This guide was written to help DoD contractors and subcontractors quickly understand what is required of them to take proper action after they either suspect or discover a cyber incident on their information systems in compliance with DFARS regulations.

If you need information about how to protect yourself from cyber incidents, rather, please see our guide on NIST 800-171 for DFARS Compliance.

What is a Cyber Incident?

According to section 252.204-7012 of DFARS Documentation, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on a DoD contractor’s information system and/or the information residing therein.” This broad definition includes actions that are taken by DoD contractors or subcontractors internally, and unauthorized outsiders, such as cyber criminals or foreign actors.

In simple terms, a cyber incident is any action taken, either internally or externally, that results in the compromise or potential compromise of a DoD contractor’s information system.

How to Know if There’s a Cyber Incident

Part of the DFARS regulation requires DoD contractors and subcontractors to implement and utilize cyber security monitoring tools. These tools may or may not have been implemented by your internal IT department, outsourced IT service provider, or a Managed Security Service Provider (MSSP) like SysArc. These monitoring tools would alert you of any compromise or attempt to compromise your information systems.

How to Report a Cyber Incident to the DoD

According to DFARS 204.7301 definitions, a cyber incident must be “rapidly reported” within 72 hours of your discovery of the incident. 204.7302 policy then states that DoD contractors and subcontractors must submit the following information via the DoD reporting website:

1. A cyber incident report;
2. Malicious software, if detected and isolated; and
3. Media (or access to covered contractor information systems and equipment) upon request.

What information goes in the incident report?

DoD Contractors that are not providing Cloud Services

On the DIBNet Portal website, DoD contractors, except those providing cloud services, are required to submit as much as the following 20 items of information as possible:

1. Your company name
2. Company point of contact information (address, position, telephone, email)
3. Data Universal Numbering System (DUNS) Number
4. Contract number(s) or other type of agreement affected or potentially affected
5. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
6. USG Program Manager point of contact (address, position, telephone, email)
7. Contract or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
8. Facility CAGE code
9. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
10. Impact to Covered Defense Information
11. Ability to provide operationally critical support
12. Date incident discovered
13. Location(s) of compromise
14. Incident location CAGE code
15. DoD programs, platforms or systems involved
16. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
17. Description of technique or method used in cyber incident
18. Incident outcome (successful compromise, failed attempt, unknown)
19. Incident/Compromise narrative
20. Any additional information

DoD Contractors that are providing Cloud Services

For DoD Contractors providing Cloud Services on behalf of the Department of Defense, the DoD requires you to submit the following 16 items of information:

1. Contract information to include contract number, USG Contracting Officer(s) contact information, contract clearance level, etc.
2. Contact information for the impacted and reporting organizations as well as the MCND
3. Details describing any vulnerabilities involved (i.e., Common Vulnerabilities and Exposures (CVE) identifiers)
4. Date/Time of occurrence, including time zone
5. Date/Time of detection and identification, including time zone
6. Related indicators (e.g. hostnames, domain names, network traffic characteristics, registry keys, X.509 certificates, MD5 file signatures)
7. Threat vectors, if known (see Threat Vector Taxonomy and Cause Analysis flowchart within the US-CERT Federal Incident Notification Guidelines)
8. Prioritization factors (i.e. functional impact, information impact, and recoverability as defined flowchart within the US-CERT Federal Incident Notification Guidelines)
9. Source and Destination Internet Protocol (IP) address, port, and protocol
10. Operating System(s) affected
11. Mitigating factors (e.g. full disk encryption or two-factor authentication)
12. Mitigation actions taken, if applicable
13. System Function(s) (e.g. web server, domain controller, or workstation)
14. Physical system location(s) (e.g., Washington DC, Los Angeles, CA)
15. Sources, methods, or tools used to identify the incident (e.g., Intrusion Detection System or audit log analysis)
16. Any additional information relevant to the incident and not included above

Do you need further assistance?

For DoD contractors who need further consultation, please feel free to give us a call at (866) 583-6946, or read about our NIST 800-171 Services. We help DoD contractors and subcontractors all over the United States comply with DFARS using the NIST 800-171 cyber security framework.  

We work with the Department of Defense (DoD) Contractors all over the United States and help them navigate the complexities of DFARS and NIST 800-171 compliance. One of the most common questions we get asked is what is meant by “Adequate Security” in the compliance requirements. “Adequate Security” is extremely vague, so it’s no wonder DoD Contractors have trouble understanding whether their current information security is adequate or not. We seek to clear up this confusion in this article.

