Key Takeaways for Executives
- Defense contractors are facing ever more-stringent cybersecurity requirements.
- Many of these are found in NIST (SP) 800-171.
- To cope, contractors should focus on training, shoring up network infrastructure, and protecting CUI.
Defense contractors are facing more stringent federal requirements when it comes to cybersecurity, according to contracting attorneys.
These requirements stem from the evolving cyber threats the department faces, they said.
“Cybersecurity requirements are increasing for contractors due to the growing threat vectors targeted at government agencies,” said Shamlan Siddiqi, chief technology officer for NTT DATA’s public sector business. “Not only are stricter controls being published for contractors to work with government agencies, but also many cybersecurity requirements, such as data encryption, identity management and information assurance, are being incorporated into requests for proposals.”
Siddiqi said some of the most significant requirements for contractors are found in the National Institute of Standards and Technology Special Publication 800-171, which provides standards for non-federal computer systems that store, process, or transmit controlled unclassified information or provide security protections for such systems.
Among other things, he said these standards involve sharing and management service, virtual desktop service for accessing and processing data, multifactor authentication, use of appropriate cloud platforms, and active directory service for centralized access control and management.
Siddiqi said to remain compliant with the new requirements, contractor employees must be properly onboarded and trained. In addition, agencies and contractors should:
- evaluate and adjust current controls, processes and application/infrastructure/network setup to strengthen security;
- move key CUI data to secure storage, while also enhancing centralized access and identity management; and
- conduct continuous impact assessments and risk tolerance analyses across the contractor ecosystem.
Barrage of Guidance
According to Covington & Burling LLP attorneys Susan Cassidy and Ian Brekke, not only do contractors have to comply with NIST (SP) 800-171, they also have to face audits and other compliance hurdles the Defense Department has layered on to cope with evolving security threats. These requirements are outlined in several DOD guidance memos, including November 2018 final guidance for assessing security controls in NIST SP 800-171.
DOD also issued two additional memos to further explain cybersecurity requirements for contractors, including:
- A December 2018 memo from Assistant Secretary of Defense for Acquisition Kevin Fahey providing contractual language requiring activities can use in conjunction with the November 2018 guidance. The memo covers access to and delivery of contractors’ system security plans, access to and delivery of a prime contractors’ plans to track flow-down of CDI to subcontractors, rules regarding flow-down of CDI, and restrictions on unnecessary sharing of CDI.
- A January 2019 memo from Undersecretary of Defense for Acquisition and Sustainment Ellen Lord on using audits of contractors’ purchasing systems to determine whether they have complied with the Defense Federal Acquisition Regulation Supplement cyber clause.
According to Cassidy and Brekke, all of this “piecemeal” guidance, while perhaps well-intended, runs the risk of raising more questions than answers.
“DOD’s evolving cybersecurity requirements present new challenges to contractors that are still working to fully implement all 110 controls in NIST SP 800-171,” they said.
Although DOD says compliance with NIST SP 800-171 is the minimum requirement, “the reality is that the ever-changing approach and the use of guidance issued in a piecemeal fashion has the potential to cause more confusion rather than less,” they said.
Regardless, firms with DOD cybersecurity contracts should take note of the requirements and do their best to meet them.
“Contractors will need to update their subcontract forms and develop an approach for meeting these requirements, as they are likely to begin appearing in solicitations, and [Defense Contract Management Agency] will be expanding its review of contractor purchasing systems with the above requirements,” Cassidy and Brekke said.