The Network Penetration Reporting and Contracting for Cloud Services Rule was the subject of two interim rules published Aug. 26, 2015 (80 FR 51739) and Dec. 30, 2015 (80 FR 81472), before being published as a final rule Oct. 21, 2016 (81 FR 72986) and clarified by DoD through answers to Frequently Asked Questions (FAQs), published Jan. 27, 2017.
The rule requires that contractors “implement NIST SP 800-171, as soon as practical, but not later than Dec. 31, 2017. For all contracts awarded prior to Oct. 1, 2017, the Contractor shall notify the DoD Chief Information Officer, within 30 days of contract award … of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.” DFARS 252.204-7012(b)(2)(ii)(A).
During a recent presentation, we learned that many small subcontractors are worried about their ability to comply with the rule. Here are some tips.
- Consider adopting new policies and procedures to comply with the rule. DoD explained that a small business with limited IT or cybersecurity expertise that was already compliant with the 2013 Safeguarding of Unclassified Controlled Technical Information DFARS clause (and its table of NIST SP 800-53 controls) might meet the requirements of NIST SP 800-171 through policy and process changes or by adjusting the configuration of existing IT. According to DoD, with the exception of the multi-factor authentication requirement (3.5.3), no additional software or hardware is needed. FAQs, Q17. The answer provides examples of how to comply with the rule.
You can also make the following arguments.
- The rule doesn't apply to commercial off-the-shelf items. “The clause is not required for solicitations and contracts solely for the acquisition of COTS [commercial off-the-shelf] items.” FAQs, Q3.
- The rule doesn't apply if the contractor does not process, store or transmit covered defense information (CDI) and the contract does not involve operationally critical support. However, the clause “must be implemented when CDI is processed, stored, or transits through an information system that is owned, or operated by or for, the contractor, or when performance of the contract involves operationally critical support.” FAQs, Q4.
- The rule may not apply to the subcontractor’s work. The clause “flows down to subcontractors … when performance will involve operationally critical support or CDI. The contractor should consult with the contracting officer to determine if the information required for subcontractor performance is covered defense information and if it retains its identity as covered defense information which would require flow-down of the clause. Flow-down is a requirement of the terms of the contract with the Government, which should be enforced by the prime contractor as a result of compliance with these terms. If a subcontractor does not agree to comply with the terms of clause 252.204-7012 then CDI should not be on that subcontractor’s information system.” FAQs, Q5. In other words, if the subcontractor is uncertain whether the clause applies, the subcontractor has to ask the prime contractor to consult with the contracting officer to determine whether the flow-down clause applies.
- You might avoid a NIST SP 800-171 security control if it doesn't apply or if you can show you have an acceptable alternative control or protective measure that will achieve equivalent protection. If a contractor thinks a required security control is not applicable or that an alternative control or protective measure will achieve equivalent protection, the contractor must provide a written explanation in its proposal, which the contracting officer will refer to the DoD chief information officer to adjudicate. FAQs, Q18. In FISMA/FedRAMP auditor-speak, an alternative control must be “appropriate, effective, and fit for purpose.” The basis for judging an alternative acceptable is whether it is equally effective; a requirement is acceptably “not applicable” only if the basis or condition for that requirement is absent. FAQs, Q19.
- You might be able to outsource your compliance obligations by storing the CDI in a FedRAMP-approved cloud. A contractor may use an external cloud storage service provider to store, process or transmit any covered defense information, provided that the contractor requires and ensures “that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements … for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.” DFARS 252.204-7012(b)(2)(ii)(D).
Our friends at Lifeline Data Center, a FedRAMP-approved cloud storage provider, prepared a NIST SP 800-171 Questionnaire to help contractors understand and meet the required security controls. You can also watch our webinar about the rule here.