Making Sense of The Official Language

According to section 252.204-7012 of DFARS documentation, “Adequate security” means protective measures that are put in place to mitigate the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. The documentation proceeds to list out two scenarios for DoD Contractors and then provides the guidelines on protective measures for adequate security.

These scenarios are:

1. Contractors that have information systems that are not part of an Information Technology (IT) service or system operated on behalf of the Government, and;
2. Contractors that have information systems that are part of an IT service or system operated on behalf of the government

Scenario 1: Contractors with IT Systems that are not a part of or operated on behalf of the Government

For Contractors with IT Systems that are not part of an IT service or system operated on behalf of the Government, the information system must adhere to the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (or NIST SP 800-171), at the time the contract solicitation is issued or as authorized by the Contracting Officer.

Complete documentation on NIST SP 800-171 controls is available here. If you need help implementing these controls, please see our NIST compliance services.

Scenario 2: Contractors with IT Systems a part of or operated on behalf of the Government

For Contractors with IT Systems that are part of an IT service or system operated on behalf of the Government, the requirements for adequate security are:

1. Cloud Computing Security
• If the Contractor indicated in its offer that it “does not anticipate the use of cloud computing services in the performance of a resultant contract,” in response to provision 252.239-7009, and after the award of this contract, the Contractor proposes to use cloud computing services in the performance of the contract, the Contractor shall obtain approval from the Contracting Officer prior to utilizing cloud computing services in performance of the contract.
• The Contractor shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG), unless notified by the Contracting Officer that this requirement has been waived by the DoD Chief Information Officer.
• The Contractor shall maintain within the United States or outlying areas all Government data that is not physically located on DoD premises, unless the Contractor receives written notification from the Contracting Officer to use another location, in accordance with DFARS 239.7602-2(a).
2. Any other such IT service or system (other than cloud computing) shall be subject to the security requirements specified in scenario 1 above.

DFARS Consultants are Available to Help

If you are a DoD Contractor and have any questions about DFARS and NIST SP 800-171, feel free to give us a call at: (866) 583-6946. Our DFARS Compliance specialists are happy to assist you in navigating the challenges of DFARS, and help you implement the security controls detailed in NIST SP 800-171.

Broadly speaking, the U.S. Government defines Controlled Unclassified Information (CUI) as any information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.

But how does this broad definition apply to Department of Defense (DoD) Contractors? More specifically, what is CUI with regards to the Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171? This short article will answer these questions for DoD Contractors.

CUI That Concerns DoD Contractors

As described in the CUI registry, CUI that pertains specifically to the DoD is known as Covered Defense Information. Covered Defense Information includes:

• Controlled Technical Information and;
• Contractor Attributional/Proprietary Information

Controlled Technical Information

According to section 252.204-7012 of DFARS Documentation, Controlled Technical Information means technical information with military or space application.

Examples of technical information include: research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

Contractor Attributional/Proprietary Information

The second type of Covered Defense Information is Contractor Attributional/Proprietary Information. According to 252.204-7012, this information identifies the contractor, whether directly or indirectly, by the grouping of information that can be traced back to the contractor (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.

Protecting CUI

DFARS Policy 204.7302 states that Covered Defense Information is to be protected and monitored on the DoD Contractor’s information system(s), as well as the Department of Defense’s systems. Contractors are also required to rapidly report cyber incidents (actual or potentially compromised information) within 72 hours to the Department of Defense here.

More Guidance on CUI and How to Protect It

If you are a DoD Contractor and have any questions about CUI and how to protect it, feel free to give us a call at: (866) 583-6946. Our DFARS Compliance specialists are happy to assist you in navigating the challenges of DFARS, and help you implement the security controls detailed in NIST SP 800-171.

The Department of Defense’s final guidance requires the review of a System Security Plan (SSP) in the assessment of contract solicitation during the awards process. In other words, that means that DoD contracts will be assessed on the ability of the Contractor to provide proof of compliance with NIST 800-171. Without an SSP, DoD contractors may not be awarded any DoD contracts. Therefore, if your business relies heavily on contracts with the DoD, it is vitally important to create an SSP that meets all the requirements of NIST 800-171.

Use the following guidance to produce an SSP that allows your company to compete for DoD contracts and enjoy a smooth working relationship with the Department of Defense.

What is an SSP?

