DOD Cybersecurity Strategy Expert Shares Best Practices for Department of Defense Contractors
As technology continues to develop and evolve, the threats facing the Department of Defense’s (DoD’s) unclassified information have increased along with it. More services are available online, data is stored in the cloud, and the DoD relies on contractors for information technology services. In response to recent high-profile incidents involving government information, consistent, effective, and clearly communicated information system requirements have become non-negotiable for both government and industry.
Two Types of Information Systems
To understand the impact of compliance requirements, it’s necessary to understand the two types of information systems involved in processing or storing the DoD’s unclassified information. The first is the contractor’s internal information system (owned or operated by, or on behalf of, a contractor). The second is the DoD information system, which includes any DoD-operated system and/or any information system owned by the DoD.
The protection that is required depends on the information that is to be protected and the type of system on which the information is processed or stored.
What protection is required for DoD information processed on a contractor’s internal Information System?
This scenario falls under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (published as a final rule Oct. 21, 2016).
Under this scenario, DoD contractors, including small businesses, are required to:
- Provide adequate security to safeguard defense information
- Quickly report any cyber incidents
- Submit any malicious software connected to a cyber incident to DoD Cyber Crime Center (DC3) in accordance with instructions provided
- Preserve and protect images of affected information systems along with relevant monitoring and packet capture data for a minimum of 90 days
What constitutes adequate cybersecurity for Department of Defense Contractors?
The minimum security standards are outlined in the NIST Special Publication 800-171 covering these 13 areas:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- System and Communication Protection
- System and Information Integrity
For each area, there is a set of security requirements that need to be implemented. Contractors have to notify the DoD CIO of any security requirements that have not been implemented within 30 days of being awarded a contract and can propose equally efficient alternative measures.
How do small businesses handle DoD cybersecurity compliance?
The standards that need to be attained are referenced in the NIST Special Publication 800-53 document. Small businesses can also refer to NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Sections 3.3 to 3.6, which provide a systematic approach to implementing, assessing, and monitoring the controls.
The requirements may seem overwhelming at first, but because they are laid out in a step-by-step manner, the framework can be used to divide the project into smaller, more manageable sections. Small businesses can also claim incurred costs under FAR 31.201-2.
Can contractors, including small businesses, outsource these cybersecurity requirements?
Contractors can use subcontractors to outsource IT requirements, but the contractor remains responsible for ensuring that its business meets the required cybersecurity standards. Because many contractors use cloud computing, it’s important to ensure that any cloud service they integrate meets FedRAMP’s “moderate” security requirements. The cloud service will also need to comply with the incident reporting, media, and malware submission requirements.
About ITS Team Security
ITS Team Security in San Diego, California, specializes in assisting DoD contractors to help them achieve cybersecurity compliance by fulfilling the DoD’s exacting requirements, particularly in terms of cloud computing. With extensive experience in the industry, they are the ideal managed cybersecurity partner to ensure that your business is protected against cybersecurity threats.