Meeting the Adequate Security Requirement
To provide adequate security, the contractor must implement information security that, at a minimum, includes the controls based on the guidance in NIST 800-171. DFARS still allows contractors to self-certify compliance; however, if a contractor suffers a breach and is later found not to have implemented these controls, it could face debarment.
Contractors that do not have all of the NIST controls implemented must submit a written explanation of how 1) the required security control(s) is not applicable, or 2) an alternative control or protective measure is used to achieve equivalent protection. This means every control must be addressed, either through implementation or through a documented explanation of non-applicability (or of the alternative measure used).
DIB ISAC has developed a process for its members: an online tool that explains in detail how to meet the requirements outlined in the 800-171 guidance. The tool also produces documentation for a plan of action to address the deficiencies it identifies. This documentation, including the record of controls in place, can then be supplied to the contracting officer and the prime contractor as verification of the controls implemented for compliance.
The i2ACT-800 is a tool developed by Imprimis specifically for cybersecurity compliance auditing and document control. It contains over two dozen baselines, drawn from 800-53, all DFARS requirements including the newly approved NIST 800-171, FIPS, ICS (800-82), CNSSI No. 1253, and FedRAMP, and supports tailoring or the development of overlays that can be named for individual organizations. The tool contains numerous questions, supplemental guidance, and descriptions of intent and suggested evidence to aid in the assessment process. It has a references section, a risk categorization section, an assessment section, a report section, and a database management section. The document management feature combines all entered and attached information and documents into a single file. The report capability produces the reports needed by contracting officers, prime contractors, and auditors. It also supports team collaboration, with up to 20 people working on a single assessment database at one time, saving significant time for internal teams, service providers, and auditors. Finally, it gives DIB ISAC a consistent, standardized format for verification of compliance.
No group or company has the authority to “certify” compliance. The process we have designed provides a low-cost solution along with the benefits of membership, which gives you access to the cybersecurity expertise needed to assist you in securing your data. The cost of DIB ISAC membership has been standardized at $200 per year. Use of the online tool for DIB ISAC members has been discounted to $400.00 for the 800-171 light tool. Let us help you become more secure, with the tools you need to assure your customer and prime contractor that your company is qualified to bid under 252.204-7012 and related requirements.
Two Main Compliance Components of DFARS 252.204-7012:
• DoD and its contractors and subcontractors must provide adequate security to safeguard DoD controlled technical information that resides on or transits through their unclassified information systems from unauthorized access and disclosure.
• Contractors must report to DoD certain cyber incidents that affect the protected information within 72 hours, to DC3 via DIBNET.
So far, the government has implemented no plans for wide-scale auditing for verification, leaving a need for some other verification method. In some cases, service providers are issuing letters attesting to compliance, but this practice lacks standardization and is highly inconsistent and variable. DoD does not recognize any entity as able to certify or verify compliance. This has led to a litany of cybersecurity firms charging a great deal of money to help companies become compliant. We caution companies in the DIB that paying these large sums does not lead to compliance and in many cases may not be necessary.
Copyright 2014 DIB ISAC.net. All rights reserved. DIB ISAC is a trademark of DIB ISAC.