A system security plan or SSP is a document that identifies the functions and features of a system, including all its hardware and the software installed on the system. This document also defines the security measures that have been or will be soon put in place to limit access to authorized users, as well as to train managers, users and systems administrators in the secure use of the system. It includes details of processes for auditing and maintaining the system, in addition to information about how you plan to respond to security incidents that occur on the network. An SSP is a comprehensive summary of all security practices and policies that will help to keep DoD data secure if the contractor is awarded a DoD contract.

What Are Your Options for Writing an SSP?

NIST supplies a template to help contractors create an SSP. Some companies have their internal IT staff fill in this template to create a system security plan. This approach can work well if you are sure that your IT employees have the relevant knowledge and experience to create a comprehensive SSP. However, the disadvantage of creating an SSP in house is that it forces internal IT staff to take time away from their core duties, which could cause day to day operating difficulties for your business.

Another option for creating an SSP is to hire a NIST 800-171 consultant to do it for you. Many small DoD contractors shy away from this option because they assume it will be expensive, but in fact it can be much more cost-effective than trying to create your own SSP in house.

Which Option for Creating an SSP is Best For Your Business?

The advantage of working with a specialist NIST 800-171 consultant is that you can be sure that the SSP they create on your behalf will meet all the requirements set out in DFARS. Reputable IT companies that specialize in working with DoD contractors have a lot of experience of writing SSPs on behalf of businesses like yours, which means they are likely to be able to complete the job much more efficiently and effectively than your in house IT staff. All you have to do is ensure you choose a reliable IT company that has a strong background in helping DoD contractors meet the requirements of DFARS and NIST 800-171.

How to Get Started With Creating an SSP

Every contractor that hopes to win contracts with the DoD must produce an SSP that gives an overview of their systems and the security measures they have in place. To take the first step toward producing a robust SSP that can help your business compete for and win DoD contract awards, get in touch with SysArc today.

This a simple, straight-to-the-point guide on what DoD Contractors need to do to comply with NIST 800-171 quickly and effectively so that they can continue provide services to the Department of Defense. While this guide was written to be simple for company executives and management to understand, the requirements and language of 800-171 absolutely require either an experienced IT department or an outside consultant, such as a Managed Security Service Provider (MSSP) who specializes in DoD compliance.

A detailed guide specifically written for IT professionals is out of the scope of this guide. Fortunately, the National Institute of Standards and Technology (NIST) has already made available the documentation necessary for an experienced IT department to follow.

With that said, here’s what DoD Contractors need to do to comply with NIST 800-171…

The Documents: SSP & POA&M

As we recently reported, the Department of Defense has released its final guidance with respect to how DoD Contractors are to address DFARS/NIST 800-171 cyber security requirements during the contract award process. The guidance specifies the delivery of two documents by the DoD contractor:

1. Security Systems Plan (SSP) and;
2. Plan-of-Action and Milestones (POA&M)

These two documents serve as the basis for providing evidence of compliance with NIST 800-171 to the Department of Defense. While this is not an official requirement by the DoD, contractors who do not include these documents are at a severe disadvantage against contractors who are. Subcontractors who deal directly with Prime contractors may also find themselves required to provide proof of compliance to the Prime.

Security Systems Plan (SSP)

The Security Systems Plans goes over the DoD contractor’s approach for complying with the NIST 800-171 guidelines during the pre-contract phase and the security measures that they currently have in place. If the organization wants to continue doing business with the DoD, they need to ensure that the Security Systems Plans are up to par and formatted in a way that’s usable for the bidding process.

Options for Developing an SSP:

DoD Contractors have two options to develop a System Security Plan:

1. NIST SSP Template: DoD Contractors who have an internal IT Department who has cyber security knowledge can opt to develop an SSP in-house. The DoD has a SSP template available to assist in the process. To download the SSP template, click here.
2. Outsource to an MSSP: A Managed Security Service Provider who provides NIST 800-171 compliance services can develop the SSP for you for a fee. To view learn more about our compliance services for NIST 800-171, click here.

Plan-of-Action and Milestones (POA&M)

Compliance gaps identified during this process need a Plan-of-Action and Milestones on how the contractor intends on fixing the issues and what controls they’re putting in place that go beyond the minimum standard. The DoD uses NIST 800-171 as a baseline for the cybersecurity requirements that it wants to see from contractors working with CUI.

