The “Run for the Roses” can be lost by a nose: Split-second decisions by jockeys may determine who wins/who loses in the 145th Kentucky Derby (4 May 2019). A “sure bet” is not guaranteed. Oddsmakers take a long view in their decision-making, however. They study records and performance to reduce the risk of betting on the wrong horse (although some will bet on a 50–1 longshot like this year’s contender, Long Range Toddy, based on recent results).
Pursuing government procurement contracts can sometimes feel like a horse race—days spent grooming proposals, the rush to submit, known competitors with unknown pricing/solution strategies—but, as with the Derby, preparation improves your odds of winning. Manufacturers in the defense/aerospace supply chain that accept DFARS 252.204-7012 provisions must be compliant with the NIST 800-171 guidelines—the requirements flow down throughout all tiers. Meanwhile “implied compliance” or “compliance by association”—that optimistic belief that you are compliant if your client who is one or more tiers ahead of you assumes you are compliant—is no substitute for doing the hard work of preparation and remediation, the defensible evidence that reasonable security practices are being exercised by your organization.
Handicapping Your Odds: Training for Changing Procurement Enforcement Patterns and Prioritized Security Guidelines
Enforcement patterns are changing, and clearer guidance about prioritizing control objectives is available. Another 33 enhanced requirements (focused on advanced persistent threats, or APTs) will be added to the current 110 when NIST SP 800-171B is released later this year. A summary of procurement developments shared during a recent Cyber Collaboration Center webinar (https://www.cybercollaborationcenter.org/) follows here:
ENFORCEMENT PATTERN DEVELOPMENTS
Security has been added as the fourth pillar for procurement evaluations, joining cost, schedule, and performance. The Defense Contract Management Agency (DCMA) is empowering its auditing team with additional training and responsibilities, as previously noted in Simply Cyber.
Self-accreditation and trust have not served DoD's expectation that its suppliers protect CUI and CDI effectively. Although DoD has not announced specific timelines for when security plan reviews, assessments, and scoring will occur, it has reserved the right to visit its suppliers and request evidence that security claims are legitimate. Reading through the memos published over the past year makes its procurement track rules clear:
- Secretary of the Navy Spencer Letter (12 March 2019)—Released the Cybersecurity Readiness Review with a data hygiene condition assessment and recommendations for needed policies, processes, and resources.
- Undersecretary of Defense Lord Memo (5 February 2019)—Declared inadequacy of current individual contract approach and charged DCMA with planning for assessment of SSPs and POAMs, developing an evaluation approach for cyber security readiness (with level of confidence), and communicating those confidence and readiness levels.
- Undersecretary of Defense Lord Memo (21 January 2019)—Charged DCMA with reviewing CDI flowdown and prime procedures with respect to Tier 1 suppliers.
- Assistant Secretary of Defense Fahey Memo (17 December 2018)—Noted DoD's lack of leverage over subcontractors and added a SOW clause for access to SSPs and POAMs of primes and their Tier 1 suppliers, and further focused on CDI identification (requirement for a post-award conference to convey CDI marking information).
- Defense Pricing and Contracting (DPC) Guidance (November 2018)—Provided additional pre- and post-award methodology tools for contract auditors and procurement specialists.
CURRENT DOD 800-171 REQUIREMENT RISK LEVELS RATED VERY HIGH RISK (EXTREME AND SEVERE)
Ten of the 110 control objectives (9%) are rated by DoD as addressing very high risks. Mitigating the associated risks requires well-defined system end-user privileges and training, limited remote access for system administration, wireless access controls, auditable and reviewed system activity records, and documentation of CUI/CDI repositories.
| Requirement | Description |
| --- | --- |
| 3.1.1 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). |
| 3.1.2 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute. |
| 3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information. |
| 3.1.16 | Authorize wireless access prior to allowing such connections. |
| 3.1.17 | Protect wireless access using authentication and encryption. |
| 3.2.2 | Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. |
| 3.3.1 | Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. |
| 3.4.1 | Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. |
| 3.4.4 | Analyze the security impact of changes prior to implementation. |
| 3.14.7 | Identify unauthorized use of the information system. |
CURRENT DOD 800-171 REQUIREMENT RISK LEVELS RATED HIGH RISK (HIGH AND SIGNIFICANT)
Fourteen of the 110 control objectives (13%) are rated by DoD as addressing high risks. Implementing these control objectives requires monitoring remote access sessions, managing mobile device use, training users and limiting their system access (e.g., a least privilege policy), changing default system configurations, practicing change control management, exercising an incident response plan/program, protecting passwords, and controlling the use of portable media devices.
| Requirement | Description |
| --- | --- |
| 3.1.12 | Monitor and control remote access sessions. |
| 3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
| 3.1.18 | Control connection of mobile devices. |
| 3.2.1 | Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems. |
| 3.3.9 | Limit management of audit functionality to a subset of privileged users. |
| 3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational information systems. |
| 3.4.3 | Track, review, approve/disapprove, and audit changes to information systems. |
| 3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. |
| 3.5.1 | Identify information system users, processes acting on behalf of users, or devices. |
| 3.5.2 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. |
| 3.5.10 | Store and transmit only cryptographically protected representations of passwords. |
| 3.6.1 | Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. |
| 3.6.3 | Test the organizational incident response capability. |
| 3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner. |
MOST COMMON AREAS OF NONCOMPLIANCE AMONG PRIME CONTRACTORS
Also worth noting are the high-impact areas of noncompliance found in the audit of seven prime contractors. According to General Greaves' February 2018 memo, the following areas were most commonly deficient:
- Access control
- Multi-factor authentication (MFA)
- Password rigor
- System lockout
- Least privilege
- Risk assessment and mitigation
- Removable media
- Third-party activity
- System activity log review
Next Steps and Placing Your Bets: Tip Sheet
Implementing a solid program to integrate the NIST 800-171 control objectives into your manufacturing environment will not guarantee your place in the winner's circle, but it does ensure that a competitor cannot have you disqualified by challenging your claim to security achievements, because you will hold the evidence to back that claim. This is a high-stakes game, after all.
Such an implementation will also give you a solid understanding of what information assets you have, where they are located, who has access to them, how they are being used, and whether they have been compromised. Sometimes it is better to be prepared than lucky. Such knowledge counts as a "quintefecta" in my book!
- Derby Lesson #1: The most exquisite silks or cleverest of names will not bring home the winning purse.
- Derby Lesson #2: You can never win or lose if you don’t run the race.
- Derby Lesson #3: "Luck is what happens when preparation meets opportunity." (Seneca, 1st century C.E.)