The cybersecurity threats companies face have increased dramatically as more services move online, more data is stored digitally, and organizations rely on suppliers for a widening range of information technology services. Recent high-profile incidents involving DIB supplier systems that handle Controlled Unclassified Information reinforce the need to communicate security requirements clearly, effectively, and consistently.
The purpose of this section is two-fold. First, it collects material on DoD's current and ongoing efforts, executed in partnership with industry, to improve the DIB's cybersecurity. Specifically, it addresses DoD's effort to ensure that controlled unclassified DoD information residing on or transiting through contractor information systems is safeguarded from cyber incidents. Protecting this DoD information will save warfighter lives. The cyber threat is not going away; we must defend our networks and systems, and the information that resides on them. Cybersecurity is a shared challenge, and we must work together to address it and reduce risk.
Second, it provides content on related efforts by the U.S. Government, other governments, and the private sector aimed at defining and maturing the cyber protections that will best defend information systems against the evolving threats we all face.
Department of Defense Regulations
DoD is issuing an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and the Cybersecurity Maturity Model Certification framework, in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
DFARS Clause 252.204-7012 is required in all contracts except those solely for the acquisition of COTS items. In addition, the Contractor shall include the clause in subcontracts for which performance will involve covered defense information or operationally critical support. This resource provides a listing of policy, regulations, and FAQs for DoD cybersecurity requirements.
Effective June 15, 2016, all contracts awarded by any U.S. federal agency, including DoD, must include Federal Acquisition Regulation (FAR) Clause 52.204-21, which requires immediate implementation of 15 controls (equating to 17 NIST SP 800-171 controls) for basic safeguarding of any internal systems holding non-public "federal contract information" (FCI).
To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base's (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. With its streamlined requirements, CMMC 2.0 simplifies compliance by allowing self-assessment for some requirements, applies priorities for protecting DoD information, and reinforces cooperation between DoD and industry in addressing evolving cyber threats.
Other Regulations
The Export Administration Regulations (EAR) are a set of regulations found at 15 C.F.R. § 730 et seq. They are administered by the Bureau of Industry and Security, which is part of the U.S. Commerce Department.
FISMA was put in place to strengthen information security within federal agencies, NIST, and the OMB (Office of Management and Budget). It requires each agency to implement "policies and procedures to cost-effectively reduce information technology security risks to an acceptable level", recognizing the importance of information security to the economy and national security.
The NASA clause listed here applies to all NASA contractors and subcontractors that process, manage, access, or store unclassified electronic information, including Sensitive But Unclassified (SBU) information, for NASA in support of NASA's missions, programs, projects, and/or institutional requirements.
The Navy Marine Corps Acquisition Regulation Supplement (NMCARS) establishes uniform Department of the Navy (DON) policies and procedures implementing and supplementing the Federal Acquisition Regulation (FAR) and the Defense FAR Supplement (DFARS).
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
The deviation clause requires contractors who are subject to 252.204-7012 to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
The NIST SP 800-171 DoD Assessment Methodology rev 1.2.1, dated June 24, 2020, documents a standard methodology that enables a strategic assessment of a contractor's implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012. Updates made to rev 1.2, dated June 10, 2020: Section 4 was updated to address changes made due to COVID-19, and Annex B was updated to address changes made in the Supplier Performance Risk System (SPRS).
NIST SP 800-171 provides federal agencies with a set of recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when such information is resident in nonfederal systems and organizations. A companion assessment publication provides procedures for assessing the CUI requirements in NIST SP 800-171.
NIST SP 800-172 provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of CUI: (1) when the CUI is resident in a nonfederal system and organization, (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and (3) where there are no specific safeguarding requirements for protecting the CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.
NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53 provides a catalog of security and privacy controls for federal information systems and organizations, and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats, including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional).
A companion publication provides a set of procedures for conducting assessments of the security and privacy controls employed within federal information systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 4. The procedures are customizable and can be easily tailored to give organizations the flexibility to conduct security and privacy control assessments that support organizational risk management processes and align with the organization's stated risk tolerance. Information on building effective security and privacy assessment plans is also provided, along with guidance on analyzing assessment results.
NIST Risk Management Framework
The NIST Risk Management Framework provides a process that integrates security and risk management activities into the system development life cycle.
NIST Cybersecurity Framework
Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
National Aerospace Standard (NAS9933)
The Aerospace Industries Association (AIA) has developed a national aerospace standard (NAS9933) that can supplement DoD requirements to achieve a 'state of security' beyond minimum compliance.