By David Rossell on Oct 26, 2018

Cybersecurity for Defense Contractors: Tough Love!

On October 18th I attended a day-long workshop on the Department of Defense’s standards for information security. It was a great session, and if I had to summarize the event in one phrase it would be: tough love.

The CUI (Controlled Unclassified Information) Security Requirements Workshop was organized by the National Institute of Standards and Technology (NIST). The conference brought together experts from NIST, the Department of Defense (DOD), and the National Archives and Records Administration (NARA).

While there were no surprises, there were important messages for small to mid-sized businesses (SMBs) working with the federal government.

In short, they’re willing and eager to help SMBs understand the requirements, but they’re done with excuses.

Here are what I feel are the most important takeaways:

The Defense Department Doesn't Care if You're Small

I got the distinct impression that the DOD is fed up with poor security in the private sector undermining its efforts to defend the country.

Adversaries are stealing fighter jet data and submarine technology from contractors. Data breaches at healthcare providers or even dating services can be combined with the 2015 OPM data theft to blackmail targets who hold access to desirable intelligence.

“It’s irrelevant how big the company is,” said one presenter. “If you’re providing critical services to the DOD, you have to do whatever it takes to protect that data.”

More than one speaker emphasized that SMBs cannot hide behind safeguards being too expensive to implement for their organizations.

Do what it takes to protect critical data, or risk a non-performance finding on your contract.

Create Real Security Plans and Be Involved in the Process

Downloading a template from the Internet or using a cookie-cutter plan provided by a security vendor will not meet the requirements in NIST 800-171 R1.

If you’re receiving help from security experts, that’s fine, but the resulting plans need to be truly your own and should be created in collaboration with the provider.

One presenter reported that some companies are being offered plans and templates that emphasize a security firm’s own services, not necessarily what’s required for 800-171 R1 alignment.

Take ownership of the process and use the plan creation exercise as a time to (re)familiarize yourself with 800-171’s requirements.

Continuous Improvement is NOT Optional

The DOD expects you to revisit your plans annually, take what you’ve learned or how you’ve changed over the course of the year, and revise your plans as appropriate.

Don’t put yourself in the position of having a plan that lists responsible staff who left your company three years ago!

Take the time to validate your compliance. If you assert that you retain logs from a given system, it’s important to verify that you really do have those in hand.

How much verification will be required, and how stringent does it need to be? That depends on the data you are safeguarding. The more critical the data, the more thorough your validation needs to be.
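The log-retention check above is the kind of assertion that is easy to write into a plan and easy to let drift. The script below is an added illustration of validating one such claim against what is actually on disk; it is not code from the original post or from the NIST workshop. The assertion format (system name, log directory, retention days), the dated file-naming scheme, and the sample directory it builds are all assumptions chosen for the example.

```python
"""Check System Security Plan log-retention assertions against files on disk.

Added illustration, not from the original post. The SSP assertion format,
the 'name.log-YYYY-MM-DD' rotation scheme and the sample layout are assumed.
"""
import os
import re
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Assumed rotation scheme: the date a log file covers appears in its name.
DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2})")


def dated_files(log_dir):
    """Map each date found in a file name to its path within log_dir."""
    found = {}
    for name in os.listdir(log_dir):
        m = DATE_RE.search(name)
        if m:
            found[date.fromisoformat(m.group(1))] = os.path.join(log_dir, name)
    return found


def check_assertion(log_dir, retention_days, today):
    """Validate one 'we retain N days of logs for this system' claim.

    Returns (ok, missing_days): ok is True only if every day in the window
    [today - N + 1, today] has a log file present. A directory that does not
    exist at all is treated as a full gap rather than an error.
    """
    present = dated_files(log_dir) if os.path.isdir(log_dir) else {}
    window = [today - timedelta(days=d) for d in range(retention_days)]
    missing = [day for day in window if day not in present]
    return (not missing, missing)


def audit(assertions, today):
    """Run every (system, log_dir, retention_days) assertion from the plan."""
    return {system: check_assertion(log_dir, days, today)
            for system, log_dir, days in assertions}


def build_sample(root, today):
    """Constructed sample data: full coverage, a two-day gap, and a system
    whose log directory was never created (e.g. a decommissioned host the
    plan still lists)."""
    vpn = Path(root, "vpn")
    vpn.mkdir()
    for d in range(7):
        (vpn / f"vpn.log-{today - timedelta(days=d)}").touch()

    fileserver = Path(root, "fileserver")
    fileserver.mkdir()
    for d in range(7):
        if d not in (2, 3):  # rotation silently failed on two days
            (fileserver / f"smb.log-{today - timedelta(days=d)}").touch()

    return [
        ("vpn", str(vpn), 7),
        ("fileserver", str(fileserver), 7),
        ("badge-reader", str(Path(root, "badge")), 7),  # directory absent
    ]


def run_sample():
    """Build the sample, audit it and return the per-system results."""
    today = date(2018, 10, 26)
    root = tempfile.mkdtemp()
    results = audit(build_sample(root, today), today)
    for system, (ok, missing) in results.items():
        status = "OK" if ok else f"MISSING {len(missing)} day(s): " + \
            ", ".join(str(m) for m in sorted(missing))
        print(f"{system:14s} {status}")
    return results


if __name__ == "__main__":
    run_sample()
```

Each failed assertion is a line item for the annual plan review: either the retention claim is wrong, the collection is broken, or the system no longer exists and should be removed from the plan. Extending the check to verify that each file is non-empty, or that a remote collector also holds a copy, follows the same pattern.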

You Need to be ALL IN for 800-171 R1

“Requirements in 800-171 aren’t weighted. The expectation is that you will comply with all of them.” 

The System Security Plan Is the Core of Your Efforts

Over and over again, presenters returned to the idea that a comprehensive system security plan (SSP) should form the core of any DFARS 252.204-7012 cybersecurity effort. I’ll provide some advice on creating your own plan in a future post, so stay tuned.

800-171 May Not Just Be for Defense Contractors Much Longer

The Federal Acquisition Regulation (FAR), which governs civilian federal procurement, may also adopt the standards in 800-171 Revision 1. If you do business with the federal government in any form, you may want to start reviewing your security standards now and evaluating how they align.

If you have any questions or would like to discuss this further, don't hesitate to reach out to us and we'll be happy to help.