ROADMAP TO DFARS COMPLIANCE
ARE YOU READY FOR THE 12/31/17 DEADLINE?

In our ebook, we have answered the most common questions we receive from companies preparing for DFARS compliance. Don't risk terminated contracts and lost business opportunities. Gain a major competitive advantage over non-compliant competitors and start on the path to compliance today! The clock is ticking.
According to the World Economic Forum's 2016 Global Risks Report, cybercrime will cost the global economy $445 billion in 2017, higher than many countries' national incomes. 2017 has been marked by high-profile cyberattacks, including the WannaCry ransomware attacks, multimillion-dollar bank heists, and a series of major data breaches. In our increasingly connected world, the threat of cyberattack only increases, especially for those handling sensitive information. Federal defense contractors today are a prime target of sophisticated and coordinated cyberattacks.

To protect our country's crown jewels, Department of Defense (DoD) contractors must demonstrate compliance with the newly issued Defense Federal Acquisition Regulation Supplement (DFARS) requirements by December 31, 2017. DFARS contains a number of provisions and clauses that can be complicated and confusing to navigate for large and small businesses alike. The regulation has two primary requirements for all contractors, subcontractors, and other relevant business partners:

1. The implementation of National Institute of Standards & Technology (NIST) Special Publication (SP) 800-171 controls
2. The establishment of cyber incident reporting procedures.
Table of Contents

Does DFARS apply to my company? ... 4
What are the consequences of non-compliance? ... 4
What information does DFARS protect? ... 5
What clauses and provisions do I need to comply with? ... 6
What is the roadmap to DFARS compliance? ... 8
How can Aronson help my company achieve compliance? ... 9

AronsonLLC AronsonLLC.com 3
Does DFARS apply to my company?

DFARS compliance requires all defense contractors to safeguard Covered Defense Information (CDI) within their custody. If you answer yes to any of these questions, then DFARS requirements apply to your company:

Is your company a DoD contractor, subcontractor, or other business partner? ... Very likely.
Does your company work with CDI, Controlled Unclassified Information (CUI), or Unclassified Controlled Technical Information (UCTI)? ... Absolutely.
Is DFARS Provision 252.204-7008 in the language for a solicitation you are bidding on? ... Absolutely.
Is DFARS Clause 252.204-7012 used in your existing contract requirements? ... Absolutely.

What are the consequences of non-compliance?

The deadline for DFARS compliance is December 31, 2017. Non-compliant contractors will at this time be debarred or disqualified from any new DoD contracts. Companies that meet the DFARS requirements will enjoy a competitive advantage and a continued business relationship with the DoD. Defense contractors should select teaming partners with great care to avoid teaming with non-compliant companies. Prime contractors should seek assurances from subcontractors that, to their knowledge, they have not been excluded from participation in any relevant procurement involving the DoD.
What information does DFARS protect?

DFARS enforces standardized controls for how the following types of sensitive information are processed, stored, and transmitted in non-federal information systems (i.e. defense contractors' systems).

CDI: COVERED DEFENSE INFORMATION
UCTI or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and that is either:
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. (DFARS 204.7301)

CUI: CONTROLLED UNCLASSIFIED INFORMATION
Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. (NIST SP 800-171)

CTI: CONTROLLED TECHNICAL INFORMATION
Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. (DFARS 204.7301)
What clauses and provisions do I need to comply with?

DFARS will be enforced through clauses and provisions associated with the procurement process. Clauses are terms or conditions used in contracts and solicitations. A clause either applies after contract award or both before and after award. Provisions are terms or conditions used in solicitations that apply only before contract award. DFARS Section 204.7304 details the following solicitation provisions and clauses.

DFARS 252.204-7008: Compliance with Safeguarding Covered Defense Information Controls

This provision requires defense contractors to implement NIST SP 800-171 controls no later than December 31, 2017. NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations includes 110 controls organized by 14 families. Table 1 below lists the number of controls within each of the NIST SP 800-171 control families.

Table 1: NIST SP 800-171 CONTROL FAMILIES (number of controls)

Access Control (22)
Awareness & Training (3)
Audit & Accountability (9)
Configuration Management (9)
Identification & Authentication (11)
Incident Response (3)
Maintenance (6)
Media Protection (9)
Personnel Security (2)
Physical Protection (6)
Risk Assessment (3)
Security Assessment (4)
System & Communications Protection (16)
System & Information Integrity (7)

Total: 110 controls across 14 families.
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

This clause requires contractors to implement adequate security on all covered contractor information systems by implementing NIST SP 800-171 controls. A covered contractor information system is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits CDI. Adequate security is defined as protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to or modification of information. These requirements do not apply to contractor information systems that are not part of an IT service or system operated on behalf of the government.

