Department of Defense Further Clarifies Its Defense Federal Acquisition Regulation Supplement Cybersecurity Requirements
On January 27, 2017, the Department of Defense (DoD) issued an updated Frequently Asked Questions (FAQ) document regarding the application and requirements of DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Though questions remain regarding various nuances of the rule, the FAQ is a helpful document for those contractors still working on implementation of DFARS 252.204-7012. Divided into three sections, (1) General Application, (2) Security Requirements, and (3) Cloud Computing, the FAQ answers 59 commonly asked questions and provides greater clarity on a number of important points, which are discussed in greater detail below.
How do you handle contracts with conflicting security requirements: Because DoD has issued multiple versions of this rule over the last several years, some imposing different security standards, a contractor may hold contracts that carry different and conflicting security requirements. The FAQ acknowledges this reality and informs contractors that DoD has instructed its contracting officers to work through these issues with contractors, with the goal of consistent implementation of the most recent version of the rule. Contractors with older versions of the rule in their contracts are therefore well advised to engage their contracting officers and seek a modification that replaces the outdated security requirements.
What is the application to commercial item contracts: The FAQ clarifies that DFARS 252.204-7012 is not required in solicitations and contracts where the only items being procured are commercial-off-the-shelf (COTS) items. However, the clause is required in all other solicitations and contracts where covered defense information (CDI) is involved, including acquisitions of commercial items that involve CDI. What remains unclear is whether the clause must be flowed down to a subcontractor when the prime contract is not solely for COTS items but the subcontract is.
How does DFARS 252.204-7012 interact with the NARA CUI Rule: In September 2016, the National Archives and Records Administration (NARA) issued a final rule regarding the protection of controlled unclassified information (CUI). The FAQ notes that the NARA Rule is consistent with DFARS 252.204-7012, as CDI falls under the NARA Rule's definition of CUI: it is unclassified information that requires safeguarding or dissemination controls pursuant to laws and regulations. Furthermore, both the NARA Rule and DFARS 252.204-7012 establish National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP 800-171) as the minimum security standard for protecting CUI and CDI, respectively. Thus, the two rules are not in conflict. Still to come, however, is a final FAR rule that would extend SP 800-171 to civilian agency contracts.
What are the different security standards for contractor internal systems and DoD information systems: The protections required for Government information depend on the type of information being protected and the type of system on which the information is processed or stored. Thus, different information is subject to different protections depending on whether it is housed on contractor or DoD systems. A breakdown of these divisions is captured in the diagram below, which is included in the FAQ.
What are the requirements for multifactor authentication: The primary difference between the security requirements imposed by earlier versions of DFARS 252.204-7012 and the current version is the addition of multifactor authentication as a minimum security standard. The FAQ clarifies that multifactor authentication requires two or more distinct factors drawn from the following three categories: (1) something you know (e.g., a password or PIN); (2) something you have (e.g., a One-Time Password generating device such as a fob, a smart card, or a mobile app on a smartphone); and (3) something you are (e.g., a biometric such as a fingerprint or iris). The FAQ further notes that the physical location of an individual does not fall under any of these three categories. Accordingly, presence within a secure facility cannot be used as a substitute for one of the factors under multifactor authentication.
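The following is an added example, not code from the DoD FAQ or from DFARS, showing how an authentication decision can enforce the FAQ's definition: the decision is made on the number of distinct factor categories that succeed, not on the number of checks passed. It implements two verifiers for real, a PBKDF2 password check (something you know) and an RFC 6238 TOTP check (something you have); a security question is a second knowledge check and adds no new category, and an "on_site" flag is accepted as input but never counts because location is not a factor. No biometric (something you are) verifier is included. The user record, the salt and the security answer are constructed sample data; the TOTP seed is the RFC 6238 test-vector seed, so the expected codes are publicly known.

```python
"""Factor-category check for multifactor authentication (added example).

Assumptions: a single global salt and a fixed user record are used for
brevity; a real system would store per-user salts and keep the TOTP seed in
protected storage.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

STEP = 30            # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6           # TOTP code length
PBKDF2_ITERS = 100_000
SALT = b"constructed-salt-not-for-production"   # constructed sample salt


def pbkdf2(secret: str) -> bytes:
    """Hash a knowledge secret (password or security answer) for storage/compare."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), SALT, PBKDF2_ITERS)


# Constructed user record: hashed knowledge secrets plus a shared TOTP seed.
USER = {
    "password_hash": pbkdf2("correct horse battery staple"),
    "security_answer_hash": pbkdf2("rosebud"),
    "totp_secret": b"12345678901234567890",   # RFC 6238 Appendix B test seed
}


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s step counter, 6 digits. `at` is Unix time."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_knowledge(stored_hash: bytes, candidate: str) -> bool:
    """Constant-time comparison of a presented secret against its stored hash."""
    return hmac.compare_digest(pbkdf2(candidate), stored_hash)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift."""
    if not (len(code) == DIGITS and code.isascii() and code.isdigit()):
        return False
    return any(
        hmac.compare_digest(totp(secret, at + d * STEP), code)
        for d in range(-window, window + 1)
    )


def authenticate(presented: Dict[str, str], at: int) -> Tuple[bool, List[str]]:
    """Return (is_multifactor, sorted list of factor categories satisfied).

    `presented` maps an authenticator name to what the user supplied, e.g.
    {"password": "...", "totp": "123456", "on_site": "yes"}. Each verifier
    that succeeds adds its *category*; the decision counts distinct categories.
    """
    satisfied = set()
    if verify_knowledge(USER["password_hash"], presented.get("password", "")):
        satisfied.add("knowledge")
    if verify_knowledge(USER["security_answer_hash"], presented.get("security_answer", "")):
        satisfied.add("knowledge")          # same category as the password: no new factor
    if verify_totp(USER["totp_secret"], presented.get("totp", ""), at):
        satisfied.add("possession")
    # "on_site" / "trusted_network" keys are deliberately ignored: location is
    # not one of the three categories, so presence in a facility replaces nothing.
    return len(satisfied) >= 2, sorted(satisfied)


if __name__ == "__main__":
    now = 1234567890                        # fixed time so the TOTP code is reproducible
    pw = "correct horse battery staple"
    code = totp(USER["totp_secret"], now)   # "005924" for the RFC test seed
    print(authenticate({"password": pw, "totp": code}, now))               # (True, ['knowledge', 'possession'])
    print(authenticate({"password": pw, "security_answer": "rosebud"}, now))  # (False, ['knowledge'])
    print(authenticate({"password": pw, "on_site": "yes"}, now))           # (False, ['knowledge'])
```

The point of the design is that the verifiers never vote directly on the outcome: they only report which category they prove, and the policy decision is made once, on the set of categories. That is what stops a password plus a security question, or a password plus a badge-controlled door, from being accepted as "multifactor".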
How should contractors handle CDI on smartphones and tablets: The FAQ provides three points of clarification on this issue. First, multifactor authentication is not required to unlock the smartphone or tablet itself, regardless of whether CDI is stored on the device or the device is merely used to access systems containing CDI. Second, when CDI is stored on the device, that information must be encrypted, separating it from the other information on the device. Third, when the device is used to access an information system containing CDI, that information system must be protected by multifactor authentication, which may be entered through the device.
What security requirements apply when using the cloud to process or store CDI: The FAQ clarifies that there are three potential security standards that may apply when a contractor uses a cloud solution to either process or store CDI.
First, the DoD Cloud Computing Security Requirements Guide (SRG) applies when (a) a cloud solution is being used to process data on DoD's behalf, (b) DoD is contracting directly with a cloud service provider (CSP) to host or process data in the cloud, or (c) a cloud solution is being used for processing that DoD normally conducts itself but has outsourced.
Second, NIST SP 800-171 applies when a contractor uses an internal cloud, operated as part of its own enterprise network rather than by a third-party CSP, to process data while performing under a DoD contract requirement (e.g., a contractor designing a new aircraft for DoD and using its internal cloud for the engineering design work).
Third, security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline apply when a contractor intends to use an external CSP to store, process or transmit any covered defense information for the contract. Contractors must also confirm that the CSP complies with requirements in DFARS 252.204-7012 for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
When does DFARS 252.204-7012 flow down to a CSP: A contractor is required to flow down DFARS 252.204-7012 in its entirety only when the CSP is a subcontractor for the specific contract and will be handling CDI. However, where the CSP is not a subcontractor but the contractor nonetheless gives it access to CDI, the contractor must ensure that the CSP meets security requirements equivalent to the FedRAMP Moderate baseline.