In October 2016 the Federal Government published Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, requiring all non-Federal entities doing business with the Department of Defense that process, store, transfer or have access to controlled unclassified information (CUI) to comply with the security requirements published in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Contractors and their subcontractors were directed to implement the NIST SP 800-171 requirements no later than December 31, 2017.
The National Archives and Records Administration (NARA) plans to publish a general Federal Acquisition Regulation (FAR) CUI rule in 2019 that, when finalized, will obligate all federal agencies to require cyber protection of CUI, per NIST SP 800-171, in all contracts and agreements. As currently envisioned, the FAR clause will put the burden on the contracting agency, as part of the contracting process, to identify all CUI expected to arise in the course of performance. This would include not only CUI provided by the government, but also CUI generated by the contractor.
Contractors are asked to self-certify compliance with the DFARS 252.204-7012 clause and NIST SP 800-171. Increasingly, however, cybersecurity is becoming a factor in proposal evaluation, leading to program-level reviews of security controls. Some contracts contain provisions for post-award audits of self-reported cybersecurity compliance. In addition, the DoD Inspector General has undertaken targeted compliance audits, and the Defense Contract Management Agency (DCMA) has been given some cybersecurity compliance oversight responsibility. DoD and NIST personnel have recognized the problem created by this patchwork of overlapping assessors and have indicated that a single "government-wide" assessor of compliance is anticipated in the near future.
Bottom line: In 2019 all contractors doing business with the Federal government that process, store, transfer or have access to CUI must comply with the NIST SP 800-171 security controls and be able to prove it.
Historically, companies have pursued one of several avenues to meet regulatory cybersecurity compliance requirements:
- They have implemented and managed the controls themselves;
- They have contracted professional services to implement the controls and then managed them internally; or
- They have contracted with an external service provider to implement and manage the controls and their security on their behalf.
Larger defense contractors with established security programs can implement the required controls and achieve compliance internally. Small and medium-sized companies that are not experienced with federal security requirements and have fewer resources struggle with implementation and compliance. Establishing a compliant program requires both time and resources: time to assess, implement, test, and document security controls, and resources consisting of the right security tools (software and hardware) and security expertise, meaning knowing what tools to purchase, how to configure them properly, and how to manage them effectively. Finding experienced and talented security professionals is time-consuming and expensive. For most companies, even with the right people and the right tools, achieving compliance can take six to nine months.
Because of this, an increasing number of companies are hiring external service providers to manage specific security initiatives or, in some cases, to run their entire security program. This approach is especially beneficial to companies that have limited IT resources, lack internal security expertise, struggle to hire security talent, or simply need to implement a security program faster than they could in-house. However, for smaller contracts and contractors it can be cost-prohibitive.
As stated earlier, larger organizations with an established presence in the defense market have been dealing with either the DoD Information Assurance Certification and Accreditation Program (DIACAP) or the newer Risk Management Framework (RMF) for years, and although they still struggle to implement security programs effectively and to achieve and maintain compliance, they have the expertise and resources required. Their smaller subcontractors operated in their shadow until the new DFARS requirement was published.
Even with a willingness to comply, contractors face constraints in achieving compliance. A shortage of personnel, exorbitant costs and lack of time can be major impediments to smaller companies.
- Available resources. An analysis of the cybersecurity job market looking back to 2014 and projecting out to 2019 reveals that the top-paying cybersecurity job is security software engineer, with an average annual salary of $233,333, according to a recent report from the job board Dice. That exceeds the salary for a CSO, which averages $225,000. Additionally, the cybersecurity labor market has a severe workforce shortage. More than 200,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years, according to a 2015 analysis of Bureau of Labor Statistics numbers by Peninsula Press, a project of the Stanford University Journalism Program.
- Cost. One of the most pressing concerns for many businesses as they work to implement NIST SP 800-171 is the cost of compliance. Upgrading security systems can run anywhere from a few thousand to over a million dollars, depending on the size and complexity of the business. Because of this, it is difficult to estimate a specific dollar figure for what it will take to bring a business into compliance. Discussions about compliance cost ultimately boil down to a matter of scope: the more aspects of a business affected by CUI, the higher the cost is likely to run.
- Speed. The December 31, 2017 deadline has passed, and companies that have not met the requirements are under pressure to become compliant now, or at least before winning new work. This will force companies to begin addressing the issue or risk losing contracts and the associated revenue. Typical assessments and remediation efforts can take six months or longer. Looking into 2019 and beyond, contractors will continue to face pressure to become compliant rapidly in order to win new work, and to remain compliant after contract award.
Because of the cost and effort involved, companies are doing the absolute minimum required to pass a compliance audit, not necessarily taking the steps to make themselves actually secure.
As the DFARS requirement has become more widely known, the market for NIST-compliant solutions has grown. Traditional security tool and service providers and external service providers are offering what they advertise as NIST-compliant solutions. The majority offer consulting services to assist customers in bringing their existing environments into compliance, or they offer a tool or service that provides compliance for specific NIST controls. Although numerous companies offer managed security services, there is a smaller, but growing, subset of companies that offer NIST SP 800-171 compliance services. Many companies have adopted the "NIST compliant" tag as a marketing and sales gimmick when they only offer limited coverage of specific controls or only offer advice toward compliance. As the compliance requirement expands to the entire federal government, with the DFARS requirement adopted into the FAR, more companies will be drawn to this market.
Smaller contractors can be provided with a secure Platform-as-a-Service (PaaS) offering in the cloud that meets NIST SP 800-171 requirements for business operations that handle CUI, reducing or eliminating DFARS compliance challenges with a secure, compliant, easy and affordable solution. A compliant PaaS solution would bridge the gap between end users and cloud service providers: the PaaS would act as a cloud service creator and cloud broker to migrate workloads to the cloud quickly and efficiently and to provide a reliable and highly secure environment. Each deployment would be accompanied by the necessary security documentation, including policy templates, a System Security Plan (SSP) and a Plan of Action and Milestones (POAM). As new technology, software and security patches become available, they would be integrated seamlessly into the environment to ensure continued compliance.