This article series is meant to provide crucial information to government contractors regarding the cybersecurity policies of the United States Government (“USG”). If you missed Part 1, it began the discussion with a review of FAR § 52.204-21 (the “basic rule”) and DFARS § 252.204-7008 (the “compliance clause”). This second installment in the 3-part series begins a discussion of DFARS § 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting (the “CDI clause”), focusing on the specific requirement for contractors to provide “adequate security.” The remaining requirements contained in the CDI clause will be covered in Part 3.
DFARS § 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
The purpose of the CDI clause is to ensure that any unclassified DoD information stored, processed, or transmitted through a contractor’s internal information system is safeguarded from cyber incidents. Should a cyber incident occur, the CDI clause’s reporting and damage assessment processes are designed to minimize the harm from that incident. Because of this mission, the CDI clause is required to be included in all DoD solicitations and contracts, with the only exception being solicitations and contracts solely for the acquisition of commercially available off-the-shelf (COTS) items.
The CDI clause contains several important definitions, but perhaps the most important is the meaning of CDI — Covered Defense Information. According to the CDI clause, “covered defense information” means: Unclassified controlled technical information (i.e., non-public technical information with military or space application subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination) or other information as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is–
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Another important definition provided by the CDI clause is of a “covered contractor information system,” which means an unclassified information system owned or operated by a contractor, or by a third-party on the contractor’s behalf, that processes, stores, or transmits CDI (“Covered IT System”).
The CDI clause contains several elements that must be adhered to by Contractors, foremost of which are the requirements to provide Adequate Security and Cyber Incident Reporting. The Adequate Security requirement will be discussed below, with the Cyber Incident Reporting requirement to be discussed in Part 3.
Adequate Security Requirement
The CDI clause requires contractors to provide “adequate security” on all Covered IT Systems. This is, by far, the most extensive requirement of the CDI clause, and it requires a great deal of consideration and action by the contractor.
For any Covered IT System not operated on behalf of the USG — meaning the system is operated for the contractor’s own purposes, and is simply used in the contractor’s performance under its government contract — the contractor is required to meet the security requirements in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” as in effect at the time the solicitation was issued (or as authorized by the CO). The stated purpose of NIST SP 800-171 is to provide federal agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (“CUI”) residing in non-federal systems. CUI is defined generally as any non-classified information that is required by law, regulation, or government-wide policy to have safeguarding or dissemination controls.
NIST SP 800-171 does not prescribe specific, detailed security controls or products, but rather states the required outcomes and lets contractors meet them by using or adapting the systems and practices they already have in place. In September 2017, the DoD released guidance on meeting the security requirements of NIST SP 800-171. The DoD guidance explained that NIST SP 800-171 essentially requires a contractor to determine what its company policy should be on an issue (e.g., the interval between required password changes), and then configure its IT systems to enforce that policy. NIST SP 800-171 notes that there is no one method that contractors must use to implement the security requirements, or even to assess compliance with those security requirements. For most contractors implementing the security requirements of NIST SP 800-171, the starting point is to examine each requirement to determine whether it is already covered by current company policies or processes, and if not, to determine how the company should change its IT policy or processes to meet the requirement. The DoD guidance on NIST SP 800-171 suggests that smaller companies may satisfy many of the security requirements manually, for example by performing configuration management or patch management by hand. Larger and more complex systems, on the other hand, may require automated tooling to perform the same tasks.
Ultimately, it is up to the contractor to determine which of the requirements can be handled in house, and which require outside assistance. While numerous IT companies can help a contractor meet the NIST SP 800-171 requirements, it is the duty of the contractor to ensure compliance. The DoD does not require, authorize, or recognize third-party assessments of compliance with NIST SP 800-171, nor will it certify that a contractor is compliant. Rather, NIST SP 800-171 allows contractors to demonstrate implementation (or planned implementation) of the security requirements with a System Security Plan and associated Plans of Action.
A System Security Plan should be used by a contractor to describe how it meets the security requirements, including the system boundary, the operational environment, and the relationships with and connections to other systems. Because contractors are given a great deal of leeway as to how they will meet the security requirements of NIST SP 800-171, a System Security Plan also should be used to describe any enduring exceptions to the security requirements. A Plan of Action should be used to describe how the contractor will correct deficiencies and reduce (or eliminate) vulnerabilities in the contractor’s system, along with who is responsible and by when. However, as reiterated in the DoD guidance, there is no required format for either a System Security Plan or Plans of Action. Contractors can develop these as separate or combined documents, and in any chosen format.
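The policy-then-configure approach described in the DoD guidance, and the Plan of Action that records what has not yet been brought in line, can be illustrated with a small compliance check. The following is an added example written for this article, not code from the article, NIST, or the DoD guidance. It assumes a hypothetical company policy (the numeric thresholds are the contractor’s own choice, not values taken from NIST SP 800-171) and runs it against constructed excerpts of a Linux host’s /etc/login.defs and /etc/ssh/sshd_config; the setting names are real, the contents are made up for the example.

```python
"""Compare a host's authentication settings with a written company policy
and emit Plan of Action items for each gap.  Added example; the policy
values and the configuration snippets below are constructed for illustration."""
import re
from dataclasses import dataclass

# Company policy as (setting, comparison, required value).  These values are
# assumed for the example; NIST SP 800-171 leaves the actual values (such as
# the password change interval) to the contractor.
POLICY = [
    ("PASS_MAX_DAYS", "<=", 90),             # passwords expire within 90 days
    ("PASS_MIN_DAYS", ">=", 1),              # no same-day re-change to defeat history
    ("PASS_MIN_LEN", ">=", 14),              # minimum password length
    ("PermitRootLogin", "==", "no"),         # no direct root login over SSH
    ("PasswordAuthentication", "==", "no"),  # key-based SSH only
]

# Constructed sample of a host's /etc/login.defs (relevant lines only).
SAMPLE_LOGIN_DEFS = """
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
UMASK           022
"""

# Constructed sample of the same host's /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = """
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
"""


@dataclass
class Finding:
    setting: str
    required: str
    observed: str


def parse_key_value(text, first_wins=False):
    """Parse 'KEY value' lines, skipping blanks and '#' comments.
    sshd_config uses the first value given for a keyword, so callers pass
    first_wins=True for it; for login.defs a single definition per key is assumed."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(\S+)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if first_wins:
            settings.setdefault(key, value)
        else:
            settings[key] = value
    return settings


def _satisfies(observed, op, required):
    """True when the observed string meets the policy comparison."""
    if op == "==":
        return observed.lower() == str(required).lower()
    try:
        n = int(observed)
    except ValueError:
        return False
    return n <= required if op == "<=" else n >= required


def evaluate(settings, policy=POLICY):
    """Return one Finding per policy item the host does not satisfy.
    A setting that is absent is a finding too: the default is not trusted."""
    findings = []
    for key, op, required in policy:
        observed = settings.get(key)
        if observed is None or not _satisfies(observed, op, required):
            findings.append(Finding(key, f"{op} {required}",
                                    observed if observed is not None else "not set"))
    return findings


def plan_of_action(findings):
    """Render findings as Plan of Action lines; no format is mandated."""
    return [f"{f.setting}: observed {f.observed}, policy requires {f.required}"
            for f in findings]


def audit_host(login_defs=SAMPLE_LOGIN_DEFS, sshd_config=SAMPLE_SSHD_CONFIG):
    """Parse both files and evaluate them against the company policy."""
    settings = parse_key_value(login_defs)
    settings.update(parse_key_value(sshd_config, first_wins=True))
    return evaluate(settings)


if __name__ == "__main__":
    for item in plan_of_action(audit_host()):
        print(item)
```

Run against the constructed samples, every policy item produces a finding, which is the list a contractor would carry into its Plan of Action with an owner and a target date. Two caveats for real use: on PAM-based distributions the effective minimum password length is set by pam_pwquality rather than PASS_MIN_LEN, so the check would need to read that configuration as well, and a missing key is deliberately reported as a gap rather than assumed to be the secure default.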
NIST SP 800-171 contains 110 security requirements organized into 14 “families.” Each family contains the requirements related to its general security topic. For example, the System Security Plan and Plans of Action are two of the requirements in the “Security Assessment” family. The 14 families of NIST SP 800-171 are as follows:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
While there is no defined procedure for the DoD to assess whether a contractor meets the security requirements of all 14 families, NIST SP 800-171 and the DoD guidance allow procuring agencies to consider an offeror’s implementation of NIST SP 800-171 in the procurement process. For example, a procuring agency may consider an offeror’s implementation of NIST SP 800-171 (through the System Security Plan or otherwise) in determining the risk inherent in processing, storing, or transmitting CDI on the offeror’s IT system. Procuring agencies can also establish compliance with the CDI clause (and by extension, NIST SP 800-171) as a separate technical evaluation factor.
If a procuring agency decides to use an offeror’s implementation of NIST SP 800-171, as documented in the System Security Plan or otherwise, in the evaluation process, it is required to include the evaluation scheme in the solicitation so that offerors are on notice. In addition to the evaluation process, an agency also has the option to incorporate (usually by reference) a contractor’s System Security Plan into an awarded contract. In such a case, it is vitally important for contractors to properly mark their System Security Plans with an appropriate restrictive notice indicating the proprietary nature of the document.
The requirement to provide Adequate Security necessitates an honest and comprehensive assessment of a contractor’s company policies and processes relating to cybersecurity. However, the Adequate Security requirement is but one element of the CDI clause. The additional requirements of the CDI clause, including the Cyber Incident Reporting requirement, will be covered in Part 3 of this article series.
If you have questions about this or any other cybersecurity matter, please contact me firstname.lastname@example.org.
ABOUT BRYAN KING
Bryan King focuses his practice on federal contracting matters, including handling all aspects of bid protests and appeals. He has represented numerous government contractors before the U.S. Court of Federal Claims, Government Accountability Office (GAO), Small Business Administration (SBA) Office of Hearings and Appeals, the Civilian and Armed Services Boards of Contract Appeals, and other government agencies on procurement-related issues.
ABOUT OFFIT KURMAN
Offit Kurman is one of the fastest-growing, full-service law firms in the Mid-Atlantic region. With over 170 attorneys offering a comprehensive range of services in virtually every legal category, the firm is well positioned to meet the needs of dynamic businesses and the people who own and operate them. Our eleven offices serve individual and corporate clients in the Virginia, Washington, DC, Maryland, Delaware, Pennsylvania, New Jersey, and New York City regions. At Offit Kurman, we are our clients’ most trusted legal advisors, professionals who help maximize and protect business value and personal wealth. In every interaction, we consistently maintain our clients’ confidence by remaining focused on furthering their objectives and achieving their goals in an efficient manner. Trust, knowledge, confidence—in a partner, that’s perfect.