by Heather Engel, Sera-Brynn Chief Strategy Officer
The Assistant Secretary of the Navy recently released a memo imposing additional requirements on select contracts.
For the last three years, Defense contractors have been working (some more diligently than others) to comply with DFARS clause 252.204-7012 that requires implementation of NIST SP 800-171. I’ve written numerous articles on interpretation, enforcement and reporting in the past several years, these can be found here.
Ever since the evolution of information assurance in the DoD space, the Navy has long led the services in developing and enforcing standards and procedures that go above and beyond the DoD standard, and this time is no different.
In a memo dated September 2018 and immediately effective, a Contract Data Requirement List (CDRL) is required for selected current and future contracts. This memo is titled “Implementation of Enhanced Security Controls on Select Defense Industrial Base Partner Networks” and requirements include:
- Delivery and approval of a System Security Plan. This is a change from the current clause which requires the contractor to HAVE a SSP, but does not require delivery or approval by the government.
- Contractors must allow the Government to VALIDATE the information every three years, ad hoc and with no notice
- Program managers will not approve SSPs that have not fully implemented 800-171 including requirements for multi-factor authentication and FIPS 140-2 validated encryption.
- The Contractor must be able to deliver all information related to a cyber breach within 15 days of an incident
- CUI must be physically or logically separated from contractor-owned information
- Additional requirements from NIST SP 800-53 including encryption at rest
- Contractors must agree to allow NCIS to install sensors on contractor-owned systems if threat intelligence warrants
Government program officers have 30 days (until October 28, 2018) to provide a list of current contracts and upcoming efforts that will be subject to the CDRL.
What does this mean for you?
If you have Navy contracts, it’s time to revisit the work you’ve done to comply with the DFARS clause. If you’ve been slacking on completing POAM items, get going on your implementation and updates!
If you do not employ technical staff with incident response and forensic capability, find a forensic partner.
Remember there are recurring requirements for vulnerability scanning, risk assessments, and training. How often should have been defined in your SSP, and if you are outside the window, schedule time to bring them up to date.
How We Can Help
Just have a few questions or moderate assistance? We offer affordable consulting packages in minimal hour blocks. Need to full gamut of risk assessment and documentation development? Our service offering is deliverables based to assist with cost recovery. Want to do it yourself? We developed Carver to make our analysts more efficient and now subscriptions are available on a limited basis. Need to know who to call if you suspect a breach? Sera-Brynn offers a subscription service for IR and forensics.
I spent many years supporting the DoD and Navy information assurance efforts, and the best way to prepare is to show continued progress. Sera-Brynn has tools, resources, and a team that is world-renowned for our work in this space. Schedule a consult with us and we’ll help you figure out the best path for your business.
Heather Engel has over 17 years of experience in risk management, information assurance, business continuity planning, and security program development. Prior to Sera-Brynn, she assisted government agencies and the Department of Defense in securing advanced information systems and coordinating cyber warfare exercises. Engel also serves as Sera-Brynn’s corporate spokesperson.
She is a Certified Information Systems Security Professional, a Payment Card Industry Qualified Security Assessor, and a Fully Qualified Navy Validator. Ms. Engel holds a Bachelor of Arts from the Pennsylvania State University and an MBA from Florida Institute of Technology. She is a 2015 Inside Business Women in Business Honoree and was appointed by former Virginia Governor Terry McAuliffe to the board of the Virginia Economic Development Partnership.