Understanding New Cyber and IT-oriented Regulations for Contractors

August 2017

By Karen Schuler and Derrick King

Following widespread cyber attacks like the May WannaCry and more recent Petya ransomware attack that included thousands of ransomware attacks across the globe, protecting against cybersecurity is top of mind in Washington, D.C., and beyond. In efforts to keep sensitive information as secure as possible, government contractors will be held to similar standards to that of the federal government as outlined in The National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171. NIST SP 800-171 provides guidelines for companies to control the security of Controlled Unclassified Information (CUI). This requirement will be imposed government-wide in 2017 via the final Federal Acquisition Regulation (FAR) rule, an expansion of the current Defense Federal Acquisition Regulation Supplement (DFARS) implemented in June 2016—meaning now’s the time to understand how the rule impacts your organization and how you may need to shore up your controls to stay compliant.

NIST SP 800-171 ensures CUI and Department of Defense (DOD) Covered Defense information in non-federal systems and organizations are protected accordingly. CUI is a result of Executive Order 13556, issued on Nov. 4, 2010. The CUI system aims to standardize and simplify how the executive branch of the government handles unclassified information that requires safeguarding or dissemination controls consistent with applicable law, regulations and government-wide policies. There are 22 approved CUI categories covering everything from agriculture to geodetic product information, transportation and everything in between, including documents like drawings and specifications provided by the government.

Both the FAR and DFARS explicitly state that federal contractors must comply with 14 cybersecurity controls to protect their information systems. Of those 14 cybersecurity controls within NIST SP 800-171, seven may be of unique interest to non-federal entities and require additional explanation:
  • Access Control
  • Identification and Authentication
  • Incident Response
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Awareness and Training
According to NIST, there are two classifications of security requirements: basic and derived. The basic security requirements are obtained from Federal Information Processing Standard Publication 200 (FIPS 200), which provides the high-level and fundamental security requirements for federal information and information systems.
The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

Access Control
Basic security requirements for access control include limiting information system access and processes to authorized users or devices. Contractors should limit information system access to the types of transactions and functions that authorized users are allowed to execute.

There are 19 derived security requirements. Examples include encrypting CUI on mobile devices, employing the principle of least privilege—including for specific security functions and auditing the execution of such functions—like limiting unsuccessful login attempts.

Identification and Authentication
For identification and authentication, basic security requirements include identifying information system users and processes acting on behalf of users or devices. Contractors are also required to authenticate, or verify, the identities of those users, processes or devices before allowing access to organizational information systems.
Contractors also are required to enforce a number of derived security requirements, including storing and transmitting only encrypted representations of passwords, preventing reuse of identifiers for a defined period and disabling identifiers after a defined period of inactivity, among others.

Incident Response
Basic and derived security requirements for incident response are minimal. A contractor must establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery and user response activities. Additionally, they are also required to track, document and report incidents to appropriate officials and/or internal and external authorities. Finally, the contractor should test the organizational incident response capability in case of an emergency.

Media Protection
To ensure media protection, contractors are required to physically protect information system media containing CUI. This includes limiting access to CUI on information system media for authorized users and sanitizing or destroying information system media containing CUI before disposal or release for reuse.

Derived security requirements outline, among other things, that a contractor must mark media with necessary CUI markings and distribution limitations, control the use of removable media on information system components, and implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport, unless otherwise protected by alternative physical safeguards.

Personnel Security
While there are no derived security requirements for personnel security, at a basic level, contractors should screen individuals before authorizing access to information systems containing CUI. They should also ensure CUI and information systems containing CUI are protected during and after personnel changes like terminations and transfers.

Physical Protection
According to NIST, basic requirements for physical protection require limiting physical access to organizational information systems, equipment and the respective operating environments to only authorized individuals. Infrastructure for those information systems should be protected, monitored and supported at all times.
Derived security requirements mandate escorting and monitoring visitors, keeping audit logs of physical access, enforcing safeguarding measures for CUI at alternative worksites, and controlling and managing access to physical devices.

Awareness and Training
To ensure proper awareness and training, contractors should confirm all users of organizational information systems are aware of security risks associated with their activities and applicable policies, standards and procedures related to the security of organizational information systems. Contractors should also ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. NIST requirements also mandate that contractors provide security awareness training on recognizing and reporting potential indicators of insider threats.

To make sure you’re prepared for the government-wide implementation of the basic and derived security requirements, begin planning now to ensure compliance. Conduct a gap analysis to understand what needs to be done to meet the requirements and prevent lost business due to non-compliance. There is no one-size-fits-all approach to compliance—make sure your plan reflects your organization’s unique DNA before it’s too late.

Karen Schuler is a partner and National Information Governance Practice Leader and can be reached at kschuler@bdo.com.

Derrick King is a senior manager and can be reached at dking@bdo.com.


Read next article, "In An Uncertain Time, Consider ESOPs"

Return to BDO Knows Government Contracting Newsletter - Summer 2017