DFARS compliance targets 'controlled unclassified information'

Contractors have until the end of 2017 to meet DFARS compliance rules that put cybersecurity safeguards on what the U.S. government calls 'controlled unclassified information.'

Many of our most sensitive national defense and space systems are designed, implemented and maintained by government contractors. The information these public and private organizations create and maintain on behalf of the federal government is significant. But as we have all seen, there are no systems that are immune to illicit hacking attempts, including the nation's vital defense systems.

There is clearly a lot at stake, and much of the burden to protect our nation's defense secrets falls primarily on contractors who win government deals, as well as their subcontractors that are often doing much of the work. If you fall into this category, a recently implemented rule from the Department of Defense called the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 will impact how you handle controlled unclassified information (CUI).

According to the National Archives, Controlled Unclassified Information (CUI) is "information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies."

The path to DFARS compliance

The new DFARS compliance rule has taken a circuitous path from conception to final version, and it draws upon a number of government guidelines. In August 2013, in an effort to protect our critical national defense- and space-related technologies, the DoD released the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. The rule drew cybersecurity standards guidance from the National Institute of Standards and Technology's (NIST) Special Publication 800-53.

The NIST publication contains 303 requirements organized into 18 control families. After the original rule's release, many of the contractors obligated to comply with the associated NIST SP 800-53 guidelines found them to be overly complex and difficult to implement. Many contractors made their challenges known to NIST and DoD through public comments, and NIST responded by releasing pared-down guidelines contained in the new Special Publication 800-171, which was later updated to Special Publication 800-171r1.

Special Publication 800-171 significantly reduced the burden from 303 requirements and 18 control families down to 109 requirements and 14 control families. On Dec. 20, 2016, after reducing the initial requirements and making some additional changes, NIST released Special Publication (SP) 800-171r1: "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations." The final version of NIST SP 800-171r1 contains the security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations. These include "basic" security requirements obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and systems.

NIST SP 800-171r1 also contains "derived" security requirements, designed to supplement the "basic" security requirements, taken from the security controls in NIST Special Publication 800-53. All of these security requirements have a "moderate" impact value as defined in FIPS Publication 199. Special Publication 800-171r1 provides federal agencies (and their contractors and subs) with recommended actions to protect U.S. government CUI within nonfederal systems and organizations that are consistent with law, regulation and government-wide policy.

DFARS compliance controls

Under NIST SP 800-171r1, new baseline security standards were outlined that expanded the classes of information subject to safeguards and data that trigger reporting requirements. These regulations are designed to be a specific measure of cybersecurity readiness to support the government's needs in regard to defending its secrets and protected information. They are prescriptive as to expected results, and deadlines are said to be set in stone. Contractors and their subs have until Dec. 31, 2017 to comply with the DFARS compliance requirements outlined in the rule.

Risks for noncompliance

These new requirements present both threats and opportunities for those who must comply and for the IT and cybersecurity service providers who will help them meet these compliance obligations. The government has stated that those who are noncompliant will effectively be cut off, and contractors are already sending notices of the requirements to their subcontractors. Contractors and their subs that fully comply early will likely see additional wins against those who have not complied or who are struggling to maintain their compliance.

If you are noncompliant or wish to vary in any way from the requirements of the rule, you will be required to submit the variance for consideration by the DoD CIO. Your request for variance must include why you are requesting the variance and what you will do to alternatively satisfy the requirements. If your request is accepted in writing, it will then be included in contract language. Noncompliance with the rule must be reported to the DoD CIO's office within 30 days of contract award, even if the noncompliance is before the Dec. 31, 2017 deadline.

Now, let's talk about the cyber incident reporting requirements. According to DFARS, "cyber incident" means, "actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein." As part of the contractors' legal and contractual obligations, they are required to investigate and rapidly report any cyber incident, "that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support."

If there is evidence of a potential compromise, the contractor must complete a review of evidence that shows potential compromise of covered defense information and report its findings to the DoD. Contractors have 72 hours to report such cyber incidents.

Bottom line: If you're a defense contractor or subcontractor, you have until 30 days from contract award to report on your compliance status to DoD and Dec. 31, 2017 to comply with these regulations. Will you be able to?
