The Department of Defense is launching an acquisitions and procurement model that specifically targets supply chain security and is bringing in third-party auditors to promote enforcement. The draft version of NIST 800-171 Rev 2 (the promised next iteration of the DFARS 7012 clause enforcement effort) was released for comment on 19 June 2019. A companion piece, NIST SP 800-171B, which includes 32 recommended tools to address advanced persistent threats (APTs), was also released. APT threats often come from nation-state or similar bad actors that have the resources to gain entry into an information system and quietly collect information or access privileges over a longer period of time, even years after the initial breach. The particular concern with these more sophisticated threats is that higher-level information, including intellectual property and national security information, is generally at risk.
With the second revision, DoD will take more direct action to validate and evaluate the cybersecurity condition of its supply chain beyond the prime contractor level. The three pillars of procurement (cost, performance, and schedule) will remain the factors by which competing proposals are evaluated. In order to qualify for competition (basically, in order to be considered at all), proposers will first be evaluated on, and certified according to, their level of cybersecurity maturity. The five maturity levels are described in the DoD’s Cybersecurity Maturity Model (CMM). In order to compete on a given DoD solicitation, proposers must hold a certification level equal to or greater than the one identified in the solicitation (Sections L and M).
The DOD 5000 acquisitions document is currently scheduled for release in July 2019, with Sections L and M significantly updated to define cybersecurity items. The timeline is aggressive: September 2020 is the target date for vendors, and meeting the required security level contained in a DoD solicitation will be the basis for a go/no-go decision on further consideration. Companies that have been proactive about working through the current NIST 800-171 guidelines to develop their plan of action and milestones (POAM) will have an edge over competitors who are still pondering whether to board the NIST 800-171 train.
How will I pay for this?
The DoD relies on the diversity, resiliency, and security of its industrial base. The size of that base has eroded over the past decade, however, and multiple cyber breaches point to the need for DoD to invest in its supply chain’s security efforts. In some cases, and likely depending on the contracting vehicle structure (e.g., time and materials, cost-plus), costs related to cybersecurity improvement will be allowable by DoD. Additional details will be forthcoming at the series of information sessions being planned this summer for 12 US cities. According to DoD’s Katie Arrington (staffer to Kevin Fahey, Assistant Secretary of Defense for Acquisition, Office of the Under Secretary of Defense for Acquisition and Sustainment), the CMM Certification program will use “third-party cybersecurity certifiers and a semi-automated tool to conduct audits, collect metrics, inform risk mitigation for the entire supply chain.”
©2019 Manufacturer’s Edge