This clause also details the approved medium for reporting cyber incidents and the types of incidents that should be reported (e.g. malicious software), along with media preservation and protection measures. Related requirements regarding post-incident analysis are included. All incidents must be rapidly reported, which equates to within 72 hours of cyber incident discovery.

Finally, this clause allows contractors to identify situations in which a required control might not be applicable or an alternative control exists. If a potential exemption has been identified, the request must be submitted to the Contracting Officer (CO) for consideration. The request should sufficiently detail the rationale for the exemption, which could be the presence of compensating controls. Subcontractors must notify the prime contractor (or next higher tier) of the request submission. An authorized representative of the DoD Chief Information Officer (CIO) will provide the final decision on exemption requests.
DFARS 252.204-7009: Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information

This clause requires that defense contractors use CDI only for appropriate purposes in accordance with contract requirements. It also details safeguards the contractor must implement to protect such information, which include requiring employees to be aware of their non-disclosure obligations. This clause must also be included within any subcontracts.

DFARS 252.239-7010: Cloud Computing Services

This clause details cloud computing security requirements when cloud services are used to perform a contract. The requirements include the implementation and maintenance of administrative, technical, and physical safeguards in accordance with the Cloud Computing Security Requirements Guide. Cyber incidents related to cloud computing must also be reported accordingly.

For all contracts awarded prior to October 1, 2017, the contractor must notify the DoD CIO, via email at osd.dibcsia@mail.mil, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
What is the roadmap to DFARS compliance?

In order to meet the December 31, 2017 deadline, time is of the essence! As there are 110 controls in NIST SP 800-171, there is no time to waste. Our structured approach, featuring a gap analysis, will help your business focus its efforts and make informed decisions on a remediation approach for deficient areas. Figure 1 below summarizes the Aronson DFARS Roadmap Compliance Stages.

[Figure 1: Aronson DFARS Compliance stages, shown as a cycle: Applicability, Readiness Assessment, Remediation, Continuous Monitoring]

DID YOU KNOW: The cost of DFARS compliance is considered an allowable cost under the Federal Acquisition Regulation (FAR) and Cost Accounting Standards (CAS).
Evaluate Applicability
- Review contracts to identify relevant DFARS clauses and provisions.
- Review DFARS to determine the type of CDI or CUI that may be in use.
- Confirm applicability with the CO as needed to establish mutual understanding.
- Determine the system boundaries that support compliance.

Perform Readiness Assessment
- Conduct a control gap analysis against NIST SP 800-171.
- Develop recommendations for identified deficiencies.
- Hold discussions with subcontractors and other business partners as needed to ensure they are on track for compliance as well; this includes coordination for breach management and notification.

Execute Remediation Plans
- Develop or revise controls as needed to remediate control gaps against NIST SP 800-171.
- Conduct validation testing after remediation is completed to confirm controls are designed and operating effectively (as determined by management).

Conduct Continuous Monitoring
- Develop a continuous monitoring program including tools, templates, reports, and metrics.
- Conduct monitoring activities and provide status updates to relevant stakeholders on performance.

How can Aronson help my company achieve compliance?

For more than 35 years, Aronson has focused on serving the unique needs of the government contracting industry, which today is the single largest segment of our business. We work with more than 800 government contractors, including many emerging small businesses, established government contractors, and large commercial companies entering the government market for the first time. Our Technology Risk Services Group is committed to helping government contractors better manage technology risks and navigate the complexities of compliance. Our dedicated team members offer significant experience supporting both federal agencies and contractors with IT control compliance and remediation projects. Our combined experience in these areas provides our team with a unique perspective and a level of knowledge that is unparalleled.
Whether your company needs help with conducting all or some of the compliance roadmap stages, our team is ready to partner with you to support your achievement of DFARS compliance on time and on budget.
Don't risk the consequences of non-compliance. Contact Payal Vadhani today and secure a major competitive advantage against non-compliant competitors.

Payal Vadhani
Technology Risk Services Group Lead Partner
301.231.6259
pvadhani@aronsonllc.com