Draft guidance could spell trouble for contractors not up to speed on cybersecurity

By Justin Doubleday / April 30, 2018

New draft guidance released by the Defense Department last week lays out how contracting officers can use cybersecurity standards in a procurement action, meaning companies who aren't complying with the security controls could soon be deemed too risky for DOD work. 

On April 24, the Defense Federal Acquisition Regulations System released "DOD Guidance for Reviewing System Security Plans and the [National Institute for Standards and Technology Special Publication] 800-171 Security Requirements Not Yet Implemented." Comments are due by May 31. 

According to defense acquisition regulations, DOD contractors must work toward implementing NIST 800-171, a series of 110 security controls contractors can use to protect controlled unclassified information residing in their systems. Unless otherwise specified by the contract, however, companies can demonstrate compliance by documenting their implementation of NIST 800-171 through a system security plan and a "plan of action" for areas where they don't meet the NIST controls. The regime amounts to a self-certification model, Inside Defense reported in March.  

Now, the new guidance provides DOD contracting officers with standard methods for assessing contractors' compliance with the NIST controls as part of an acquisition. The draft guidance, "Assessing the State of a Contractor's Internal Information System in a Procurement Action," provides four overarching objectives the government can use. 

The first objective, which would have the government "evaluate implementation of NIST SP 800-171 at source selection," can be achieved either by requiring implementation of the controls as a condition for competing for the contract, or by assessing the contractor's security controls as a separate technical evaluation factor, according to the document. 

The second objective would "require protections in addition to the security requirements" in the NIST publication and would have the government evaluate the protections at source selection. 

The third objective involves assessing and tracking implementation of the security requirements after contract award, and the draft guidance also allows monitoring of compliance through an "independent government assessment," the document states. 

The fourth and final objective merely details the current requirement, which is that contractors "self-attest" to compliance with implementation of the NIST controls, according to the document. 

The changes will likely be an unwelcome development in some parts of industry, according to Bob Metzger, an attorney and head of the Washington office of Rogers Joseph O’Donnell, which specializes in public procurement matters. 

"It will be seen as an increasing of demands on industry, exposing some in industry to the loss of contract opportunity if their cyber measures are not sufficient, making cyber an evaluation factor for what will be the first time for many contractors," Metzger told Inside Defense. "It also can call for monitoring of cyber measures during performance, and the government can use the system security plan and the plan of actions and milestones to manage contractor performance."

But DOD officials have been signaling their intent to strengthen the cybersecurity of the defense supply chain, especially in recent months, Metzger pointed out. 

"I appreciate for some companies that this will add burden and uncertainty, but by the same token, we have to appreciate that DOD has a bona fide reason to want contractors to do a better job to protect government information in their possession," Metzger said. "With these documents, the government shows that it means business and it's finally putting some teeth behind these expectations."

The outgoing head of U.S. Cyber Command, Adm. Mike Rogers, recently speculated on a role for DOD cyber forces in protecting private contractors from nation-state cyber threats. He has also warned in recent months that the private sector is under attack from states like China and Russia, who are seeking to steal information from the defense supply chain. 

Meanwhile, the heads of U.S. Transportation Command and the Missile Defense Agency both recently said some of their respective contractors don't have adequate cybersecurity, but worried that increasing requirements will turn them off of working with DOD. 

"They're not as stringent as we want them to be," TRANSCOM chief Gen. Darren McDew said at an April 10 Senate Armed Services Committee hearing. "If we push them too fast and too hard, I'm not sure they'll stick with us."

Alan Chvotkin, executive vice president of the Professional Services Council, says every contractor that has to implement the security controls under the draft guidance will be worried. The defense acquisition regulation is a mandatory flow-down clause that affects both prime contractors and their suppliers and subcontractors, excluding only those who provide commercial off-the-shelf items. 

"Large companies because of scale [across their supply chains]," Chvotkin told Inside Defense when asked who will struggle with mandatory implementation. "Commercial companies who have a lot of commercial systems and only touch the government a little bit are going to find it difficult because these are really network controls and while many of them make great sense for cyber health, the level of detail of the application and the implementation from DOD could be a challenge. 

"And then small companies are already telling us they're having challenges. First of all, they don't have the sophistication," he continued. "Secondly, they don't have the resources to build out this whole plan and treat it as a mandate. They're certainly not going to be compensated by the government sufficiently to cover this kind of regulatory mandate."

The second of the draft guidance documents released by DOD last week details how contracting officials can review and score a company's cybersecurity by applying a "DOD value" to each of the controls. 

However, Metzger pointed out the guidance does not derive the NIST priorities and values from the 800-171 publication, but rather from NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems and Organizations."

A NIST Special Publication 800-171A, "Assessing Security Requirements for Controlled Unclassified Information," is in its final draft form and is being published to help organizations meet the requirements of the 800-171 publication. Metzger wondered why DOD did not use the 800-171A publication in the guidance for assessing a company's cybersecurity. 

Moreover, in the second document, about 80 percent of the 110 controls are given the highest priority for implementation based on the NIST document and therefore given the highest DOD value. 

"If essentially everything is the 'highest priority' from a security implementation standpoint and most everything is the 'highest impact' from a 'DOD value' standpoint, what exactly are you getting with this table?" Metzger said. "I don't know."

Such discrepancies may be addressed during the review process, as the draft guidance is sure to receive a lot of scrutiny and comments from contractors and industry associations alike before the May 31 deadline. 

"We've sent this out to our members, and we're working on it," Chvotkin said.