Slow Speed Ahead for Contractor Compliance
New DFARS cybersecurity regulations are demanding, especially for small businesses, but solutions exist.
Complying with federal cybersecurity standards, though essential for the defense industrial base and national security at large, presents immense fiscal challenges for smaller businesses that struggle every day to meet the demanding requirements—without breaking the bank.
If not addressed soon, small business noncompliance with the standards spelled out in the Defense Federal Acquisition Regulation Supplement, or DFARS, could have the unintended consequence of severely diminishing the sector’s role in defense contracting, exacerbating concerns about bringing the entire industrial base into compliance. It is a responsibility shared by all businesses doing work for the Defense Department—small, medium and large.
The consternation began in November 2013, when DFARS subpart 204.73 went into effect and required all Defense Department contractors to comply with a designated set of security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53. The publication was issued as a direct response to the growing number of cyber espionage incidents where adversaries stole sensitive government information—often from a contractor or subcontractor. The change mandated compliance when unclassified controlled technical information (UCTI) passed through or was stored in defense networks or systems.
In spite of the mandate, not much happened when it actually went into effect.
The DFARS imposition of cybersecurity requirements on contractors for the first time led to considerable confusion—and resistance—about the implementation approach. Contractors did not know, for example, when to apply UCTI restrictions; who would review and enforce the standards from within the government; or who would cover the cost of bringing contractor systems into compliance. In fact, few contracting officers even included the clause in contracts, and most made no effort to validate implementation controls. Large contractors hesitated to hire auditors to inspect their subcontractors, yet held tightly to anxious concerns about liability risks based on their subcontractors’ state of compliance—or lack thereof.
This major issue has slowed implementation of the cybersecurity DFARS clause into contracts. The Defense Procurement and Acquisition Policy (DPAP) tracks and grades contracting practices in all the services and defense agencies such as the Defense Logistics Agency and Defense Contract Management Agency. During the first quarter of 2014, following issuance of the DFARS cybersecurity requirements, less than 20 percent of defense contracts contained the requirement clause. However, midway through 2015, roughly 80 percent contained it—a clear indication that a goal of 100 percent participation is not far away. The take-away is that all defense contractors, going forward, will need a compliant cybersecurity profile to receive contracts. The stakes are high for contractors big and small: If they don’t play by the rules, they will be out of the game.
Although slow, the effort to achieve compliance has recorded some progress. Updated regulations now cover cloud computing. The original DFARS clause pointed to 51 controls and enhancements that required contractors to notify the Defense Department through a special portal within 72 hours of a cyber incident. The new requirements broadly define the information contractors must seek to protect and mandate that breached companies provide copies of preserved images of compromised media. In September, the DPAP published significant revisions that changed the basis of compliance and broadened the definition of protected information to what is now called “covered defense information.” Additionally, the DPAP requires prior approval from the Defense Department’s chief information officer (CIO) for any deviations from compliance and restricts the use of cyber incident information provided by third-party contractors. During the bidding process, businesses also must declare their intentions to use cloud computing or request approval from a contracting officer, who must get the OK—a lengthy and difficult undertaking—from the Defense Department’s CIO.
Compliance can be daunting, requiring an in-depth understanding of the standards, assessments and appropriate remediation procedures. Well-trained in-house staff can perform the assessments, or businesses can hire qualified service providers to do audits. Until recently, however, assessment and compliance tools were labor-intensive spreadsheets and text documents, complicating the already arduous but vital record-keeping process needed for accreditation and certification to do business with the Defense Department.
As it stands, the government offers no certification rules, which means some contractors provide “self-certifications” of compliance. Arguably, the practice presents a serious conflict of interest—if not actual, then certainly at least perceived. In some cases, service providers supply letters attesting compliance, but the practice lacks standardization.
An effective and affordable solution is the Defense Industrial Base Information Sharing and Analysis Center’s (DIB ISAC’s) CyberVerify process and a database software tool called the i2ACT-800, developed by Imprimis Inc., which helps reduce the labor and cost of compliance. CyberVerify, recognized as a qualified third-party cybersecurity auditor, assesses systems of record and offers remediation services as required. The DIB ISAC reviews audit results and awards compliance certificates when contractors meet all requirements. Contractors also can use the Department of Homeland Security’s Cyber Security Evaluation Tool (CSET), but it does not include the NIST 800-171 requirements that outline procedures for protecting UCTI in nonfederal information systems and organizations. It also does not lend itself to convenient auditing of cybersecurity controls and practices.
The i2ACT-800 is designed specifically for cybersecurity compliance auditing and document control and contains more than two dozen baselines from the DFARS and NIST guidelines. The solution can be tailored with overlays designed to fit an organization’s exact cybersecurity requirements, and it uses numerous questions, supplemental guidelines and suggested evidence to aid in the assessment process. It contains various sections, from references to risk categorization, assessment, report and database management. The document-management feature combines information into a single file, and the report-capability component provides contracting officers, prime contractors and auditors with the needed reports. It allows up to 20 people to collaborate on a single assessment database at once, a significant time-saver. Finally, it provides DIB ISAC with a consistent, standardized format for certification.
Case studies indicate that i2ACT-800 decreases the work involved in performing an initial assessment by at least 50 percent and reduces the labor associated with updating an assessment by 75 percent to 80 percent. CyberVerify with i2ACT-800 makes compliance viable for all businesses and provides a model that lets prime contractors rapidly, and in a standardized method, assess subcontractor cybersecurity compliance. And that could be a relief to contractors big and small seeking to do business with the government.
Michael Semmens is president of Imprimis Inc., an organization supporting government and private businesses with cybersecurity compliance tools and space-based technology, advanced engineering and structured training.