Current

Cybersecurity requirements are listed in both solicitations and contracts. These requirements can vary significantly from one agency to another. Therefore, it is important for companies to thoroughly review each solicitation and contract to identify and understand the necessary cybersecurity measures.

Companies should pay close attention to both provisions and clauses cited or referenced and ensure they have the capabilities to meet these requirements. Provisions apply to solicitations, while clauses can apply to both solicitations and contracts.

For assistance with these reviews, companies can contact the Wisconsin Procurement Institute at 414-270-3600 or via email at info@wispro.org.

Familiarize

  • Access and review the following clauses and provisions:
    • FAR 52.204-21
    • DFARS 252.204-7008 (Provision)
    • DFARS 252.204-7012
    • DFARS 252.204-7019 (Provision)
    • DFARS 252.204-7020
    • NIST SP 800-171 r2
    • DoD Basic Assessment
    • Review requirements for obtaining a Medium Assurance Certificate


Determine Requirements

  • FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems applies to all FAR-based contracts. This clause lists 15 basic safeguarding requirements and procedures for protecting covered contractor information systems when a contract involves Federal Contract Information (FCI). FCI can be provided by or generated for the Government. Most importantly, FCI is not intended for public release.
  • Companies performing DoD contracts, or attempting to win DoD contracts, will need to implement the requirements of DFARS 252.204-7012. This DFARS clause requires that the contractor provide “adequate security for all covered contractor information systems.” Adequate security includes, as a minimum, implementing the 110 security requirements of NIST 800-171 r2 and fulfilling the remaining requirements of DFARS 252.204-7012.


Document and Describe

  • Document the company’s current cybersecurity program in a System Security Plan (SSP), NIST 800-171 r2 requirement 3.12.4: “The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems.” (NIST 800-171 r2, page 9.)
  • Companies may need more than one SSP. For example, the primary SSP should be developed for the main (primary) office, but not all work involving CUI is limited to one location. Additional plans or annexes to the primary plan should cover the other routine and authorized locations, such as work from home, coffee shops, conferences, hotels, and the use of other open-access portals. The goal is not to restrict work to a single location but to allow the needed flexibility while ensuring that sensitive data remains secure.


Assess

  • Assess the current SSP using the DoD self-assessment guide. The SSP is required to address the 110 requirements delineated in NIST 800-171 r2.
  • Determine:
    • Which requirements have been fully completed
    • Which requirements have not been addressed
    • In some cases, which (if any) requirements are not applicable. Complete documentation is required


Score the Assessment

  • Determine the company’s score (110 to -203).
  • A perfect score is 110. As stated in Annex A of the referenced document, the specified points are subtracted from the company’s score when a requirement has not been implemented.
  • For each security requirement, there are three possibilities:
    • 0 – the requirement has been implemented
    • 1, 3 or 5 – as listed in Annex A; the requirement has not been implemented
    • 3 to 5 – items 3.5.3 and 3.13.11, which may be scored with partial credit
    • NA – 3.12.4 (the SSP itself)


Create a POA

  • Identify NIST 800-171 r2 requirements not implemented and for which points were deducted from the total score.
  • Document these items in the company’s Plan of Action (POA), NIST requirement 3.12.2.
  • Determine the resources required to complete or correct the items on the POA&M (budget, technical, purchase, other).
  • Determine a date by which each item will be corrected (for internal use).
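The scoring rules above and the POA&M step that follows them, as an added worked example in Python (this is not code from the Wisconsin Procurement Institute page or from the DoD assessment methodology): start at 110, subtract the Annex A weight for each requirement that is not implemented, allow partial credit only for 3.5.3 and 3.13.11, score 3.12.4 as NA, and list every requirement that cost points as a POA&M item. The sample assessment, its weights and the status vocabulary are constructed for illustration; real weights come from Annex A of the methodology, and the `ssp_in_place` flag reflects that no score can be produced without an SSP.

```python
"""Scoring a DoD Basic Assessment against NIST SP 800-171 r2 (added example).

Rules encoded: start at 110; subtract the Annex A weight (1, 3 or 5) for each
requirement that is not implemented; 3.5.3 and 3.13.11 may take partial credit
(3 off instead of 5); 3.12.4 (the SSP) is NA; every other not-applicable finding
must be documented; without an SSP no score can be produced.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MAX_SCORE = 110              # every requirement implemented
MIN_SCORE = -203             # every weighted requirement unimplemented (110 - 313)
PARTIAL_CREDIT_IDS = {"3.5.3", "3.13.11"}
SSP_ID = "3.12.4"
VALID_STATUS = {"implemented", "partial", "not_implemented", "not_applicable"}


@dataclass(frozen=True)
class Requirement:
    rid: str                 # NIST SP 800-171 r2 identifier, e.g. "3.1.2"
    weight: int              # Annex A value (1, 3 or 5); 0 for the NA item 3.12.4
    status: str              # one of VALID_STATUS
    justification: str = ""  # required when status is "not_applicable"


def deduction(req: Requirement) -> int:
    """Points taken off 110 for a single requirement."""
    if req.status not in VALID_STATUS:
        raise ValueError(f"{req.rid}: unknown status {req.status!r}")
    if req.rid == SSP_ID or req.status == "implemented":
        return 0
    if req.status == "not_applicable":
        # "Complete documentation is required" for every NA finding
        if not req.justification:
            raise ValueError(f"{req.rid}: a not-applicable finding must be documented")
        return 0
    if req.status == "partial":
        if req.rid not in PARTIAL_CREDIT_IDS:
            raise ValueError(f"{req.rid}: partial credit exists only for {sorted(PARTIAL_CREDIT_IDS)}")
        return 3
    if req.weight not in (1, 3, 5):
        raise ValueError(f"{req.rid}: Annex A weight must be 1, 3 or 5, got {req.weight}")
    return req.weight


def basic_assessment_score(reqs: Iterable[Requirement], ssp_in_place: bool = True) -> Optional[int]:
    """Score to record in SPRS, or None when no SSP exists (no score is possible)."""
    if not ssp_in_place:
        return None
    total = MAX_SCORE - sum(deduction(r) for r in reqs)
    if not MIN_SCORE <= total <= MAX_SCORE:
        raise ValueError(f"score {total} outside {MIN_SCORE}..{MAX_SCORE}; check the weights")
    return total


def poam_items(reqs: Iterable[Requirement]) -> List[Tuple[str, int]]:
    """Requirements that cost points: the items the POA&M (3.12.2) has to track."""
    return [(r.rid, deduction(r)) for r in reqs if deduction(r) > 0]


# Constructed sample assessment: a subset of the 110 requirements with
# illustrative weights. In practice every weight comes from Annex A.
SAMPLE = [
    Requirement("3.1.1", 5, "implemented"),
    Requirement("3.1.2", 5, "not_implemented"),
    Requirement("3.1.20", 1, "not_implemented"),
    Requirement("3.5.3", 5, "partial"),     # MFA in place for some accounts, not all
    Requirement("3.13.11", 5, "partial"),   # encryption in use but not FIPS-validated
    Requirement("3.10.6", 1, "not_applicable", "No alternate work sites authorized in this SSP"),
    Requirement(SSP_ID, 0, "implemented"),
]

if __name__ == "__main__":
    print("score:", basic_assessment_score(SAMPLE))   # 110 - (5 + 1 + 3 + 3) = 98
    print("POA&M:", poam_items(SAMPLE))
```

Every item returned by `poam_items` is exactly the set the POA section asks for: requirements not implemented and for which points were deducted. Recording the date each item is expected to close, and re-running the score after each fix, gives the figure to update in SPRS.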


Record

  • Add the cyber role to an existing Supplier Performance Risk System (SPRS) account; if no SPRS account exists, create one and add the cyber role. Smaller businesses will often need to contact Ogden EB for help creating the cyber role.
  • Note: Access to SPRS requires CAM activation.
  • Collect and record the following information:
    • CAGE Code
    • Date the Assessment was completed
    • Assessment Score
    • Type of Plan
    • Name of the Plan
    • Date when a score of 110 is expected to be achieved


Monitor

  • Monitor computers, network devices, and software.


Take Action

  • Flag questionable activity and/or suspicious software.
  • Investigate and take the actions required by DFARS 252.204-7012 paragraphs (c) through (m).
  • Include flow-down clauses as required by DFARS 252.204-7012 paragraph (m).
  • Recognize that these requirements are critical, but they may not be the only safeguarding and handling requirements. Each program and each category of information may have distinct handling requirements.


Report

  • Companies have reporting obligations under both FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, paragraph (b)(1)(xii), and, more formally, under DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, paragraph (c).
  • Under the DFARS requirements a company must:
    • Perform an investigation
    • Preserve and protect images of all known affected information systems – for at least 90 days
    • Preserve all relevant monitoring/packet capture data – for at least 90 days
    • Conduct a review for evidence of compromise of covered defense information, including but not limited to, identifying compromised computers, servers, specific data, and user accounts
    • This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support
    • Rapidly report cyber incidents to DoD at https://dibnet.dod.mil
    • Rapidly report means within 72 hours of discovery of any cyber incident
    • Report submission requires an active Medium Assurance Certificate
  • Contractors (prime and subcontractors) also have an obligation to watch for and report malicious software that may have been used in conjunction with a cyber incident.
  • If malicious software is found, the active component is to be neutralized and the email forwarded to the contracting officer.


Review, Correct and Update

  • Assessments are required at a minimum every three years.
  • The goal is for all DoD contractors who require access to Controlled Unclassified Information (CUI) to have a perfect DoD Basic Assessment score of 110.
  • Progress is not required every week. The expectation is that contractors will diligently work to correct deficiencies, reassess, update their SPRS score and update their POA&M on a routine basis.