Options for Developing an POA&M:

DoD Contractors have two options to develop a Plan-of-Action and Milestones:

1. NIST POA&M Template: DoD Contractors who have an internal IT Department who has cyber security knowledge can opt to develop a POA&M in-house. NIST has a POA&M template available to assist in the process. To download the POA&M template, click here.
2. Outsource to an MSSP: A Managed Security Service Provider who provides NIST 800-171 compliance services can develop the POA&M for you for a fee. To view learn more about our compliance services for NIST 800-171, click here.

NIST 800-171: At the Heart of the SSP & POA&M

At the heart of both documents is the framework developed by the National Institute of Standards and Technology (NIST), known as NIST SP 800-171. The framework was designed to provide guidance on the best practices for protecting Controlled Unclassified Information (CUI), which is the objective of Defense Acquisition Federal Regulation Supplement (DFARS). Your IT network configuration and the way you handle CUI will need to comply with this framework.

NIST 800-171 Requirements

There are 14 primary requirements in this publication that the DoD contractor needs to account for when assessing their compliance efforts. Agencies that fail to comply with these security controls can find themselves missing out on DoD contracts.

• Access Control: Only a limited set of users and devices should have access to CUI.
• Awareness and Training: Everyone working at DoD contractors should have a role-appropriate awareness of the common cyber threats that can lead to a data breach.
• Auditing and Accountability: The DoD contractor’s systems should be capable of leaving a digital paper trail.
• Configuration Management: The wrong configuration can lead to many vulnerabilities, so a security-centric option is necessary.
• Identification and Authentication: The contractor’s systems need a way to confirm that users are who they claim to be.
• Incident Response: The DoD contractor should be prepared for common situations that could lead to the CUI being at risk of a breach.
• Maintenance: The DoD contractor’s information systems and infrastructure require proactive maintenance to remain up-to-date.
• Media Protection: Any media that stores CUI needs sufficient protection to protect it from breaches, along with procedures in place to wipe the media before destroying it.
• Personnel Security: The DoD contractors need to screen employees who are working with CUI and ensure that login information is not valid after someone leaves the organization.
• Physical Protection: Physical protection is required for the servers and hard drives that contain CUI.
• Risk Assessment: Regularly scheduled risk assessments keep the DoD contractor on top of any new risks to CUI.
• Security Assessment: Security audits are another important compliance measure in this publication.
• System and Communications Protection: The DoD contractor’s information systems need IT security measures that control all access of information and actively monitor for a potential intrusion.
• System and Information Integrity: The organization’s information systems should have sufficient defenses against malware, bugs and other vulnerabilities.

To view the complete documentation, please see “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” document provided by NIST.

Options for Meeting the Requirements

DoD Contractors have two options to meet the requirements:

1. IT Department: DoD Contractors who have an internal IT Department with cyber security knowledge and experience may be able to understand and implement the network environment and security protocols necessary to meet 800-171 security controls.
2. Outsource to an MSSP: A Managed Security Service Provider who provides NIST 800-171 compliance services will have an experienced team equipped with the tools and processes to help contractors meet the security controls. To view learn more about our compliance services for NIST 800-171, click here.

Technical Assistance is Available

We hope this guide gets you closer toward achieving NIST 800-171 compliance. If you have any questions about which options work best for your company, please feel free to give us a call at (866) 583-6946. We’ve helped DoD Contractors and IT departments all over the U.S. navigate the complexities of NIST 800-171. We’re more than happy to jump on the phone and point you in the right direction.

In December 2018, the Inspector General of the Department of Defense (DoD) released a report on the recent audit of the U.S. Ballistic Missile Defense System (BMDS). This audit found that security protocols that should protect networks and systems containing technical information about the BMDS were not put in place. While the audit was performed on the Department of Defense’s own systems, DoD Contractors now have the chance to learn from the audit and take action to ensure their compliance with the Department’s cyber security mandates such as DFARS.

Lessons for DoD Contractors

DoD contractors can use the released report to learn what they may expect if the DoD decides to audit their company’s System Security Plans (SSP). While there is no guarantee that this audit will be similar to the audits performed on DoD Contractors’ systems, they can still use the audit to gain insight into the criteria the DoD uses to assess Security System Plans and work out how to improve security measures and avoid making the same mistakes as BMDS.

Objectives of the DoD’s Security Audit

The key objective of the DoD’s security audit was to determine whether DoD Components implemented security controls and processes at DoD facilities. These security controls should protect BMDS technical information from both internal and external cyber threats.

Findings of the DoD’s Security Audit

In the failed audit, the DoD found that officials did not consistently implement security controls and processes to protect technical information regarding the BMDS. Some network administrators had not put in place multifactor authentication to secure access to BDMS technical information. This increases the chance that an experienced hacker could break into the systems and steal important classified information.

