The Fundamentals of Completing the NIST Basic Assessment

Companies doing business with the Department of Defense are required to protect government information. The Defense Federal Acquisition Regulation Supplement (DFARS) clauses apply to prime and subcontractors and describe expectations for the handling of Controlled Unclassified Information (CUI) in non-federal systems in compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2. 

At the core of this process you will be required to conduct a self-assessment against the NIST 800-171 framework. It is common for businesses to wonder how to go about this process, and further wonder just what all of this incoming information means! 

Alluvionic has you covered. In this blog, we will start with the basics of completing the NIST assessment, and then drill down into some of the most commonly “non-compliant” controls in your organization, to give you context of what you need to do to meet the requirements.

The Basics of NIST

DFARS is a set of regulations designed to ensure defense contractors maintain adequate cybersecurity measures. We cover the ins and outs of DFARS requirements here.  

  • DFARS 252.204-7012: requires contractors and subcontractors to safeguard covered defense information by implementing NIST SP 800-171, and to report cyber incidents affecting that information to DoD. 
  • DFARS 252.204-7019: requires companies to have a current NIST SP 800-171 DoD Assessment (not more than three years old) posted in the Supplier Performance Risk System (SPRS) to be considered for award. 
  • DFARS 252.204-7020: requires companies to give the Government access to facilities, systems, and personnel whenever the Department of Defense (DoD) conducts or renews a Medium or High assessment, and to flow the requirement down to subcontractors.

So, how do you get started?

First, check out our blog post, “What is SPRS” for a quick guide on SPRS, how to create an account, and how to submit your data. SPRS is the DoD system of record where your NIST SP 800-171 assessment results (score, assessment date, scope, and the date you expect to reach a full 110) are posted, as DFARS 252.204-7019 and 252.204-7020 require. Once you have established the appropriate account access in SPRS, it’s time to take the assessment. Often, when a company commences completion of the self-assessment, they aren’t sure what to do, and may not understand what is being asked by the controls.

 

The simple answer is that you go through all 110 requirements and decide, for each one, whether it is implemented or not. The Basic Assessment score starts at a perfect 110, and each requirement that is not implemented subtracts its weight: 1, 3, or 5 points, depending on how much the DoD Assessment Methodology judges its absence to weaken the protection of CUI. The lowest possible score is -203. “Partially implemented” earns partial credit in only two cases: 3.5.3 (MFA in place for remote and privileged users but not for general users) and 3.13.11 (encryption in place but not FIPS validated) subtract 3 points instead of 5; every other requirement that is not fully implemented loses its full weight. One requirement, 3.12.4 (the system security plan), carries no points because without an SSP the assessment cannot be completed at all. Unmet requirements go on a Plan of Action and Milestones (POA&M) with the date by which you expect to reach 110, which is one of the values SPRS asks you to enter.
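As an added example (not part of the original post, and not a DoD tool), the following PowerShell computes a Basic Assessment score the way the methodology does: start at 110, subtract each unmet requirement’s weight, and apply the only two partial-credit cases. The four findings are constructed for illustration; the weights shown for those four requirements are the Annex A values of the DoD Assessment Methodology as the author recalls them, so verify them against the current edition before relying on the numbers.

```powershell
# Added example (not from the original post): score a NIST SP 800-171 Basic Assessment.
# Findings below are constructed; weights are assumed to match Annex A for these controls.

$Findings = @(
    # Status is one of: Implemented, NotImplemented, Partial.
    # 'Partial' only earns credit for 3.5.3 and 3.13.11 (see Get-Deduction).
    [pscustomobject]@{ Control = '3.5.3';   Weight = 5; Status = 'Partial' }         # MFA for remote/privileged users only
    [pscustomobject]@{ Control = '3.11.1';  Weight = 3; Status = 'NotImplemented' }  # no periodic risk assessment
    [pscustomobject]@{ Control = '3.6.3';   Weight = 1; Status = 'Implemented' }     # IR capability tested
    [pscustomobject]@{ Control = '3.13.11'; Weight = 5; Status = 'Partial' }         # encrypted, but not FIPS validated
)

function Get-Deduction {
    param([pscustomobject]$Finding)
    switch ($Finding.Status) {
        'Implemented'    { return 0 }
        'NotImplemented' { return $Finding.Weight }
        'Partial' {
            # The methodology allows partial credit for exactly two requirements:
            #   3.5.3   MFA implemented for remote and privileged users but not general users -> subtract 3
            #   3.13.11 encryption employed but not FIPS validated                          -> subtract 3
            if ($Finding.Control -in '3.5.3', '3.13.11') { return 3 }
            # Everywhere else "partially implemented" scores as not implemented.
            return $Finding.Weight
        }
        default { throw "Unknown status '$($Finding.Status)' for $($Finding.Control)" }
    }
}

function Get-AssessmentScore {
    param([pscustomobject[]]$Findings)
    $score = 110                                    # perfect score before deductions
    foreach ($f in $Findings) { $score -= Get-Deduction -Finding $f }
    return $score
}

# With the constructed findings: 110 - 3 - 3 - 0 - 3 = 101
Get-AssessmentScore -Findings $Findings
```

Feed it your own list of the 110 requirements with their Annex A weights and the number it returns is the score you enter in SPRS; the two partial-credit branches are the only place a “partial” answer changes the result.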

Confused by what the controls are asking?

To complete the assessment, it is imperative that your organization understands what the controls mean in order to determine whether they are implemented in your environment. This can be tricky if you aren’t a cyber pro. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) curated a list of the top NIST 800-171 requirements that have been determined to be other than satisfied (OTS) during DIBCAC assessments. 

Below, find a deep dive into four of those most commonly non-compliant controls to help you get on track: Multi-factor Authentication, Risk Assessment, Incident Response, and FIPS-validated Encryption.

Identification and Authentication (IA) 3.5.3 – Multi-Factor Authentication
To protect CUI you have to limit access to authorized users, and to do that reliably you have to verify who is asking. That is where multi-factor authentication (MFA) comes in. MFA confirms the identity of a user, process, or device by requiring two or more distinct factors drawn from three categories: something you know (a password or PIN), something you have (a cryptographic identification device, smart card, or hardware token), and something you are (a biometric). Two factors from the same category, such as a password plus security questions, are still single-factor. Requirement 3.5.3 specifically calls for MFA on local and network access to privileged accounts and on network access to non-privileged accounts, so a deployment that covers remote users and administrators but leaves ordinary users’ network logins without a second factor is the partial-credit case: it loses 3 points rather than 5.

Risk Assessment (RA) 3.11.1 – Periodically Assess Risk
Requirement 3.11.1 asks you to periodically assess the risk to organizational operations, assets, and individuals that results from operating your systems and from processing, storing, or transmitting CUI. The requirement does not set the interval; your policy does, and you then need evidence that you kept to it. Annually is the customary minimum, with a fresh assessment whenever something significant changes (a new system, a cloud migration, an acquisition). The output should feed a written risk management plan. Consider the following as part of your risk assessment process:

  • Identify the threats and vulnerabilities facing the networks and systems that hold CUI, and rate each risk by likelihood and impact so that mitigation effort goes where it matters.
  • Evaluate the nature of the data being processed and stored and the potential threats against that data.
  • Develop, tailor, and implement mitigation strategies to the identified risks and include measures such as security controls and contingency plans.
  • Monitor the environment for changes that could impact data security.

Incident Response (IR) 3.6.3 – Test Your Incident Response Capabilities
Two requirements work together here. IR 3.6.1 says establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities; IR 3.6.3 says test that capability. NIST SP 800-171A supplies the assessment objectives an assessor uses to check both, and a Cybersecurity Maturity Model Certification (CMMC) Level 2 assessment uses the same objectives. An incident response plan that exists on paper but has never been exercised does not satisfy 3.6.3. 

With ever-evolving threats, testing the incident response capability is a necessary part of any information security program, not a one-time event. IR testing can take the form of tabletop exercises, functional exercises, and tests that simulate attacks against your incident response procedures. Whichever you choose, keep the artifacts (scenario, date, participants, findings, and follow-up actions); that record is what an assessor will ask to see: 

  • Tabletop Exercises are facilitated, discussion-based exercises where personnel meet to discuss roles, responsibilities, coordination, and decision-making of a given scenario.
  • Functional Exercises allow personnel to validate their readiness for emergencies by performing their duties in a simulated environment.
  • Tests are evaluation tools that use quantifiable metrics to validate the operability of an IT system or system component in an operational environment. A test is conducted in as close to an operational environment as possible.

System Communications & Protection (SC) 3.13.11 – FIPS Validated Encryption
This is number one on DIBCAC’s list of most commonly non-compliant controls, and for good reason. Requirement 3.13.11 reads: employ FIPS-validated cryptography when used to protect the confidentiality of CUI. “Validated” has a precise meaning. A FIPS-validated cryptographic module is one that an accredited Cryptographic and Security Testing laboratory has tested against the Federal Information Processing Standard (FIPS) 140-2 (or its successor, FIPS 140-3) and for which NIST’s Cryptographic Module Validation Program (CMVP) has issued a certificate. A product that merely uses approved algorithms such as AES without a certificate is “FIPS compliant” at best, and that is exactly the gap assessors keep finding. The requirement applies wherever you rely on cryptography to keep CUI confidential: on disk, in databases and backups, and in transit across the internet or your own network. Cryptography is the use of mathematical algorithms to secure data; encryption is the process of applying a cryptographic algorithm to data so that it can only be read by someone holding the right key. It’s like wrapping that sensitive information up in a bubble so that only authorized recipients of the data can open it. 

So, how do you comply with this requirement? Use FIPS-validated modules in every system that stores or transmits CUI, and document it in policy, process and procedural documents AND in your System Security Plan, ideally with the CMVP certificate number for each product and version, since certificates are issued per module version and an assessor will look them up. BitLocker is the usual example. It relies on the Windows cryptographic modules that hold CMVP certificates, but it only restricts itself to approved algorithms when the security policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” is enabled, and that setting should be in place before the volume is encrypted; if it was turned on afterwards, decrypt and re-encrypt the volume so the keys and protectors are created under FIPS mode.
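As an added example (not from the original post, and not Microsoft’s own documentation), the following PowerShell audits the FIPS mode policy and the BitLocker state of a volume that holds CUI, and enforces the order of operations: policy on, reboot, then encrypt. The registry path and cmdlets are the standard Windows ones; the drive letter C: and the choice of a TPM protector plus an escrowed recovery password are assumptions for this illustration. Run it in an elevated PowerShell session on the host itself.

```powershell
# Added example (not from the original post): audit and set the Windows FIPS mode policy
# that BitLocker must see before a CUI volume is encrypted, then report each volume's state.
# Assumptions: C: holds CUI; TPM + recovery password are the chosen protectors.

$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Test-FipsPolicy {
    # Registry equivalent of the Security Options policy
    # "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
    # Returns $true only when the Enabled DWORD exists and is 1; absent or 0 is the weak default.
    $value = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 1)
}

function Enable-FipsPolicy {
    # Corrected setting. Prefer pushing this through Group Policy on a domain; the registry
    # write below is the local equivalent. Reboot before encrypting any volume.
    if (-not (Test-Path $FipsKey)) { New-Item -Path $FipsKey -Force | Out-Null }
    Set-ItemProperty -Path $FipsKey -Name Enabled -Value 1 -Type DWord
}

function Get-CuiVolumeReport {
    param([string[]]$MountPoint = @('C:'))   # assumption: C: is the CUI volume
    $fipsOn = Test-FipsPolicy
    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp
        # 3.13.11 verdict: encryption present with FIPS mode off is the
        # "encryption employed but not FIPS validated" partial-credit case.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $verdict = 'Not encrypted' }
        elseif (-not $fipsOn)                       { $verdict = 'Encrypted, FIPS mode off' }
        else                                        { $verdict = 'Encrypted with FIPS mode on' }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted / FullyDecrypted / EncryptionInProgress
            ProtectionStatus = $vol.ProtectionStatus    # On / Off
            EncryptionMethod = $vol.EncryptionMethod    # e.g. XtsAes256
            KeyProtectors    = ($vol.KeyProtector.KeyProtectorType -join ',')
            FipsPolicyOn     = $fipsOn
            Verdict          = $verdict
        }
    }
}

function Protect-CuiVolume {
    param([string]$MountPoint = 'C:')
    # Refuse to encrypt under the weak setting; keys created now would not be FIPS-mode keys.
    if (-not (Test-FipsPolicy)) { throw "Enable FIPS mode and reboot before encrypting $MountPoint" }
    # XTS-AES 256 with the TPM as primary protector, plus a recovery password you escrow
    # (AD DS, Entra ID, or an offline store) according to your documented procedure.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
}

# Audit only by default; call Enable-FipsPolicy, reboot, then Protect-CuiVolume to remediate.
Get-CuiVolumeReport | Format-Table -AutoSize
```

The report’s Verdict column maps directly onto the assessment: “Not encrypted” is the full 5-point deduction, “Encrypted, FIPS mode off” is the 3-point partial-credit case, and only the last state supports an “implemented” answer, and even then you still need the CMVP certificate reference for the Windows module in your SSP.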

Still struggling? Let Alluvionic help!

We have supported dozens of companies by facilitating completion of the NIST Basic Assessment. Let our SMEs educate you on each control while populating the score, documenting how your organization is currently meeting the requirements, and providing guidance on the best way to move forward. 

If you’re looking for other places to start, try reading up on the basics of CMMC, or you can even check out What is SPRS.

Ready to complete your NIST Basic Assessment? Reach out to our experts at www.Alluvionic.com or call 321-241-4510.
