Critical Security Requirements for Defense Contractors
29 September 2016
Companies in regulated industries are under an enormous amount of pressure to keep data secure and adhere to the specific regulatory reporting requirements of the industries in which they operate. This is especially true for defense contractors, which are subject to the rules and regulations of the Department of Defense (DoD).
The DoD has stringent security and regulatory requirements around how sensitive information is shared, used and stored. One example is the Defense Federal Acquisition Regulation Supplement (DFARS) rule on Network Penetration Reporting and Contracting for Cloud Services, which mandates security requirements for defense contractor IT systems that receive, develop, transmit, use or store Covered Defense Information (CDI) pursuant to any DoD contract or subcontract. CDI is a broad category of sensitive unclassified information that is provided to a contractor by or on behalf of the DoD in connection with the performance of a contract, or that the contractor collects, develops or uses in performing the contract, and includes:
- Information with a defense or space application that is subject to controls, including but not limited to access, use, reproduction and disclosure;
- Export controlled data whose export could reasonably be expected to adversely affect national security or nonproliferation objectives;
- Data critical to operations security that is vitally needed by our adversaries; and
- Any other information requiring protection under U.S. law, regulation or government-wide policy or so designated in the applicable contract (e.g., personally identifiable information or intellectual property).
These requirements apply to any IT network, system or device owned or operated by or for a defense contractor or subcontractor that processes, stores or transmits CDI, regardless of where it is located.
A Regulatory Change towards Improving Cybersecurity Controls
The DoD is using its enormous purchasing power to improve the strength and consistency of cybersecurity controls in place at private sector companies that contract with the DoD and hold, use or share CDI. Many factors have prompted the DoD to raise the level of cybersecurity requirements for defense contractors so dramatically, including:
- Recent large-scale cyberattacks with severe consequences
- Vast amounts of CDI held within defense contractor IT systems
- Continued onslaught of sophisticated cyber threats on contractor networks
The DFARS Network Penetration Rule's security requirements first became effective on August 26, 2015, when they were issued as an interim rule with immediate effect. This rule is often referred to as the "DFARS Interim Rule" because the DoD skipped the customary proposed-rule stage, with its period for public comment before anything takes effect, and instead made the requirements binding immediately while comments were still being collected. However, in response to substantial objections from the defense industry, a second interim rule published on December 30, 2015 pushed the DFARS cybersecurity compliance date back to "as soon as practical," but no later than December 31, 2017.
How Organizations can Comply with the DFARS Network Penetration Rule
Defense contractors must comply with the DFARS Network Penetration Rule's safeguarding obligations by implementing the 109 security requirements (grouped into 14 requirement families) in the National Institute of Standards and Technology's (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, on all networks and systems where CDI is stored, processed or transmitted.
As the clock ticks down to the end of 2017, the sense of urgency is rising for defense contractors to become fully compliant with the DFARS Network Penetration Rule's cybersecurity requirements. But achieving compliance isn't a quick or easy feat. In addition to implementing the NIST 800-171 security requirements within their own IT infrastructures, defense contractors must ensure that the same levels and types of protection and control apply to the CDI that they share externally with and between suppliers at every tier of their supply chains. When a subcontractor at any tier receives or develops CDI in support of DoD contract performance, the prime contractor must flow the requirements down and ensure that the subcontractor also complies with the NIST 800-171 security requirements.
That leaves the big question: how can the security and control of CDI be maintained when this kind of sensitive information must be shared and used widely across a complex web of potentially hundreds of specialized suppliers in order to deliver a defense weapons system? The next article in this series will examine how to tackle this difficult challenge. Stay tuned…
Rick Comeau is a Security Advisor for the Intralinks Enterprise-Commercial Sales Team. He previously led the Center for Internet Security (CIS) program that develops consensus-based, secure configuration guidance and automatable assessment and remediation content, which is recognized as authoritative security guidance by leading standards bodies such as the National Institute of Standards and Technology (NIST) and Payment Card Industry (PCI) Security Standards Council.