Three of the five Components that the DoD audited did not identify and mitigate known network vulnerabilities. They also, in many cases, did not consistently verify the effectiveness of the security controls they had implemented. Without careful consideration of the security risks and the adequacy or inadequacy of the security controls in place to protect against them, BMDS has no way of knowing whether they have taken enough action to keep their data safe.

Some auditors found that physical security at DoD facilities was inadequate. For example, server racks that are not locked up can be compromised by workers or intruders. Similarly, some officials failed to adequately protect classified data that was stored on removable media, which can easily fall into the wrong hands.

In addition, DoD auditors discovered failures to encrypt BDMS data when it was being transmitted. Some audited organizations also failed to put in place systems to detect attacks on classified networks, which means they could be unaware of threats.

Recommendations of the DoD’s Security Audit

The DoD audit report had four main recommendations to keep data safe at DoD facilities:

• Use multifactor authentication
• Respond quickly to vulnerabilities
• Protect data on removable media
• Implement the ability to detect intrusions, both on computer networks and in physical facilities

Options for DoD Contractors that are Selected for Audit

DoD contractors that are selected for audit must meet the recommendations that the audit report outlines. Contractors can choose to put the responsibility for meeting these requirements onto their in-house IT department, or seek the help of a cyber security consultant who specializes in NIST SP 800-171.

To handle security in house, contractors will need to use the guidelines given in the Self Assessment Handbook – NIST Handbook 162. The National Institute of Standards and Technology (NIST) created this handbook to help DoD contractors comply with all SP 800-171 security requirements. While this handbook is very useful, many contractors still find it difficult to handle all their security needs in house.

For many DoD contractors, working with a third-party Managed Security Service Provider (MSSP) is a better option than trying to handle DFARS compliance in house. Consultants who specialize in DFARS NIST SP 800-171 compliance know exactly how to meet the requirements and are therefore less likely than in-house employees to overlook security holes or make mistakes in the development and implementation of security protocols.

MSSPs can provide the following services to help DoD contractors become compliant:

• Security Assessment: Audit the DoD contractor’s current system against NIST SP 800-171
• System Security Plan: Develop a compliant System Security Plan (SSP) and Plan of Action and Milestones (POAM)
• Remediate: Implement items called out in the POAM
• Compliance Monitoring and Maintenance: Ongoing advanced cybersecurity monitoring and incident response capabilities are required to remain compliant.

For more information, please see our complete Guide to DFARS Compliance developed specifically for DoD Contractors.

Importance of Compliance for DoD Contractors

With the DoD factoring in cyber security into contract awards, it is very important for all DoD contractors to make security a priority. If a DoD audit finds that a contractor is not in compliance, the auditors can issue a stop-work order, which prevents the contractor from carrying out any work on behalf of DoD until they can prove they have put suitable security measures in place. In some extreme cases, the DoD can terminate contracts with contractors who have failed an audit and even bar them from working with the DoD in future.

DoD contractors who need help to comply with DFARS and pass a DoD audit can get in touch with a Managed Security Service Provider (MSSP) who specializes in DFARS/NIST SP 800-171 Compliance Solutions. A compliance consultation from SysArc is free and can help contractors find out whether they are doing enough to keep their Controlled Unclassified Information (CUI) safe.

The U.S. Department of Defense (DoD) has released final guidance on assessing contractor compliance with NIST SP 800-171 during the contract award process. Based on the guidance, this article focuses on what is required of DoD Contractors to prove compliance with DFARS in their pre-award solicitations and post-award contracts with the Department of Defense in accordance with NIST SP 800-171.

Proof of compliance relies heavily on the development and implementation of two documents: A Systems Security Plan (SSP) and a Plan-of-Action and Milestones (POA&M). Guidelines on how these two documents fit in the contract award process with the DoD can be found below.

