If you do any kind of military contract work, you are required to implement a minimum set of cybersecurity controls in your organization. The DoD requires all military contractors and subcontractors to adhere to DFARS 252.204-7008, which is essentially a pointer to NIST SP 800-171.
NIST SP 800-171 is entitled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. It differs from the NIST Cybersecurity Framework (CSF) in that it focuses only on the confidentiality of data, not on its integrity or availability. According to NIST:
“Some SP 800-171 security requirements are not mapped to any CSF subcategories due to the scoping of SP 800-171 which is focused solely on protecting the confidentiality of CUI in nonfederal systems (i.e., security requirements supporting availability and integrity are not addressed in SP 800-171) and assumes some security best practices to be routinely satisfied by nonfederal organizations as part of conducting business.”
So what does compliance look like? What do companies have to do? Well, firstly, this requirement became effective on December 31st, 2017, so you’re already over 6 months past due if you haven’t started working toward compliance yet.
Secondly, there are 14 core requirement areas in NIST SP 800-171, and they are:
- Access Control – Least privilege, separation of duties, limit unsuccessful login attempts, screen lock after a period of inactivity, encrypt CUI on mobile devices, wireless access must require a password
- Awareness & Training – Security awareness training, training on malicious insider threats (online or in-person)
- Audit & Accountability – Each user’s actions must be able to be uniquely traced, synchronization of IT systems’ clocks, correlation of logs from different systems
- Configuration Management – Server and workstation images that are hardened, application white/blacklisting
- Identification & Authentication – Multifactor authentication, unique user accounts (not shared), minimum password complexity
- Incident Response – Written framework unique to each organization’s requirements. Must be regularly tested.
- Maintenance – Sanitize systems of CUI when it is no longer needed; check media containing diagnostic/test programs for malicious code before it is used in an information system.
- Media Protection – Mark media with CUI as having CUI, lock drawers of paper with CUI, encrypt media, prohibit portable devices that don’t have an identifiable owner
- Physical Protection – Escort visitors, log physical building/room access, ensure teleworker sites (work from home) are secure
- Personnel Security – Background checks, pre-employment screening
- Risk Assessment – Vulnerability scanning, periodic risk assessments
- Security Assessment – Periodically assess technical controls, monitor and assess the effectiveness of security controls (Penetration Testing)
- System and Communication Protection – Explicit deny-all, encryption at rest and in motion, effective subnetting
- System & Information Integrity – Protect from malicious code (AV/anti-malware), SIEM / IPS to detect unauthorized use of systems
If you’ve done nothing to move towards compliance, start with the DFARS gap analysis, as this will give you a baseline and focus your remediation and compliance efforts going forward.
DFARS Cybersecurity Gap Analysis (needed to get a baseline and catalog gaps within each of the 14 summary requirements)
Security Awareness Training Program
- NIST SP 800-171 Requirement 3.2.1
Incident Response Policy
- NIST SP 800-171 Requirement 3.6.1
- NIST SP 800-171 Requirement 3.11.1
- NIST SP 800-171 Requirement 3.11.2
Internal & External Combined Pen Test
- NIST SP 800-171 Requirement 3.12.1
Policy Review & Development
- NIST SP 800-171 Various Sections
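The Audit & Accountability item above asks for three things at once: every user's actions must be uniquely traceable, system clocks must be synchronized, and logs from different systems must be correlated. The Python script below is an added example, not part of the original post, that shows why the three belong together. It attributes CUI file reads on a file server to the VPN session that brought the user in; a 90-second clock skew on the file server makes a legitimate access look as if it happened before the user logged in, until the measured offset is applied. The log lines, key=value format, host names, users, paths and the offset value are all constructed assumptions.

```python
"""Correlating per-user events across two systems (Audit & Accountability).

Added example, not from the original post. All log lines below are constructed;
the '<iso8601> key=value ...' format, host names, users and paths are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample logs. vpn01 is assumed NTP-synced; fs01's clock runs 90 s slow.
VPN_LOG = [
    "2018-07-16T08:00:05Z host=vpn01 user=jdoe event=vpn_login src=203.0.113.5",
    "2018-07-16T08:00:40Z host=vpn01 user=asmith event=vpn_login src=198.51.100.7",
    "2018-07-16T09:15:00Z host=vpn01 user=jdoe event=vpn_logout",
]
FILE_LOG = [
    # True time 08:01:00, but fs01's slow clock stamps it 90 s early.
    "2018-07-16T07:59:30Z host=fs01 user=jdoe event=file_read path=/cui/contract.pdf",
    "2018-07-16T08:05:00Z host=fs01 user=asmith event=file_read path=/cui/drawing.dwg",
    # No VPN login exists for this account at all.
    "2018-07-16T08:20:00Z host=fs01 user=bwong event=file_read path=/cui/pricing.xlsx",
]


def parse_line(line):
    """Parse '<iso8601> key=value ...' into a dict with a tz-aware 'ts' field."""
    ts_text, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def apply_offsets(events, host_offsets):
    """Shift each event by its host's measured clock offset (seconds to add to
    the host's clock to obtain true time). Hosts with no entry are left alone."""
    corrected = []
    for ev in events:
        ev = dict(ev)
        ev["ts"] = ev["ts"] + timedelta(seconds=host_offsets.get(ev["host"], 0))
        corrected.append(ev)
    return corrected


def build_sessions(vpn_events):
    """Pair each user's VPN login with the following logout (None = still open)."""
    sessions = {}
    for ev in sorted(vpn_events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "vpn_login":
            sessions.setdefault(user, []).append((ev["ts"], None))
        elif ev["event"] == "vpn_logout" and sessions.get(user):
            start, end = sessions[user][-1]
            if end is None:
                sessions[user][-1] = (start, ev["ts"])
    return sessions


def classify(file_ev, sessions):
    """Attribute a CUI file access to a VPN session, or say why that fails."""
    user_sessions = sessions.get(file_ev["user"])
    if not user_sessions:
        return "no_session"  # no VPN login by that account: investigate
    ts = file_ev["ts"]
    for start, end in user_sessions:
        if start <= ts and (end is None or ts <= end):
            return "within_session"
    return "before_login" if ts < user_sessions[0][0] else "after_logout"


def analyze(vpn_lines, file_lines, host_offsets):
    """Return {path: status} for every file access after clock correction."""
    vpn_events = apply_offsets([parse_line(l) for l in vpn_lines], host_offsets)
    file_events = apply_offsets([parse_line(l) for l in file_lines], host_offsets)
    sessions = build_sessions(vpn_events)
    return {ev["path"]: classify(ev, sessions) for ev in file_events}


if __name__ == "__main__":
    print("uncorrected:", analyze(VPN_LOG, FILE_LOG, {}))
    print("corrected:  ", analyze(VPN_LOG, FILE_LOG, {"fs01": 90}))
```

Run uncorrected, the read of /cui/contract.pdf is reported as happening before jdoe's login, which is the kind of false lead a skewed clock produces during an incident; with the measured 90-second offset applied it falls inside the session. The access by bwong stays unexplained either way, which is the event a SIEM rule under System & Information Integrity should raise. In production the skew is fixed at the source by synchronizing every host's clock, not corrected afterwards; the offset table here only makes the effect visible.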
We can help. If you are a defense contractor in need of DFARS cybersecurity compliance consulting or related IT security services in NJ, NYC or the surrounding areas, contact us.