DOD Cybersecurity


If you are a DoD contractor and you are not complying with DFARS/NIST SP 800-171, your business is at risk.

DFARS 252.204-7009(b)(5) states that noncompliance can subject a contractor to criminal, civil, administrative, or contractual actions. In practice, the consequences may include:

  • Breach of contract damages
  • False Claims Act damages
  • Liquidated damages
  • Termination for default
  • Termination for convenience
  • Poor past-performance ratings
  • Suspension or debarment

The University of Tennessee Center for Industrial Services (UT CIS) uses a four-step process to assess your company’s cybersecurity practices against NIST SP 800-171 and to help you implement what is missing.

Step 1: Discovery - A professional assessment of your company’s current practices against the NIST SP 800-171 requirements. Where necessary, a gap analysis is completed to document the scope of what must be remediated.

  • Pre-Discovery - Our pre-discovery checklists and initial evidence requests focus on your organization’s existing policies, training programs, IT systems documentation, and the flow of data through your organization.
  • Assessment - NIST SP 800-171 specifies 110 security requirements that contractors subject to DFARS 252.204-7012 must implement. Our assessment maps all 110 requirements to the applicable areas of your business and gives an informed judgment as to whether each requirement is currently met. The assessment serves as the focal point for all proof documentation, compensating controls, and explanations of how each requirement applies to your organization, and it is cross-referenced with your remediation plan. It also includes a gap analysis, which shows your organization where it is, and is not, compliant with the standard.
  • Gap Report - Based on the results of the assessment, a Gap Report is developed and presented to your organization for review. This report lists the steps required to bring your business into compliance with NIST SP 800-171.

Step 2: Remediation - This phase covers all fixes needed to reach compliance.

  • Upon your selection and approval of remediation services, UT CIS will track the completion of implementation milestones against the timelines identified in your remediation plan.
  • As milestones in the remediation and implementation process are reached, and upon completion of the remediation plan, UT CIS will provide comprehensive updates and reporting for use internally and with interested third parties.

Step 3: Test and Validate - This phase verifies that the technical and physical security controls are working as intended.

  • Based on the scope of your organization’s systems and the certification requirements of the contractors you work with, UT CIS will recommend the appropriate tests, audits and scans and connect your organization with relevant providers in our partner network.

Step 4: Monitoring/Reporting - This phase establishes the ongoing monitoring and scanning of the in-scope enterprise network that the standard requires. It also creates a working process to log, remediate and report cyber incidents.

  • Based on the scope of your network systems and the NIST requirements for continuous monitoring, UT CIS will connect your organization with our partner network of monitoring providers and provide standardized processes and procedures for reporting cyber incidents to DoD as DFARS 252.204-7012 requires (reports are submitted through the DIBNet portal at https://dibnet.dod.mil within 72 hours of discovery).


DFARS / NIST SP 800-171 Compliance

The U.S. Department of Defense (DoD) is getting serious about cybersecurity. Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires defense contractors (and in many cases subcontractors) to protect Controlled Unclassified Information (CUI) by implementing the security requirements of NIST SP 800-171.

The deadline for implementing NIST SP 800-171 was December 31, 2017. For these businesses, compliance is therefore already overdue, not a future goal.

If you are subject to DFARS clause 252.204-7012 and you are neither compliant with the security requirements in NIST Special Publication 800-171 nor able to produce a System Security Plan with a detailed and credible Plan of Action and Milestones (POA&M) for becoming compliant in the near term, you are in violation of the terms of your contract.

Failure to produce proof of compliance, or of documented progress towards it, could cost your company contracts to competitors who can demonstrate DFARS compliance.

What does the DFARS clause require contractors and subcontractors to do?

  1. Provide “adequate security” to safeguard “covered defense information” that resides on or is transmitted through a contractor’s internal information system or network.
  2. Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support.
  3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center (DC3).
  4. If requested, submit media and additional information to support a DoD damage assessment.
  5. Flow down these requirements in subcontracts to subcontractors involved in “operationally critical support,” or where subcontract performance involves covered defense information.

The full text of DFARS Subpart 204.73 can be found here: http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm


Self-Assessment Handbook - NIST Handbook 162

The National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) Cybersecurity Self-Assessment Handbook was developed to assist U.S. manufacturers who supply products to the DoD in implementing NIST SP 800-171 as part of the process of complying with DFARS Clause 252.204-7012. Although written for manufacturers, the Handbook can be used by any DoD contractor to assess its NIST SP 800-171 compliance. It provides a step-by-step guide to assessing an organization’s information systems against the security requirements in NIST SP 800-171 Revision 1.

The handbook can be found here: http://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf


Cybersecurity Template

This 127-page template, developed by the Georgia Tech Procurement Assistance Center (GTPAC), is designed to help contractors create a Security Assessment Report, a System Security Plan, and a Plan of Action and Milestones. The template is a Word document, designed for easy customization, and is intended to be used in conjunction with the NIST-MEP Cybersecurity Self-Assessment Handbook linked above.

http://gtpac.org/wp-content/uploads/2017/12/Cybersecurity-Template-Final-Version-12.15.17-v2.docx


For further assistance with complying with DoD’s contractual cybersecurity requirements, contact your local Solutions Consultant.


Cybersecurity Assessment Tool

The NIST MEP Cybersecurity Assessment Tool (https://www.surveymonkey.com/r/Z7RVFWV) allows U.S. small manufacturers to self-evaluate the level of cyber risk to their business. The assessment is based on the NIST Cybersecurity Framework, not on NIST SP 800-171. This tool is to be used for guidance only; it does not imply approval by NIST MEP or UT CIS and cannot be used to demonstrate DFARS compliance.