Pre-Award Guidelines:

1. Admit Compliance: In accordance with DFARS 252.204-7008, the solicitation must include self-attestation of compliance with DFARS 252.204-7012 and implementation of NIST SP 800-171. The DoD interprets “self-attestation” as admission of compliance, and “implementation” of NIST SP 800-171 as having a completed Systems Security Plan (SSP) and a Plan-of-Action and Milestones (POA&M) in accordance with NIST SP 800-171. NIST provides templates for both SSPs and POA&Ms. For DoD prime and subcontractors who do not have the resources or expertise to develop and implement an SSP and POA&M, see our NIST Compliance Services.
2. Detail Enhanced Security Measures (if applicable): In accordance with DFARS 252.204-7008, should the requirements of the requiring activity deem it necessary for the contractor to implement enhance security measures in addition to NIST SP 800-171, the contract must include a Statement of Work (SOW) detailing the implementation of the additional security measures.
3. Support Evaluation Process: The Compliance Guidance reveals how the DoD will conduct the assessment of a contractor’s compliance status. The DoD’s evaluation process is based on four objectives:
• Establish ‘Go/No Go’ evaluation criteria threshold. The Contractors SSP and POA&M will be scrutinized against this criteria and an “acceptable” level of compliance will be established.
• Establish a separate technical evaluation factor, which would also require delivery of the SSP(s) and POA&M(s) with a more detailed description of how compliance would be judged in Section M.
• Conduct on-site assessments of the contractor’s internal information systems using NIST SP 800-171A.
  Identify Tier 1 suppliers and their plans for flowing down the requirements of the DFARS Cyber Rule and for assuring subcontractor compliance.

Post-Award Guidelines:

1. Deliver SSP and POA&M: The contractor must incorporate their Systems Security Plan (SSP) and POA&M in the contract. These two documents become a contractual requirement which means failure to comply with them could result in contract performance issues and/or breach of contract. Additionally, contractors must provide an SSP that meets the requirements of the Data Item Description (DID) which is included in the Compliance Guidance. While there is no prescribed format or specified level of detail for an SSP, NIST provides a template. They also provide a template for the development of a POA&M. For DoD prime and subcontractors who do not have the resources or expertise to develop and implement an SSP and POA&M, see our NIST Compliance Services for more information.
2. Support On-Site Assessments: The contractor must include a Statement of Work requiring the contractor to support an independent on-site government assessment of compliance of NIST SP 800-171 in accordance with NIST SP 800-171A by the Department of Defense.
3. Identify CDI including Tier 1 Suppliers: The Data Item Description (DID) included in the Compliance Guidance requires prime contractors to complete the following for every Tier 1 supplier:
• Provide basic identification information,
• Verify that it has flowed down the substance of DFARS 252.204-7012 to the supplier, as well as any additional security requirements;
• State whether the supplier has done a self-assessment in accordance with NIST SP 800-171A; and
  Provide a copy of the supplier’s SSP and POA&M.

Support and Consultation:

If you are a DoD Prime or Subcontractor and have questions about the DoD’s Compliance Guidance and how to develop the required SSP(s) and POA&M(s), a qualified Managed Security Services Provider who specializes in DFARS Compliance can help you meet compliance. As a DFARS/NIST SP 800-171 consultant who has provided compliance solutions for DoD contractors all over the United States, we’re happy to point you in the right direction. We’re available at 800-481-1984.

In September 2018, the Department of Defense published an update to its 2015 Cyber Security Strategy. The changes made in the previous strategy focuses on the cyber threats that exist from other countries. The update echoes the White House’s National Cyber Security Strategy, which was also release in Septemebr. In the 2018 Department of Defense Cyber Security Strategy, it’s stated that “China is eroding U.S. military overmatch and the Nation’s economic vitality by persistently exfiltrating sensitive information from U.S. public and private sector institutions.” This statement sets the tone for the rest of the publication, which addresses cyber threats the way that the DoD handles other types of threats to the nation.

Summary of the 2018 Cyber Security Strategy

“The Department will work with its interagency and private sector partners to reduce the risk that malicious cyber activity targeting U.S. critical infrastructure could have catastrophic or cascading consequences.”

This goal of the 2018 Cyber Security Strategy emphasizes greater collaboration and transparency to create a landscape with better overall cyber security. It also reflects an environment where public and private sector organizations work with dozens or even hundreds of service providers and other third-parties. Information sharing is an important measure to rapidly respond to emerging cyber threats, limiting the damage that’s possible from a zero-day exploit or large-scale attacks targeting critical infrastructure.

A vulnerability in a partnering business can have the same devastating impact as a security hole in the contractor or federal agency. One of the biggest priorities is defending systems and data connected to the DoD, whether that’s at other government agencies or with DoD contractors. Cooperation between these parties also supports another goal of the 2018 Cyber Security Strategy – improving integration of systems to better assist with military operations and related plans.

The Objectives of the 2018 Cyber Security Strategy

There are five distinct objectives outlined in this publication. Each of these topic areas plays a different role in supporting the overall goals of the DoD.

