Meeting DFARS and NIST regulations for military applications -- not just a check box for trusted computing
The U.S. Department of Defense (DOD) has upped the ante on regulations for information protection and how much suppliers must protect that information.
By Laura Hanks
ANDOVER, Mass. – Clicking the "COMPLY" check box on the list of government requirement flow-downs may seem like a necessary evil of being a supplier to the defense market, but some regulations around information and cybersecurity provide the critical foundations of a trusted computing supply chain.
Cyber and information warfare are the hottest and possibly most contested battlefields in the race for military dominance. Case in point, the U.S. Navy recently changed the name of Space and Naval Warfare Systems Command (SPAWAR) to the Naval Information Warfare Systems Command (NAVWAR), in recognition of how important information warfare is to defense strategy.
Similarly, earlier this year, the U.S. Army announced the evolution of its Cyber Command into the Information Warfare Command, and the U.S. Air Force announced the merger of the 24th Air Force (Air Forces Cyber) and the 25th Air Force to create a new information-warfare-focused command.
By all indicators, information currently sits near the top of the food chain of assets requiring protection. To that end, the U.S. Department of Defense (DOD) upped the ante on regulations around what types of information need protection and how much suppliers must protect that information.
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, published in October 2016, and the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 Revision 1, originally published December 2016 and updated in February 2018, are two such regulations.
DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," was designed to protect controlled unclassified information, such as information marked as ITAR (International Traffic in Arms Regulations), EAR (Export Administration Regulations) and FOUO (For Official Use Only).
It covers information technology (IT) cybersecurity from company-owned assets to cloud computing, but possibly more importantly it mandates compliance with NIST 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."
NIST 800-171 contains 110 unique requirements across 14 categories of information control, with which contractors must comply to ensure sufficient safeguards are in place to protect controlled unclassified information against cyberattacks. To emphasize the importance of these regulations, the DOD set a deadline for implementation of 31 Dec. 2017.
Of course, 31 Dec. 2017 has come and gone, so all government contractors comply by now, right? Well, not exactly, but to answer that question accurately, we first must understand what "compliance" really means.
Contractors would be considered compliant if they could demonstrate how they met all 110 controls within NIST SP 800-171 in a documented "system security plan," OR that they had a "plan of action and milestones" in place to meet all control requirements at some point in the future.
Moreover, "complete" was defined as having followed their plan and satisfactorily demonstrated compliance with all controls. Also of note, adherence to requirements would be based on self-assessment. As we approach the three-year mark since issuance of the original DFARS clause, it appears defense contractors are still struggling to meet these standards.
A report issued last month by Sera-Brynn, a cybersecurity compliance firm and certified auditor, noted that on average, companies assessed had only implemented 39 percent of required security controls. Perhaps even more concerning, the report refers to a survey conducted by the National Defense Industrial Association, which found that less than 60 percent of respondents had even read the cybersecurity clause.
Clearly the industry has found these regulations challenging to understand, assuming they bothered to read them, and even more challenging to successfully implement. So if the implementation deadline has come and gone and everyone is in the same boat, what's the sense of urgency for completely implementing all NIST SP 800-171 controls?
Well, first and foremost, we are clearly under attack, and per the 2018 MITRE study, "Deliver Uncompromised," supply chain, cyber-IT, cyber-physical and the human domain are the four primary attack vectors. The controls outlined in NIST are an essential component of the DOD's strategy to address these threats and protect critical information, protect warfighters and ultimately protect the U.S. and its allies.
Secondly, weak controls throughout the supply chain already have led to a multitude of security breaches with varying degrees of consequences, so there is a growing sense of urgency, as evidenced in a memorandum from the Secretary of the Navy, Richard V. Spencer, calling for a cybersecurity review.
Spencer writes "Securing the Navy's Cyberspace domain is one of my highest priorities…" and indicates "Complacency and an unwillingness to confront this challenge are not an option." And as if that weren't enough, when implemented effectively, these controls not only protect sensitive defense information, they protect precious corporate information and intellectual property.
For companies where security and trust are a core competency and a key differentiator, like all companies involved in delivering trusted computing solutions, not just understanding, but embracing NIST SP 800-171 should be a top priority. This has been the case for a vital few, such as Mercury Systems, which jumped on the DFARS/NIST train as soon as it hit the tracks.
To understand and address these requirements properly, Mercury assembled a cross-functional team with dedicated resources to assess its existing security controls against NIST regulations, put an architecture and plan in place that was aligned to the cyber kill chain, and executed that plan to achieve compliance by the mandated 31 December 2017 deadline and "completeness" by mid-2018. That said, success came at a steep price, with a host of new systems, processes, security protocols and training implemented over a nearly two-year period.
Meeting NIST may be tough, but so is the DOD
There is an elite set of suppliers who have completely implemented their compliance programs and an even smaller set that have had their compliance validated through an independent agency assessment. This will not be the case for much longer, as the DOD is moving toward stricter enforcement of the standards and intends to begin scoring contractors on their compliance by 2020, according to a recent Navy report.
Many primes are taking heed and working with their key suppliers to achieve and certify compliance before these heavier mandates hit. These regulations may seem complex and arduous, but they are designed to address an increasingly complex and sophisticated threat and thus must be taken to heart to fulfill the promise of a trusted computing supplier.
Laura Hanks is director of product marketing at Mercury Systems in Andover, Mass.