DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires organizations doing business with the Department of Defense to provide “adequate security” for covered defense information that is processed, stored, or transmitted on their internal information systems or networks. To provide adequate security, the organization must, at a minimum, implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than December 31, 2017.
Compliance with NIST SP 800-171 is the organization’s responsibility through self-attestation, which requires demonstrating implementation or planned implementation of the security requirements with a “system security plan” and associated “plans of action.” The System Security Plan (SSP) requires developing and documenting system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. The Plans of Action, also known as the Plan of Actions & Milestones (POAM), document timelines designed to correct deficiencies and reduce or eliminate vulnerabilities in the organization’s systems. Demonstrating compliance with NIST SP 800-171 after December 31, 2017 will require organizations to affirm that they meet the requirements as covered within their SSP. The SSP may need to be referenced in technical proposals.
The Deadline is Here!
Active DOD RFPs are already requiring compliance with NIST SP 800-171. DOD agencies have started acting on this deadline, and a number of active procurements clearly lay out the need to demonstrate compliance with DFARS and NIST SP 800-171. Here are some samples of active procurements and awards with requirements to meet DFARS 252.204-7012 compliance.
SERVICE & CALIBRATION OF LABORATORY EQUIPMENT
Solicitation Number: N4523A18R3003
Agency: Department of the Navy
Office: Naval Sea Systems Command
Location: Puget Sound Naval Shipyard (PSNSY) and IMF
Project Management Services
Solicitation Number: W912NS-17-Q-3007
Agency: Department of the Army
Office: National Guard Bureau
Location: 139 MSG/MSC, MO ANG
Meet DFARS compliance deadlines with AWS East/West or AWS GovCloud
Organizations looking to meet DFARS and NIST SP 800-171 requirements must consider time to compliance, financial investment, and the complexity of the systems involved. Given that the deadline for implementation is December 31, 2017, time to compliance is critical. FedRAMP-accredited cloud services at the Moderate level (based on FIPS 199) or the commensurate DOD IL-4 are viable options and allow organizations to inherit and leverage existing controls. Amazon Web Services (AWS) East/West and GovCloud regions are readily available hosting options. The GSA FedRAMP Program Office and DISA have granted an Authority To Operate (ATO) for both the AWS East/West and AWS GovCloud regions at the FedRAMP Moderate level. This allows organizations to take advantage of an existing certified infrastructure as a service (IaaS) environment. Organizations have the option to consider AWS East/West or AWS GovCloud; if there are ITAR responsibilities, then AWS GovCloud should be considered.
Infrastructure Carve-out for DOD and Government Work
There are multiple strategies to meet DFARS requirements related to NIST SP 800-171 compliance. Many organizations are considering creating separate, dedicated environments just for government and defense-related work. This approach helps reduce the cost and adoption impact, especially if DOD or Government work is just a subsegment of the overall business portfolio. A number of on-demand services and solutions, such as Storage, File Shares, Virtual Desktops, and potentially even Email or Portal services for exchanging information, can be built using AWS.
Architect for Compliance
The process of implementing a compliant architecture begins with reviewing the FedRAMP-approved AWS services. Once the available services are analyzed, a detailed solution architecture blueprint must be created that accommodates the 109 controls required to ensure the solution will meet NIST SP 800-171 requirements. Once the solution is developed, supporting documentation in the form of a System Security Plan (SSP), Plan of Actions & Milestones (POAM), and an IT Contingency Plan (ITCP) should be developed, with evidentiary information describing how each control has been satisfied in the developed solution.
If you are a DOD contractor or sub-contractor and are concerned about DFARS and NIST SP 800-171 compliance, then please send us an email at solutions at stackArmor dot com, or feel free to read some of our blogs below.