Like so many areas of the American political system, federal cyber security regulation is in a period of transition. Some of the change is an effect of the presidential handoff to an administration with a markedly different agenda from the previous one. But an even greater driver has been the failure of some government agencies to protect highly sensitive data.
One of the most substantial security incidents in recent history – the data breach at the Office of Personnel Management – was believed to originate with successful attacks on a third-party federal contractor. In the aftermath of this event and other major cyber events, the Department of Defense (DoD) introduced new requirements for contractors to hold them accountable for implementation of security controls.
A revision to the Defense Federal Acquisition Regulation Supplement (DFARS) that governs DoD procurement practices now requires contractors to meet security standards defined under the NIST Special Publication (SP) 800-171r1 by Dec. 31, 2017.
Initially derived from NIST SP 800-53, the revised SP 800-171r1 contains a total of 109 compliance controls in 14 security control families. Among these, several controls stand out as potential obstacles for DoD contractors. Here are three potentially challenging requirements and how to prepare for them.
- Incident response and reporting: Contractors are required to report any cyber incident that could result in a compromise of an information system. When there is evidence of a potential compromise, the contractor must review the evidence and report its findings to the DoD within 72 hours. Meeting that deadline takes not only a well-defined plan but ongoing, streamlined execution. An experienced security consultant can help develop custom incident response plans or even provide managed security services to deliver advanced, outsourced incident response capabilities.
- Encryption: DFARS compliance will require contractors to encrypt data at rest, using FIPS-validated cryptography and securely managing cryptographic keys. Often, organizations that think they have encrypted their data encounter flaws in their design structure, which can be overcome with the support of third-party experts.
- Continuous monitoring: At first glance, NIST SP 800-171r1 appears not to require continuous monitoring, since no control is defined under that name. However, at least 10 of the controls are clearly tied to the ongoing monitoring and investigation of data. Contractors that overlook the need for monitoring and knowledge management capabilities will therefore struggle to comply with these controls. One option for contractors, particularly those with limited internal security infrastructure, is to outsource monitoring to a specialist in managed security.
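The encryption bullet above names two things at once: encrypting data at rest and managing the keys separately from that data. The design flaw that most often undermines a "we encrypted it" claim is a data key stored next to the records it protects, or a mode with no integrity check. The following Go program is an added example (not Lunarline's code and not from the DFARS or NIST text) of the envelope pattern: each record is sealed with AES-256-GCM under its own data encryption key (DEK), and the DEK is itself wrapped under a key encryption key (KEK) that lives elsewhere. The record identifier is bound in as associated data so a wrapped DEK or ciphertext cannot be silently swapped between records. Function names, the record layout, and the sample plaintext are all constructed for this illustration; whether the module performing the AES-GCM operations is FIPS-validated is a separate question that depends on the cryptographic library actually deployed, not on this pattern.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// storedRecord is what would be written to disk or a database. It carries
// the DEK only in wrapped form; the KEK never touches the data store.
type storedRecord struct {
	WrappedDEK []byte // DEK sealed under the KEK, nonce prepended
	Ciphertext []byte // record sealed under the DEK, nonce prepended
}

// aesGCMSeal encrypts plaintext with a fresh random nonce and authenticates
// both the ciphertext and aad. The nonce is prepended to the output.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// aesGCMOpen reverses aesGCMSeal and fails on any tampering with the
// ciphertext, the nonce, or the associated data.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptRecord generates a per-record DEK, seals the plaintext under it,
// and wraps the DEK under the KEK. recordID is bound as associated data.
func EncryptRecord(kek, plaintext []byte, recordID string) (storedRecord, error) {
	dek := make([]byte, 32) // AES-256 data key, used for this record only
	if _, err := rand.Read(dek); err != nil {
		return storedRecord{}, err
	}
	wrapped, err := aesGCMSeal(kek, dek, []byte("dek:"+recordID))
	if err != nil {
		return storedRecord{}, fmt.Errorf("wrap DEK: %w", err)
	}
	ct, err := aesGCMSeal(dek, plaintext, []byte("rec:"+recordID))
	if err != nil {
		return storedRecord{}, fmt.Errorf("seal record: %w", err)
	}
	return storedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then opens the record.
// A wrong KEK, a swapped record ID, or a modified byte all return an error.
func DecryptRecord(kek []byte, rec storedRecord, recordID string) ([]byte, error) {
	dek, err := aesGCMOpen(kek, rec.WrappedDEK, []byte("dek:"+recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aesGCMOpen(dek, rec.Ciphertext, []byte("rec:"+recordID))
}

func main() {
	// Constructed KEK; in practice this comes from an HSM or KMS, never the data store.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, []byte("constructed CUI record"), "rec-1")
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(kek, rec, "rec-1")
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	_, err = DecryptRecord(kek, rec, "rec-2")
	fmt.Println("swapped record id rejected:", err != nil)
}
```

The point to take from the layout is separation of duties between storage and key custody: a copy of the data store alone yields only wrapped DEKs, and the KEK can be rotated by re-wrapping DEKs without re-encrypting every record.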
While these controls represent only a fraction of the full NIST SP 800-171r1 requirements, they should give you a preview of the kind of work your organization may have coming in the months ahead. Lunarline can help you get where you need to be by Dec. 31, 2017, with support across the board for your security efforts – from managed security to network design and implementation.
To learn about our security programs and how they can help your organization, contact us now.