Enterprise IT Context for the CTO

Bob Gourley


New DoD Rules For Contractors Focus On Enhancing Security and Incident Response

On 26 August 2015 the Department of Defense (DoD) published a new rule entitled "Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018)". You can read the details of this new rule here:

Download "DoD Rules On Protecting Data In Contractor Systems" (26-Aug-Federal-Registrar-New-DoD-Rules-For-Cyber.pdf, 290 kB)

This rule represents a significant expansion of the mandate on defense contractors and their subcontractors to protect information and report on breaches.

The rule took effect immediately. It was promulgated with urgency, and all contractors and subcontractors are expected to treat it with corresponding seriousness.

The DoD expects these rules will apply to about 10,000 contractors. The rules are meant to ensure that all DoD contractors and subcontractors (not just IT providers, but ALL contractors) take appropriate steps to mitigate risks and enhance their security. The rule also makes it clear that if DoD information is involved in a breach, there are reporting requirements.

Here is what you need to know:

  • All DoD contractors and subcontractors must report cyber incidents that result in compromise or other potentially adverse effects on covered DoD information.
  • All DoD contractors will have a security program that meets specific requirements and controls expected by the government.
  • Mandated security controls flow from NIST guidelines as articulated in NIST Special Publication 800-53 and the new NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. SP 800-171 is specifically tailored to protecting sensitive information in contractor information systems.
  • Covered DoD information includes just about any information you will receive from or produce for DoD. It is covered by this rule if it is "any DoD information provided to the contractor or collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of performance of a government contract".
  • Any incident must be reported within 72 hours of discovery.
  • Processes must be in place to respond to incidents and DoD has the right to inspect systems and conduct forensics themselves.
  • The rules also spell out how cloud computing services will be leveraged. Cloud service providers will be contractually obligated to maintain all government data in the U.S. unless otherwise authorized in writing by the contracting officer. DoD intends to acquire and use commercial cloud computing services using commercial terms and conditions, but will only do that with firms that have obtained at least a provisional authorization by DISA.
  • Contractors will also be required to let the government know whether or not they anticipate that cloud computing services will be used in performance of any contract or subcontract resulting from this solicitation.

Actions we recommend all DoD contractors take now:

  • Read the full rule yourself, slowly. It is not that long. Download it from the link at the bottom of this article.
  • Consider external assistance in ensuring your processes, technologies and controls are compliant with this rule. Contact Cognitio for help with this, and ask for information on our Cyber360 offering.
  • Consider joining the Defense Industrial Base ISAC. Although its purpose is defense against security threats, it is also a great means to collaborate with others on issues of common concern.
  • Take the CTOvision Survey on these new rules here. This will help us understand your views and will inform our future writing. It will also provide us with information we will use in feedback to the government on these rules (we are providing a free copy of our book The Cyber Threat to all DoD contractors who take this survey).
  • Sign up for the Daily Threat Brief, which provides insights on adversaries designed to inform your decision-making and reduce your risk.

Download "DoD Rules On Protecting Data In Contractor Systems" (26-Aug-Federal-Registrar-New-DoD-Rules-For-Cyber.pdf, 290 kB)


Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com.