
With the renewed emphasis within the U.S. Department of Defense (DOD) on trustworthy information systems and supply chain security, it is essential for companies in the DOD vendor supply chain to be able to express their information security policies and procedures with clarity and specificity. Doing so demonstrates compliance with, at a minimum:

  • DFARS Subpart 204.73
  • NIST Special Publication 800-53, Rev.4
  • FIPS Publications 199 & 200
  • NIST Special Publication 800-37
  • NIST Special Publication 800-39

These regulations are authorized by the 2002 Federal Information Security Management Act (FISMA) information technology requirements and emphasize, among other things, the supply chain protection elements DOD must consider when procuring systems, components, and services necessary for mission success. To give DOD assurance that a company has such capabilities, the company must demonstrate the security controls it currently has in place. According to regulations issued in November 2013 and updated in December 2014, this demonstration must be made in accordance with best practices as outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Appendices F and G. If an initial assessment finds such controls insufficient, a step-by-step remediation plan should be outlined and implemented on a systematic schedule.

Background

Vendors in the DOD supply chain have a responsibility to meet the requirements of DFARS Subpart 204.73 (added November 18, 2013) for safeguarding “unclassified controlled technical information” residing on or transiting through unclassified information systems. DOD vendors are also responsible for reporting an incident to DOD within 72 hours of discovery in accordance with criteria set forth in FAR Subpart 252.204-7012. A cyber incident includes exfiltration, manipulation, or other loss or compromise of data, or any other activity that constitutes a breach of authorized access. Incident data that must be reported includes:

  • Data Universal Numbering System (DUNS)
  • Contract numbers affected unless all contracts by the company are affected
  • Facility CAGE code if the location of the event is different than the prime Contractor location
  • Point of contact if different than the POC recorded in the System for Award Management (address, position, telephone, email)
  • Contracting Officer point of contact (address, position, telephone, email)
  • Contract clearance level
  • Name of subcontractor and CAGE code if this was an incident on a Sub-contractor network
  • DoD programs, platforms or systems involved
  • Location(s) of compromise and date discovered
  • Type of compromise (e.g., unauthorized access, inadvertent release, other)
  • Description of technical information compromise.

Summary of Controls

The key controls that a company must ensure are in place are divided into 14 major categories:

  • AC: Access Control
  • AT: Awareness and Training
  • AU: Auditing and Accountability
  • CM: Configuration Management
  • CP: Contingency Planning
  • IA: Identification and Authentication
  • IR: Incident Response
  • MA: Maintenance
  • MP: Media Protection
  • PE: Physical & Environmental Protection
  • PM: Program Management
  • RA: Risk Assessment
  • SC: System & Communications Protection
  • SI: System & Information Integrity

Specific controls that map back to NIST SP 800-53 are called out in the DFARS. Between 3 and 12 specific controls have been specified within each of the 14 categories and, when combined and fully operational, the control set is aimed at building a defense-in-depth cybersecurity strategy.

Compliance Challenges

According to several interviews with DOD prime contractors that purchase goods and services from specialty firms, many of their suppliers are smaller firms without the in-house information technology capabilities to implement FAR 204. These small and medium-sized enterprises (SMEs) must first perform a baseline assessment of their current conditions in each of these categories. They must then map their current implementation to the applicable regulatory controls and assign a priority to each. Finally, they must begin a systematic process of upgrading their administrative, technical, and operational controls to meet the NIST 800-53 standard. This is an expensive and time-consuming process that will take SME personnel away from their core responsibilities and divert them toward a regulatory and compliance activity that will not help their bottom line. However, given the uptick in cyber-attacks on US targets, this is likely to be a time-consuming but necessary process.

The Defense Industrial Base – Information Sharing and Analysis Center (DIB – ISAC) has developed a program for verifying compliance in accordance with these rules: CyberVerify. CTIN is currently developing a SaaS-based software application, VendorCET, to make the compliance process less painful for the small companies subject to these rules. Contact us at rjg (at) ctin.us for more information.

Jane Ginn CTIN President & Co-Founder
Jane Ginn ~ As the co-founder of the Cyber Threat Intelligence Network (CTIN), a consultancy with partners in Europe, Ms. Ginn has been pivotal in the development of the STIX international standard for modeling and sharing threat intelligence. She currently serves as the Secretary of the OASIS Threat Actor Context Technical Committee, contributing to the creation of a semantic technology ontology for cyber threat actor analysis. Her efforts in this area and her earlier work with the Cyber Threat Intelligence (CTI) TC earned her the 2020 Distinguished Contributor award from OASIS. In public service, she advised five Secretaries of the US Department of Commerce on international trade issues from 1994 to 2001 and served on the Washington District Export Council for five years. In the EU, she was an appointed member of the European Union's ENISA Threat Landscape Stakeholders' Group for four years. A world traveler and amateur photojournalist, she has visited over 50 countries, further enriching her global outlook and professional insights. Follow me on LinkedIn: www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=janeginn