Today, more than ever, the Department of Defense (DoD) relies upon external contractors to carry out a wide range of missions and shares sensitive data with these entities. Inadequate safeguards threaten America’s national security and put Service members’ lives at risk.
In April 2009, the chief information officers (CIO) of DoD and the Office of the Director of National Intelligence (DNI) launched the Joint Task Force Transformation Initiative to develop a comprehensive set of cybersecurity standards and align the publications produced by different federal agencies. Over the years, Congress added more requirements in the National Defense Authorization Act (NDAA), the National Institute of Standards and Technology (NIST) produced several iterations of cybersecurity standards, and DoD implemented these measures through changes to DoD policies and the Defense Federal Acquisition Regulation Supplement (DFARS).
Under the interim rule issued in December 2015 (DFARS § 252.204-7012), DoD contractors (including small businesses) must adhere to two basic cybersecurity requirements:
(1) They must provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure; and
(2) They must rapidly report cyber incidents and cooperate with DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.
The set of minimum cybersecurity standards are described in NIST Special Publication 800-171 and break down into fourteen areas:
In each of these areas, there are specific security requirements that DoD contractors must implement. Full compliance is required not later than December 31, 2017. The contractor must notify the DoD CIO within 30 days of contract award, of any security requirements not implemented at the time of contract award. The contractor can propose alternate, equally effective measures to DoD CIO through their contracting officer.
If DoD determines that other measures are required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability, contractors may also be required to implement additional security precautions.
The standards reference another document (NIST Special Publication 800-53) that goes into more detail about the controls. In addition, NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Sections 3.3 to 3.6 may provide small businesses a systematic step-by-step approach to implementing, assessing, and monitoring the controls:
Although these requirements may initially seem overwhelming, small businesses can use this framework to divide the project into small, manageable chunks and work toward attaining compliance. Incurred costs may also be recoverable under a cost reimbursement contract pursuant to FAR 31.201-2.
Contractors may use subcontractors and/or outsource information technology requirements, but the contractor is responsible for ensuring that any outside entities used meet the cybersecurity standards. If a contractor anticipates using cloud computing, they must ensure the cloud service meets FedRAMP “moderate” security requirements and complies with incident reporting, media, and malware submission requirements.
(1) Don’t panic. Cybersecurity occurs in a dynamic environment. Hackers are constantly coming up with new ways to attack information systems and DoD is constantly responding to these threats. So, even if a contractor does everything right and institutes the strongest checks and controls, it is possible that someone will come up with a new way to penetrate these measures. DoD does not penalize contractors acting in good faith. The key is to work in partnership with DoD so that new strategies can be developed to stay one step ahead of the hackers.
(2) Contact DoD immediately. Bad news does not get any better with time. These attacks threaten America’s national security and put Service members’ lives at risk. DoD may have to respond quickly to change operational plans and to implement measures to respond to new threats and vulnerabilities. Contractors must report any potential breaches to DoD within seventy-two hours of discovery of any incident using the online form available at: https://dibnet.dod.mil.
Interpret "potential breaches" broadly to include all actions taken using computer networks that result in actual or potentially adverse effects on information systems and/or the information residing therein. Such incidents include “possible exfiltration, manipulation, or other loss or compromise of controlled technical information from an unclassified information system” and “any unauthorized access to an unclassified information system on which such controlled technical information is resident or transiting.”
Be helpful and transparent. Contractors must cooperate with DoD to respond to security incidents. Following an incident, contractors should immediately preserve and protect all evidence and capture as much information about the incident as possible. They should review their networks to identify compromised computers, services, data, and user accounts and identify specific covered defense information that may have been lost or compromised.
DoD’s Office of Small Business Programs has put together a comprehensive list of cybersecurity resources for small businesses on its website under the CYBER tab:
You are now leaving the DARPA.mil website that is under the control and
management of DARPA. The appearance of hyperlinks does not constitute
endorsement by DARPA of non-U.S. Government sites or the information,
products, or services contained therein. Although DARPA may or may not
use these sites as additional distribution channels for Department of
Defense information, it does not exercise editorial control over all of
the information that you may find at these locations. Such links are
provided consistent with the stated purpose of this website.
After reading this message, click to continue