Part 1: New Rules Go Into Effect December 31.
Federal government agencies rely upon external contractors to carry out a wide range of functions. Many contractors have access to sensitive data that could, if compromised, potentially reveal classified information, threaten national security or even put lives at risk. As a result, cybersecurity is a critical and growing concern for both federal agencies and contractors.
The issue has gained greater urgency, as contractors of all sizes must demonstrate compliance with new federal government rules by December 31, 2017.
Understandably, many small business contractors feel overwhelmed. If you don’t comply, your contracts – and, perhaps, your business – are at risk. Yet you may not know where to begin. Common obstacles to compliance include:
- Lack of knowledge of the rules,
- Not knowing how to meet the requirements spelled out in the rules,
- Lack of access to information security resources, and
- Lack of financial resources to implement required safeguards.
Many small businesses do not employ a dedicated information technology employee or consultant. Often, an owner or key employee performs IT functions in addition to their regular duties. And even Fortune 500 companies with vast resources struggle with information security. No wonder small business owners feel overwhelmed!
Still, when you submit an RFP or sign a contract containing one or more information security clauses, you are affirming your ability to comply with the contract. You need to employ as many best practices as possible to show that you have employed good faith due diligence to achieve compliance. As with any compliance program, you must be able to demonstrate that you are doing – or trying to do – the right thing.
This series of blog posts is designed to help small business contractors prepare to meet the December 31 deadline. We’ll break down compliance into bite-size, manageable and affordable chunks that an average small business of a few to up to 50 employees can tackle. Let’s start with the rules.
Federal Information Security Rules
In June 2016, the US Department of Defense, General Services Administration, and National Aeronautics and Space Administration published a new rule entitled “Basic Safeguarding of Contractor Information Systems.” The new requirements supplement DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which imposes several more requirements on covered DoD contractors.
Safeguarding requirements are based on security requirements published in the Department of Commerce National Institute of Standards and Technology’s Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” However, several other overlapping rules and regulations may apply (see box).
These rules and regulations require contractors of all sizes to comply with two key information security requirements:
- Maintain Adequate Security
- Report any Incidents
In the case of defense contracts, within 30 days of contract award, a contractor must notify the DoD Chief Information Officer of any security requirements not implemented at the time of contract award. The contractor can propose alternate, equally effective measures to DoD through the contracting officer.
Where Must You Maintain Adequate Security?
Security requirements affect any system for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information, including:
- Social media
- Cloud storage
- Online accounts
- Mobile devices
- Personal computers
- Corporate networks
- Storage devices
Requirements under NIST (SP) 800-171
Nearly 80 pages in length, NIST Special Publication 800-171 includes 109 items broken into 14 categories. Under these guidelines, the purpose of computer security is to protect an organization’s valuable resources, such as information, hardware, and software. Through the selection and application of appropriate safeguards, security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
The document covers the NIST framework for Improving Critical Infrastructure, details on each of the 14 security requirements, mapping tables and a special section dedicated to acronyms. See below for an outline of each category, with tips for compliance.
1. Access Control: Limit physical access to the building and servers. Limit access to accounts and services to assigned users. Only those who need access should be granted access.
Tip: Review active users on accounts at least annually (best practice involves quarterly or semi-annual review). Look for terminated employees and employees whose duties have changed (they no longer need access to a server, site, folder, file, or account). Revoke their access.
2. Awareness and Training: Provide annual training to all employees on existing policies and procedures. Provide updated training as appropriate for changes in laws, regulations, etc.
Tip: Document the training. Be able to prove due diligence in training your employees to do the right thing.
3. Audit & Accountability: Perform internal and external audits. Have someone outside the company or department review policies against actual practices. Hire an outside firm. Have individual team, department, or project managers review user access to their sites, servers, folders, files, and accounts.
Tip: Document the audit, as well as any remedial training, new policies, or other mitigation strategies that arise as a result of the audit.
4. Configuration Management: Keep track of hardware and software. Know who has possession of equipment and what is installed on each machine. Ensure that users have limited ability to download and install software. Have a defined list of preapproved software. Have a formal process to request and vet new software.
Tip: Perform audits of your system and software. See #3 above.
5. Identification and Authentication: Identify and authenticate any user gaining access to your facility, servers, or accounts. Assign unique logins for each user; do not use shared logins. Use electronic key cards for physical access to facilities and rooms. Authenticate users through some other tool such as a password, PIN, one-time password, or biometrics. Access to server rooms may require a key card and PIN.
Tip: Review access control on a regular basis. See #1 above.
6. Incident Response: Document an incident response process including roles and responsibilities. Incident response should include or be coordinated with your disaster recovery plan. With government contracts and data breaches, there are specific reporting requirements.
Tip: Your response plan must specify how you are notified internally, who you need to notify and how (such as customers and government entities), response times, and public relations outreach.
7. Maintenance: Keep all hardware, software, and firmware updated with the latest patches. Perform routine preventive maintenance such as performing backups and destroying backups that are no longer needed.
Tip: Automate as much as possible. Have a calendar to track needed items. Document all updates.
8. Media Protection: Physically limit access to the media. Limit or prohibit use of removable media or portable storage devices such as thumb drives. Protect backup media the same as live data.
Tip: Enable system/network protocols that identify removable media or portable storage devices.
9. Personnel Security: Screen personnel before providing access. This may be as simple as validating a need-to-know for basic access and as complex as performing background checks on individuals with advanced access or responsibilities.
Tip: Ensure terminated employees are removed from all access and accounts.
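The access review called for in the Access Control tip (#1) and the Personnel Security tip (#9) can be made repeatable with a short reconciliation script. This is an added example, not code from the original post: it assumes an HR roster and per-system account exports in the constructed shapes shown, and flags accounts whose owner is terminated, has changed role, or is not on the roster at all.

```python
# Added example (not from the original post): reconcile per-system account
# exports against the HR roster to find access that should be revoked.
# Both inputs are constructed sample data; loading real CSV exports is assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    reason: str

# Constructed HR roster: employee id -> (employment status, current role)
HR_ROSTER = {
    "e101": ("active", "engineer"),
    "e102": ("terminated", "engineer"),
    "e103": ("active", "sales"),      # transferred from engineering to sales
}

# Constructed account exports: system -> {account: (employee id, role the
# access was originally granted for)}; None means no owner was recorded.
ACCOUNT_EXPORTS = {
    "fileserver": {"alice": ("e101", "engineer"),
                   "bob": ("e102", "engineer"),
                   "carol": ("e103", "engineer")},
    "crm": {"carol": ("e103", "sales"), "svc-backup": (None, "service")},
}

def review_accounts(roster, exports):
    """Return one Finding per account whose access needs action."""
    findings = []
    for system, accounts in sorted(exports.items()):
        for account, (emp_id, granted_role) in sorted(accounts.items()):
            if emp_id is None:
                findings.append(Finding(system, account,
                                        "no owner on roster: confirm still needed"))
                continue
            entry = roster.get(emp_id)
            if entry is None:
                findings.append(Finding(system, account, "owner unknown to HR: revoke"))
            elif entry[0] != "active":
                findings.append(Finding(system, account, "owner terminated: revoke"))
            elif entry[1] != granted_role:
                findings.append(Finding(system, account,
                                        f"role changed {granted_role}->{entry[1]}: re-approve"))
    return findings

if __name__ == "__main__":
    for f in review_accounts(HR_ROSTER, ACCOUNT_EXPORTS):
        print(f"{f.system:<10} {f.account:<12} {f.reason}")
```

Keep the printed report with the review date in your audit file; it is the evidence of due diligence the post asks you to retain.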
10. Physical Protection: Allow only authorized access to systems, equipment, and facilities. Maintain audit logs of physical access (this may be automated with electronic key cards); monitor and escort visitors.
Tip: Implement a visitor policy and process with logs and badges.
11. Risk Assessment: Perform a risk analysis to identify vulnerabilities. If this happened, what would it mean to us, our business, and our reputation? Compare the analysis to existing policies and practices, and then remediate accordingly.
Tip: Perform a risk assessment when acquiring another company, moving locations, adding new technology, or changing providers.
12. Security Assessment: Assess effectiveness of existing controls. Are controls doing what they’re supposed to do? Can someone bypass a control?
Tip: Perform spot checks on controls. These should be unannounced “audits.” See if an unauthorized user can gain access to a facility, server, folder, or file.
13. System and Communications Protection: Whereas other categories protect data in storage, this one protects the flow of data between systems. It also covers boundaries between systems, such as between private and guest networks.
Tip: Deny network communications by default. Permit authorized communication by exception.
14. System and Information Integrity: Monitor activity to detect flaws, irregularities, and malicious code. Perform system and file scans for viruses and malware. Irregularities may include unusual size, volume, or timing of network traffic.
Tip: Install antivirus and malware protection. Perform routine system and file scans.
From Understanding to Compliance
After reading this summary, you should have a general understanding of what the new rules require. Although the topic may still seem overwhelming, our next post will help you get a handle on practical steps you can take to comply by the December 31 deadline. We’ll review information security requirements for individual systems, with a discussion of best practices and affordably priced tools suitable for small business use.
As always, if you have questions about information security or any other aspect of government contract compliance, you can reach me at Robert@LeftBrainPro.com or by calling (614) 556-4415.