10 Jun Reality Check: Defense Industry’s Implementation of NIST SP 800-171
Keen insights from certified cybersecurity assessors
Suffolk, Va. – Jun. 10, 2019
As a certified auditor, Sera-Brynn has an inside look at how defense contractors are really doing when it comes to implementing cybersecurity acquisition clauses.
This report analyzes data compiled from two years of compliance assessments to identify areas where defense contractors typically fall short in implementing DFARS 252.204-7012 and the associated NIST 800-171 controls. While it provides a broad overview of industry’s compliance with NIST SP 800-171 from an objective assessor’s viewpoint, the statistics presented here are likely optimistic. Organizations assessed by Sera-Brynn already had concerns about DFARS and sought guidance to ensure compliance.
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 implementation was supposed to be complete in December 2017 for any defense contractor subject to the contract clause. By mandating the implementation of National Institute for Standards and Technology (NIST) SP 800-171 and providing specific requirements for incident response and reporting, DFARS is intended to protect Controlled Unclassified Information, or CUI, and better secure the Department of Defense (DoD) supply chain.
A survey conducted by the National Defense Industrial Association found that less than 60 percent of respondents had read the cybersecurity clause and half of those found it hard to understand. About 45 percent of respondents had not read NIST 800-171 guidelines. In contrast to NDIA’s survey, our analysis was derived from assessments on contractors who were both aware of and motivated to implement the DFARS clause. In general, our findings paint a somewhat rosier picture than the survey, but the overall conclusion is the same: full implementation of NIST 800-171 remains a significant challenge.
NIST 800-171 is a solid cybersecurity baseline for organizations handling sensitive information. However, it has not been well implemented even when required.
Each of our clients has been unique, not only in business type and size, but internal capabilities and leadership support for secure information systems operations. Most often, the IT staff welcomed our findings as they were in agreement with what they already suspected. The security issues rise from the lack of resources (funding/personnel) given to remediate the problems. The DFARS regulation has given IT departments more ammunition to argue for additional security measures within their respective companies, but based on our findings, this has not fully percolated through the Defense Industrial Base.
The DoD has called for structured auditing of controls to begin in 2020. In the meantime, the DoD, in conjunction with its large prime contractors, should ensure that all companies are aware of the requirements and understand the cybersecurity controls of NIST 800-171. The Undersecretary of Defense for Acquisition and Sustainment has directed the Defense Contract Management Agency (DCMA) to begin reviewing prime contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.3 Based on our experience of conducting 800-171 assessments, self-attestations or yes/no surveys are not sufficient to determine compliance with the regulation.
We do believe a high-level, but impactful assessment of compliance could be effectively done today through a review of System Security Plans (SSPs). Requiring SSPs to be audited would almost certainly ensure that the organization is aware of the 800-171 control requirements.
– Heather Engel is Chief Strategy Officer of Sera-Brynn. She has nineteen years of experience in cyber security, with an emphasis on cyber risk management including regulatory compliance, incident response, crisis communications, Continuity of Operations (COOP) planning, development and exercise execution; policy development, and computer network operations.
Sera-Brynn is a global cyber risk management audit and advisory firm. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn’s clients include many of the world’s most admired and recognized brands.