• “Ensuring the Joint Force can achieve its missions in a contested cyberspace environment.” Cyber attacks can hinder military operations, from slowing down development to actively interfering with communications.
• “Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages.” Cyber warfare can make a significant difference in operations and provide new ways to handle conflict. Countering ongoing cyber attacks can disrupt foreign actors and make it more difficult to steal information that’s vital to the security of the United States.
• “Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident.” Cybercriminals can disrupt information systems that are critical in many areas. Without protection, these attacks can lead to many negative consequences. This strategy embraces a concept called “Defending Forward,” which is a proactive approach to cyber security that seeks to stop attacks before they have the opportunity to cause damage to information systems.
• “Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks.” DoD data is of great interest to many state actors, as well as private hackers. This valuable information must be protected to avoid unauthorized access.
• “Expanding DoD cyber cooperation with interagency, industry, and international partners.” Improved transparency, information sharing and integration can help agencies harden their defenses against attackers.

How Objectives 4 and 5 Relate to Private DoD Contractors

The two objectives of greatest relevance to private DoD contractors are four and five. They reflect the following statement in the 2018 Cyber Security Strategy publication: “We will hold DoD personnel and our private sector partners accountable for their cybersecurity practices and choices.”

The good news is that DoD contractors already complying with the Defense Federal Acquisition Regulation Supplement in publication NIST 800-171 have these objectives covered. DFARS regulations cover everything related to Controlled Unclassified Information and keeping it protected through cybersecurity measures, procedures and policies.

Objective number five may require some changes, depending on the DoD contractor’s current information systems and the policies that they have in place. Complying with these regulations helps all parties in the DoD ecosystem as attack methods continue to grow in complexity and frequency over time.

Working With an Experienced Compliance Partner

DoD contractors that have insufficient cybersecurity measures in place will find themselves failing to secure new contracts or being able to properly protect sensitive data that resides on their information systems.

As new cyber security strategies get published to address the latest changes in the IT landscape, contractors need an experienced partner on hand to provide the necessary resources to stay up to date. They may have all of their in-house IT staff dedicated to fulfilling the contracts that they have with the DoD and other federal agencies. If they pulled those staff members off of those jobs, it could impact the ability to secure more work in the future.

An IT support company fills in the gaps and brings subject matter knowledge of all relevant regulations, including the latest cyber security strategies. DoD contractors can keep their information systems and data complying with the latest updates to avoid fines and penalties. They also provide a better experience overall for the agencies that they end up working with.

If you’re a DoD Contractos and need help complying with the Department of Defense, see our DFARS/NIST SP 800-171 Compliance Solution. If you would like more information about your options for DFARS Compliance in accordance with NIST SP 800-171, see our Compliance Guide.

Cyber criminals cause a lot of problems for organizations, from locking down critical files through ransomware to using social engineering to get access too sensitive data. You know that you need to minimize your cyber security risks, but choosing the best options for your needs may be challenging. Outsourcing your cyber security may be exactly what you need. Here are five benefits you receive when you have a specialized provider helping your IT department with hardening your defenses against threats.

1. Lower Cost. No Salaries

The salary of cyber security professionals is a major roadblock when it comes to bringing them in-house. They are in-demand and the supply is low, leading to a recruiting environment that is costly and time-consuming. When you work with a cyber security provider, you reduce your costs because you don’t have to worry about salaries. Instead, you have a fixed monthly price that’s not going to suddenly spike when massive enterprises do aggressive recruiting campaigns for their IT security teams.

You also reduce your indirect costs, such as the time and resources that the HR team would otherwise spend on finding and interviewing candidates. The cyber security service provider is the one going through the process of finding experts that are capable of addressing the needs of your organization. Your HR team and hiring managers can focus on recruiting for other parts of the company and building around the fact that you have IT security professionals readily available from the service provider.

2. Immediately Gain a Team of Experts with Knowledge

When you bring in a cyber security provider, you end up with specialists who have spent a lot of time addressing cyber threats in many types of business environments. They take educational opportunities to discover the latest cyber security best practices, how to solve the changing needs of modern businesses and the newest solutions on the market.

You have access to many experts, rather than relying on a handful of full-time employees. They have more flexibility due to the amount of hands-on experience they have, compared to a single person who may have only worked in one or two environments. This background is particularly useful when it comes to proactively responding to potential breaches and quickly taking action following an intrusion.

