DFARS 252.204-7012, NIST 800-171 and Continuous Monitoring

By Heather Engel, Sera-Brynn, Executive Vice President

This article is the fourth in a series.

One of Sun Tzu’s more famous quotes from his book, “The Art of War,” is this: “The supreme art of war is to subdue the enemy without fighting.”

Although the cagey, ancient Chinese general could not have imagined a future of hackers, data breaches and cyber warfare, his words still resonate in cybersecurity, especially when it comes to protecting data.

For Department of Defense (DoD) contractors and subcontractors working to comply with federal regulations, continuous monitoring is the cybersecurity equivalent of subduing the enemy without fighting: finding and stopping a compromise before it turns into a reportable incident.

Background on DFARS

As reviewed in Parts I, II and III of this series, government contractors and subcontractors must comply with the Federal Acquisition Regulation (FAR). If you do business with the DoD, you must also comply with Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, which requires you to safeguard controlled unclassified information (CUI) and to report cyber incidents to the DoD through the Defense Industrial Base (DIB) portal (dibnet.dod.mil).

NIST requirements

The National Institute of Standards and Technology (NIST), a federal agency that works with industry to develop and apply technology, measurements and standards, has specific requirements for systems that are not operated on behalf of the government: the systems contractors and subcontractors use to develop a product or service. Those requirements are set out in NIST SP 800-171, which covers protecting controlled unclassified information (CUI) in nonfederal information systems and organizations, and continuous monitoring is part of its security assessment requirement.

While NIST 800-171 does not have a specific control tied to “continuous monitoring” as 800-53 does, 10 separate controls reference and require the organization to “monitor” something specific. One example is the requirement to monitor the “information system including inbound and outbound communications traffic to detect attacks and indicators of potential compromise.”

Three controls in 800-171 map directly to the 800-53 control that requires continuous monitoring (CA-7). You can be compliant without a dedicated tool or system for monitoring, but you must then be able to show, through policy and standard operating procedures, how the monitoring is actually performed. Handling these requirements manually may increase risk and lengthen the time it takes to detect the anomalies that indicate a compromise, so be prepared to adjust your risk tolerance accordingly.

The Outlook

Paramount in all of this is remembering that by December 2017, companies and organizations doing business with the DoD must show full compliance with DFARS. If you haven’t already, we strongly recommend starting the process now and budgeting for technology improvements so that changes that enhance security maturity can be phased in.

If you have questions, feel free to reach out to us. We can help with strategic planning and long-term risk management of your DoD contracts as well as compliance with NIST requirements.

About Heather Engel

Heather Engel is a Fully Qualified Navy Validator, a designation that requires advanced certifications in Information Assurance; a minimum of five years performing Certification and Accreditation on Navy systems; additional training in systems management, systems certification and risk analysis; and demonstrated knowledge of Navy IA policies and the responsibilities of a Navy Validator. Engel provides risk management and business intelligence to Sera-Brynn clients across a wide variety of industries, drawing on more than 15 years of experience in risk and compliance system integration, disaster recovery, security policy, and security testing and evaluation.