Simply Cyber (vol 13): The Reqs They Are A-Changing

Come gather ’round people
Wherever you roam
And admit that the waters
Around you have grown
And accept it that soon
You’ll be drenched to the bone.
If your time to you
Is worth savin’
Then you better start swimmin’
Or you’ll sink like a stone
For the times [reqs] they are a-changin’.[i]

Bob Dylan may not have had a lyrical voice, but he had critical vision (that led to his Golden Globe, Academy, and 10 Grammy Awards, as well as a Nobel Prize). Unlike the entertainment industry, the award season for government contracts is year-round. How can your company better position itself for success as product or service provider in the federal government supply chain?

Navigating the competitive shoals of government contracting has always been tricky—and unqualified agreement to the cyber security provisions contained in the DoD Federal Acquisition Regulations System DFARS is becoming an optimistic gamble that contract fulfillment will go smoothly and no audit will follow. In the words of Clint Eastwood cum Dirty Harry: “You’ve got to ask yourself one question: ‘Do I feel lucky?’”

Recent activity indicates an attitudinal shift in governmental tolerance of failure to address and provide operational evidence for DFARS 252.204-7012 compliance, which was required by 31 December 2017. Enforcement activities have been announced or implemented: in recent statements from the DoD Undersecretary for Acquisition and Sustainment (21 January 2019) and the DoD Deputy Secretary (19 September 2018); provisions from the FY19 National Defense Authorization Act on defense industrial base (DIB) manufacturing activity (signed by President Trump on 13 August 2018); guidance in the MITRE Corporation report, Deliver Uncompromised (13 August 2018); and the Defense Contract Management Agency (DCMA) auditor training initiative through the Defense Acquisition University (DAU). Evidence for the shift to an enforcement mentality on the part of the federal government include the following clarifications:

The example given at the January DAU cyber security boot camp training illustrated the problem with “feeling lucky” as a cyber security strategy. A Tier 1 supplier was visited by DCMA auditor who asked a company representative to see the company’s system security plan (SSP). The response—“What’s an SSP?”—was unfortunate, at best. Rather than file a contract action report (CAR) against the Tier 1, however, the CAR was filed against the prime for failing to validate supplier claims to NIST 800-171 compliance. Not a recommended way to make friends and influence people with your prime contractor client!

Rather than consulting your company’s horoscope to check how its stars are aligned, the more risk-averse question to guide decision making is: “How can my company be more competitive?”

Deputy Secretary of Defense Patrick M. Shanahan announced in September 2018 that cyber security would be the fourth critical measurement for reviewing government vendor qualifications by saying, “We’ve got quality, cost, schedule, but security is one of those measures that we need to hold people accountable for.” DFARS-type requirements will also be rolled into FARS (non-defense) government procurement requirements as well. Cyber security requirements are not going away and are being incorporated into government solicitations at the state and even local level. As an example, a January 2019 request for bid (RFB) from the County of Los Angeles for video production services related to health care systems includes cyber security requirements that effectively mirror those in DFARS 7012—and also allow for security audit reviews by County officials. The Automotive Industry Action Group (AIAG) has also adopted supply chain security guidelines that align closely with NIST 800-171.

Maintaining—and honing—your company’s competitive edge requires a balance of compliance with requirements and innovation. A robust cyber security program can promote both. MITRE’s Deliver Uncompromised observed that “Risk-based security should be viewed as a profit center for the capture of new business rather than a ‘loss’ or an expense harmful to the bottom line.”

Manufacturers that implement a system security plan (SSP), plan of action and milestones (POAM), incident response plan (IRP), and employee training/awareness program will be able to compete. Importantly, they will also protect their hard-earned investment in intellectual property (IP).

Nation states are perpetrating repeated, serious compromis of intellectual property that introduce national security risk: an estimated $600B per year in unauthorized “sharing” of US-developed innovative practices, technologies, and products. Innovation has been one of the hallmarks of US manufacturing. It deserves protection.

The revised NIST 800-171 guidelines are scheduled for release in March 2019. Please check back for more details about those changing requirements as well as specifics on the NIST Risk Management Framework 2.0.

. . . For he that gets hurt
Will be he who has stalled
For the times [reqs] they are a-changin’.[ii]

[i] The Times They Are A-Changin’ (Witmark Demo – 1963) lyrics © Audiam, Inc.

BACKGROUND NOTES

Unresolved items between DoD OIG and MDA with respect to financial penalties to primes that are not sufficiently diligent with respect to cyber security practices, specifically, NIST RMF guidelines (from the December OIG report dated 9 January 2019—and seriously redacted):

The DoD OIG made multiple recommendations, including that the MDA Director for Acquisition include penalty clauses in awarded contracts to levy monetary sanctions on contractors that failed to implement physical and logical controls for protecting classified and unclassified ballistic missile defense system technical information. The MDA Director, responding for the MDA Director for Acquisition, disagreed, stating that the MDA would not focus on punishing contractors financially but on strengthening network protections and business practices for improving information protection. The Director stated that a “liquidated damages” clause would be more appropriate than imposing fines for noncompliant contractors, which he stated would be counterproductive to the MDA’s goal of protecting unclassified controlled technical information. However, the Director stated that the MDA was working with contractors to ensure that preliminary controls were in place to protect ballistic missile defense system technical information and that the MDA would continue to assess when and how to use penalty clauses, award fees, and incentive fees as a way to encourage future compliance with DoD policy. The DoD OIG stated that the comments from the MDA Director did not address the specifics of the recommendation. The DoD OIG considered all six recommendations to the report unresolved (p. 32 of 56; https://media.defense.gov/2019/Jan/11/2002078551/-1/-1/1/DODIG-2019-044.PDF)

As of September 30, 2018, we identified that the DoD needs to take action to close 266 open DoD cybersecurity-related recommendations—255 unclassified and 11 classified—from reports dating as far back as 2008. For example, the NAVAUDSVC had two recommendations that remain open for 10 years.24 The AFAA had two recommendations that remained open for over 8 years—one from a 2009 report and one from a 2010 report.25 The GAO and the DoD OIG each had recommendations dating back to reports issued in 2012. The figure shows the age of all open cybersecurity-related recommendations by fiscal year of report issuance.

AppendixesDODIG-2019-044 │ 3511.Report No. DODIG-2018-094, “Logical and Physical Access Controls at Missile Defense Agency Contractor Locations,” March 29, 2018

SEE PAGES 46 AND BEYOND FOR USEFUL MATRICES

BACKGROUND NOTES

AppendixesDODIG-2019-044 │ 3511.Report No. DODIG-2018-094, “Logical and Physical Access Controls at Missile Defense Agency Contractor Locations,” March 29, 2018

SEE PAGES 46 AND BEYOND FOR USEFUL MATRICES