3. Gain Outside Perspective

Sometimes it’s difficult to see the forest for the trees. Your in-house IT team knows your infrastructure inside and out, which can sometimes prevent them from seeing potential cyber security issues or identifying solutions that could improve overall protection.

The cyber security managed service provider delivers an outside perspective that’s built with hundreds or thousands of hours of experience with a variety of business environments. They may have innovative solutions that are tried and tested against the latest threats.

The in-house IT team may have its attention divided between user support, development, maintenance and hundreds of other tasks outside of cyber security. They don’t always have the opportunity to go to workshops or read the latest news in the cyber security world. Since a cyber security service provider is entirely focused on this part of the technology world, they have the time to keep up with cutting-edge developments.

4. Full Proof Gap Analysis and Remediation Plans

Do you know exactly what’s missing with your company’s cybersecurity measures? Outsourced cyber security can find the vulnerabilities that put you at risk of an attack, whether you’re missing a critical piece of defense or your policies fail to address cyber security. They work with you to develop a remediation plan that meets NIST cyber security standards so that you can minimize your risk profile.

This process is not one-and-done. Security standards and regulations frequently change, especially as new technology comes out. When you’re proactive about working with a security team to identify the gaps in your defenses, you stay ahead of potential attackers and keep your infrastructure protected.

5. Scale Your IT Security Team on Demand

The amount of risk that your organization faces varies based on many factors. For example, if you’re gearing up for a large expansion, you may be more vulnerable to opportunistic attacks. Another situation that could create a weaker environment is immediately following a data breach. Until you know how the hackers got in, you don’t have a way to fix the exploit to prevent a repeat attack.

Outsourced cyber security streamlines the process of scaling your IT security team as needed. You don’t always need an increased number of specialists on hand, but they’re invaluable during riskier situations. Once this period has passed, you can ramp back down to the level of service you used previously. That’s a lot easier than hiring and firing a bunch of in-house employees every time you think you’re going to have increased cyber security needs.

Your IT department has to deal with a constantly changing cyber security landscape, where new threats are waiting just around the corner. They don’t always have the resources required to respond appropriately. By augmenting your in-house IT team with outsourced cyber security services, you give them exactly what they need to keep things secure.

If you’re interested in how a Managed Security Service Provider (MSSP) can help your current IT department, give us a call or schedule a consultation. We help companies all over the United States protect their assets and comply with cyber security regulations.

SysArc is committed to helping Department of Defense contractors comply with the government’s DFARS mandate in accordance with NIST 800-171 and 800-171A. Our IT Risk Management and Compliance services give contractors the expert resources they need to stay in compliance without overwhelming their in-house teams.

In accordance with this commitment, we’re attending the NIST Cyber Security Workshop to continue offering cutting-edge cyber security compliance services to Department of Defense Contractors throughout the United States.

The Controlled Unclassified Information Security Requirements Workshop is an informational session with Federal Government representatives. The topics discussed include the expectations of evaluating evidence, advice on how to implement the necessary CUI security requirements, best practices for this process, and the lessons that experts have learned along the way.

By going to these sessions, SysArc has the opportunity to get detailed information and updates on DFARS compliance directly from the people and agencies responsible for it. This first-hand knowledge is key to helping our clients prepare for changes to the regulations and to have the best possible implementation available.

The sessions that are scheduled to take place during this workshop are:

• Overview of Controlled Unclassified Information, the CUI Registry and the CUI Rule
• Overview of the Defense Acquisition Regulations System (DFARS) Safeguarding Covered Defense Information and Cyber Incident Reporting Clause
• Overview of NIST Special Publication (SP) 800-171, Protecting CUI in Nonfederal Systems and Organizations
• Overview of NIST Special Publication (SP) 800-171A, Assessing Security Requirements for Controlled Unclassified Information
• Government Panel: Expectations for Evaluating the Implementation of CUI Security Requirements in NIST SP 800-171
• Industry Implementation of CUI Security Requirements: Best Practices and Lessons Learned

The speakers at the NIST Cyber Security Workshop come from many federal agencies, including NIST, the National Archives and Records Administration, the Department of Defense, as well as companies such as Leidos, Stackarmor, and Exostar. Dr. Ron Ross, a NIST Fellow at the Information Technology Laboratory, is the keynote speaker for this workshop.

This event takes place on Thursday, October 18th, 2018 at the NIST Red Auditorium at 100 Bureau Drive, Gaithersburg, MD 20899. It runs from 8:30 AM to 5:00 PM Eastern Standard Time.