U.S. responds to breaches with new IT security rules
Mandatory cyber security regulations for military contractors' IT system take effect at the end of 2017
The National Institute of Standards and Technology (NIST) released a draft IT security standard in August. Compliance with the new cyber protections is mandatory for prime contractors and their suppliers under the Defense Federal Acquisition Regulation Supplement. DFARS spells out acquisition regulations that DoD program officials and contractors must follow for the procurement of military goods and services.
The deadline for contractor compliance with the new cyber security regulations is the end of 2017. Industry experts doubt there's much chance the deadline would be extended.
The new cyber regulations focus on safeguarding "covered defense information," broadly defined as unclassified information provided to military contractors in connection with a specific procurement. The CDI category covers U.S. export controls, operational security data, so-called "critical information," and "anything marked that requires safeguarding," explained Heather Engel, a former Pentagon official who now serves as executive vice president for risk and compliance at contractor consultant Sera-Brynn.
The cyber regulations also spell out how contractors report a data breach and what steps need to be taken to respond to an attack. "This is big, this is something everybody is going to have to comply with," added security consultant Gerard Brennan.
Provisions of the new DFARS cyber rules also cover the specific privacy controls used to safeguard contract data as well as cloud computing services increasingly used to process and store contractor data.
"Contractors must now fully understand what covered [DoD] information they store, process or transmit in the course of doing business with the Department of Defense and be prepared to provide adequate security using controls" specified under the NIST cyber security guidelines, according to Sera-Brynn, the cyber security consultant. "A company must also be able to detect and respond to incidents."
(The Virginia-based advisor also notes that the cost of compliance is reimbursable under accounting guidelines in federal acquisition regulations.)
The NIST revisions also spell out how military contractors demonstrate compliance with the new cyber security regulations. For example, contractors would be required to formulate a cyber security plan and meet milestones for implementing an action plan.
According to Engel, compliance with the cyber regulations includes four phases: "scoping," or determining where covered defense information "lives," or is stored; development of an "incident response plan"; access controls and other information system protection plans; and auditing and accountability, or identifying who is using information and what are they using it for.
The final step includes identification and authentication steps required for compliance, including security measures such as passwords and tokens.
Meanwhile, the incident response provision requires that contractors report breaches to DoD within 72 hours of discovery. Suppliers also will be required to retain images of affected IT systems for "forensic investigation."
Engel also stressed during a webinar this week that existing penalties for non-compliance with the new cyber regulations are already on the books, including the False Claims Act, contract terminations for default and the risk of being categorized as a "supply chain risk."
She estimated is would take 30 to 60 days to develop an action plan, and another six to nine months to implement a security framework. Her advice? "Start early to ensure you have [enough] time to implement."
Responding to a series of massive breaches of government IT systems, U.S. cyber and acquisition officials are moving to tighten security standards for protecting "controlled unclassified information" that is processed, stored or transmitted on military contractors' IT platforms.