Cybersecurity Compliance Basics for Government Contractors
Key Details: Cybersecurity threats and risk mitigation strategies are a growing area of focus for the government and contracting marketplace. With federal contract spending reaching almost $700 billion in fiscal year 2020, it is imperative for the government to tighten cybersecurity requirements to lower the threat of security breaches.
For the contracting community, this means strict compliance with cybersecurity requirements for government contractors and increasing reporting requirements in order to continue competing for contracts. This heightened focus led to the Department of Justice’s recent Civil Cyber-Fraud Initiative, which we will cover in next week’s blog post, and to President Biden’s May 12, 2021, Executive Order titled “Improving the Nation’s Cybersecurity” (EO 14028).
The following portion of this article highlights the most frequently encountered cybersecurity requirements government contractors must be aware of. Compliance with these requirements is essential not only for capturing and maintaining contracts, but also for ensuring the safety of sensitive U.S. information. As each of these standards contains copious regulations and requirements, it will be essential for contractors to speak with a trusted advisor.
Most Encountered Cybersecurity Requirements for Government Contractors
The most frequently encountered security standards clauses include:
- FAR 52.204-21: Basic Safeguarding of Covered Contracting Information Systems.
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting.
- DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements.
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements.
Through compliance program development, standards development, and the acquisition clauses listed above, the Federal Government has provided explicit, baseline guidance on system requirements, security standards, and incident reporting. Specifically, NIST SP 800-171 itself contains 110 controls spread across 14 control families.
Regardless of the clauses in your contract, all federal contractors, at a minimum, must:
- Review the requirements in the above clauses and NIST SP 800-171.
- Conduct an internal self-assessment of covered systems.
- Perform a gap analysis of covered systems against compliance standards.
- Develop a plan of action to remedy any weaknesses.
- Draft comprehensive cybersecurity and incident response policies and procedures.
Contractors without adequate internal resources to assess their systems, apply the standards, and develop a compliance plan are advised to seek expert, professional assistance.
FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
Overview: The primary objective of clause FAR 52.204-21 is to ensure federal government contractors are following and applying the requirements below to their cybersecurity systems and infrastructure in order to protect covered contractor information systems.
Per FAR 4.1903 Contract Clause, “the contracting officer shall insert the clause at 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in solicitations and contracts when the contractor or subcontractor at any tier may have Federal contract information residing in or transiting through its information system.”
The broad scope of FAR 52.204-21 means the clause likely applies to any federal contract at the prime or subcontractor level. Hence, it is imperative that federal contractors meet these requirements regardless of whether FAR 52.204-21 has been explicitly cited in a solicitation, award document, or subcontract. Prime contractors are also required to flow this clause down to subcontractors performing work under the contract.
FAR 52.204-21 Requirements
At a minimum, FAR 52.204-21 cites compliance with the following system basic safeguarding requirements:
- Limiting information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)
- Limiting information system access to the types of transactions and functions that authorized users are permitted to execute
- Verifying and controlling / limiting connections to and use of external information systems
- Controlling information posted or processed on publicly accessible information systems
- Identifying information system users, processes acting on behalf of users, or devices
- Authenticating (or verifying) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems
- Sanitizing or destroying information system media containing Federal Contract Information before disposal or release for reuse
- Limiting physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals
- Escorting visitors and monitoring visitor activity; maintaining audit logs of physical access; and controlling and managing physical access devices
- Monitoring, controlling, and protecting organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems
- Implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks
- Identifying, reporting, and correcting information and information system flaws in a timely manner
- Providing protection from malicious code at appropriate locations within organizational information systems
- Updating malicious code protection mechanisms when new releases are available
- Performing periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
Overview: The primary objective of DFARS 252.204-7012 is to ensure contractors provide adequate security for covered defense information that is processed, stored, or transmitted via the contractor’s internal systems and networks. Other requirements include reporting any cyber incident that affects the contractor’s information system and submitting malicious software discovered during a cyber incident. DFARS 252.204-7012 also requires compliance with National Institute of Standards and Technology (NIST) standards.
To provide “adequate security” federal contractors must meet and implement NIST SP (Special Publication) 800-171. NIST SP 800-171, titled “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations” was developed to provide a single set of performance-based security requirements.
This requires contractors to protect controlled unclassified information in nonfederal systems. The basic security requirements of this standard follow FAR 52.204-21, where system access is limited to authorized users and to the transactions and functions those users are permitted to execute; other controls go a step beyond FAR 52.204-21.
NIST SP 800-171 Requirements
NIST SP 800-171 contains 110 controls across 14 control categories, and contractors must conduct an assessment to ensure their cybersecurity systems meet the requirements. Other security requirements per NIST SP 800-171 include:
- Controlling the flow of CUI in accordance with approved authorizations
- Separating the duties of individuals to reduce the risk of malevolent activity without collusion
- Employing the principle of least privilege, including for specific security functions and privileged accounts
- Using non-privileged accounts or roles when accessing non-security functions
- Preventing non-privileged users from executing privileged functions and capturing the execution of such functions in audit logs
- Limiting unsuccessful logon attempts
- Providing privacy and security notices consistent with applicable CUI rules
- Using session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity
- Terminating (automatically) a user session after a defined condition
- Monitoring and controlling remote access sessions
- Employing cryptographic mechanisms to protect the confidentiality of remote access sessions
- Routing remote access via managed access control points
- Authorizing remote execution of privileged commands and remote access to security-relevant information
- Authorizing wireless access prior to allowing such connections
- Protecting wireless access using authentication and encryption
- Controlling connection of mobile devices
- Encrypting CUI on mobile devices and computing platforms
- Verifying and controlling / limiting connections to and use of external systems
- Limiting the use of portable storage devices on external systems
- Controlling CUI posted or processed on publicly accessible systems
Additional Cybersecurity Requirements for Government Contractors
NIST SP 800-171 also requires awareness and training for these security requirements. This includes ensuring users of organizational systems are aware of policies and procedures relating to security risks. Personnel must also be trained to carry out their security responsibilities and be trained to recognize indicators of insider threat. Other requirements under NIST SP 800-171 include:
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communication protection
For a complete description and definition of all 110 controls and 14 control categories, please reference the full NIST SP 800-171 publication.
DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
Overview: DFARS 252.204-7019 requires federal contractors to meet the regulations under NIST SP 800-171, highlighted above, and is one of three interrelated clauses that extend the original DFARS 252.204-7012 clause. This specific clause details the requirements contractors must meet when reporting and maintaining their self-assessments under NIST SP 800-171.
Specifically, this provision requires a current NIST SP 800-171 DoD Assessment on record (no older than three years). Thus, each contractor will be required to have a Basic, Medium, or High assessment that is completed at least every three years. The Basic level is a self-assessment / attestation that also requires a System Security Plan to be submitted. The Medium and High-level assessments are conducted by the DCMA (Defense Contract Management Agency).
Basic assessments are required for all new contracts and the DoD may conduct further Medium or High-level assessments as needed. All federal contractors, especially DoD contractors, must determine if they have submitted or need to submit a basic self-assessment as submission and compliance will impact contract awards, renewals, and option exercise. This assessment will be used by contracting officers in deciding the award of contracts.
The assessment will be posted in the Supplier Performance Risk System (SPRS) in a score format. SPRS is used to assess, identify, and monitor unclassified performance for the DoD acquisition community. Contractors that meet the following are on track to meet the DFARS 252.204-7019 requirements:
- Have a current SPRS assessment on file
- Follow the NIST SP 800-171 DoD Assessment Methodology. (This guide also provides instructions on how to prepare and submit a self-assessment)
- Have an up-to-date System Security Plan (if required)
- Have an up-to-date Plan of Action and Milestones (if required)
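To make the “score format” concrete, the following is an added example (not code from the original article or from DoD) that computes a Basic self-assessment score the way the NIST SP 800-171 DoD Assessment Methodology describes it: every one of the 110 requirements carries a weight of 5, 3, or 1 point, the score starts at 110, and each requirement not yet implemented subtracts its weight (so the range runs from 110 down to -203). Two requirements receive partial credit, 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), each losing 3 points instead of 5 when partially met. The requirement subset, statuses, and the assumption that unlisted requirements are implemented are all constructed for illustration; the authoritative per-requirement weights are in the methodology’s annex, which a real assessment must follow in full. The same block also produces the ordered list of open items that would seed a Plan of Action and Milestones.

```python
"""Added example: NIST SP 800-171 DoD Assessment (Basic) scoring.

Not part of the original article. Weights, partial-credit rules and the
110-point ceiling follow the public DoD Assessment Methodology; the
sample requirements and their statuses below are constructed input.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"            # only valid for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not_implemented"


@dataclass(frozen=True)
class Requirement:
    ident: str       # NIST SP 800-171 requirement number, e.g. "3.1.1"
    weight: int      # 5, 3 or 1 point per the methodology's annex
    status: Status


MAX_SCORE = 110
VALID_WEIGHTS = (1, 3, 5)
# Requirements that may be scored as partially implemented, and the
# reduced deduction that applies in that case (3 instead of the full 5).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


def deduction(req: Requirement) -> int:
    """Points subtracted from 110 for a single requirement."""
    if req.weight not in VALID_WEIGHTS:
        raise ValueError(f"{req.ident}: weight must be one of {VALID_WEIGHTS}")
    if req.status is Status.IMPLEMENTED:
        return 0
    if req.status is Status.PARTIAL:
        if req.ident not in PARTIAL_CREDIT:
            # The methodology allows partial credit for exactly two requirements;
            # anything else is either implemented or not.
            raise ValueError(f"{req.ident}: partial credit is not allowed")
        return PARTIAL_CREDIT[req.ident]
    return req.weight


def score(requirements: list[Requirement]) -> int:
    """Basic assessment score. Requirements not listed are assumed implemented
    (constructed simplification; a real assessment scores all 110)."""
    idents = [r.ident for r in requirements]
    if len(set(idents)) != len(idents):
        raise ValueError("duplicate requirement identifiers in assessment")
    return MAX_SCORE - sum(deduction(r) for r in requirements)


def open_items(requirements: list[Requirement]) -> list[str]:
    """Requirements still owed points, highest deduction first, for the POA&M."""
    pending = [r for r in requirements if r.status is not Status.IMPLEMENTED]
    pending.sort(key=deduction, reverse=True)  # stable: ties keep input order
    return [r.ident for r in pending]


# Constructed sample assessment (a subset, not a real contractor's data).
SAMPLE = [
    Requirement("3.1.1", 5, Status.IMPLEMENTED),      # limit system access
    Requirement("3.1.2", 5, Status.IMPLEMENTED),      # limit to permitted functions
    Requirement("3.4.1", 5, Status.NOT_IMPLEMENTED),  # baseline configurations
    Requirement("3.5.3", 5, Status.PARTIAL),          # MFA on some accounts only
    Requirement("3.13.11", 5, Status.PARTIAL),        # encryption not FIPS-validated
    Requirement("3.1.20", 1, Status.NOT_IMPLEMENTED), # external connections
    Requirement("3.5.7", 1, Status.NOT_IMPLEMENTED),  # password complexity
    Requirement("3.8.3", 5, Status.IMPLEMENTED),      # media sanitization
]

if __name__ == "__main__":
    print("SPRS score:", score(SAMPLE))           # 110 - (5+3+3+1+1) = 97
    print("POA&M items:", open_items(SAMPLE))
```

The scoring function rejects partial credit anywhere other than the two requirements the methodology names, and rejects duplicate identifiers, because both mistakes silently inflate a self-reported score. The ordered open-items list is the practical output: it is the weighted backlog a contractor carries into the Plan of Action and Milestones referenced above.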
This clause at minimum applies to all DoD solicitations going forward, except for those that are solely to acquire commercially available off-the-shelf items. This means new contracts and modifications and extensions made to existing contracts will need to comply with these standards.
Given that DoD has developed the assessment and CMMC framework (see next section below), it is likely that other agencies will adopt similar standards in the near future. Hence, it is imperative that all federal contractors familiarize themselves with NIST SP 800-171 and at minimum conduct an internal compliance self-assessment, create system gap analysis against the NIST SP 800-171 standards, and develop a plan of action to address any weaknesses.
DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
Overview: The DFARS 252.204-7021 clause requires federal contractors to hold a CMMC (Cybersecurity Maturity Model Certification) certification. The level of the contract at the time of award determines the CMMC level required, and that level must be maintained throughout the duration of the contract. Prime contractors who utilize subcontractors must also ensure CMMC compliance flows down to all tiers.
The first version of the CMMC was released on January 31, 2020, by the Department of Defense. The aim of this requirement is to create a unified standard for streamlined implementation of cybersecurity requirements across the defense industrial base.
5 Levels of CMMC
The CMMC has five levels of certification that represent the reliability and maturity of a contractor’s cybersecurity system. The five levels of the CMMC are as follows:
Level 1: The company performs “basic hygiene practices.” This includes utilizing antivirus software and ensuring employees change their passwords frequently.
Level 2: The company documents “intermediate cyber hygiene” and implements some of the requirements under NIST 800-171.
Level 3: The company performs “good cyber hygiene” and has a management plan to safeguard CUI and follows NIST standards.
Level 4: The company has a process to review and measure its cybersecurity practices and has additional processes used to detect APTs (advanced persistent threats).
Level 5: The company has an optimized and standardized process throughout the entire organization and utilizes additional enhanced cybersecurity practices that can respond to APTs.
Federal government contractors should learn the various levels of requirements under the CMMC framework and understand what level their contracts require. Evaluation of current practices and implementing additional processes to enhance cybersecurity infrastructure may be required as additional contracts are awarded.
The DoD expects that by October 1, 2025, all entities receiving contracts and orders will be required to hold a CMMC certification. This does not apply to contracts solely for commercially available off-the-shelf items or those valued below the micro-purchase threshold. For more information regarding CMMC, please read our article here.
With the intensified focus on compliance with the above cybersecurity requirements for government contractors, it is crucial for contractors to assess their cybersecurity infrastructure against published standards and contract requirements. Contractors should continuously monitor their cybersecurity protocols and procedures and their CMMC level to ensure they qualify for future contracts. Reviewing your government contracts and determining whether you store CDI or non-public federal contract information will also be essential.
Understanding the NIST SP 800-171 standards and implementing these procedures is the first step towards compliance. The recent Initiative announced by the DoJ adds a further layer of complexity to cybersecurity regulations; read our article on it next week, and contact Ryan & Wetmore today to speak with an expert.
Today’s Thought Leaders
Contact us today by calling 301-585-0506.
About Peter Ryan
Partner, Co-founder, & CPA
Peter T. Ryan co-founded Ryan & Wetmore in 1988 with business partner Michael J. Wetmore. Peter provides clients with the best strategies for success. His expertise extends across various industries, including government contracting. Peter obtained a Master of Business Administration in Finance from the University of Baltimore and a Bachelor of Arts in Accounting from the Catholic University of America.
Read Pete’s full bio.
About Rosie Cheng
Rosie Cheng is a Finance Consultant at Ryan & Wetmore. She focuses on government contracting services and produces many of the firm’s government contracting newsletters. Rosie graduated from Georgetown University with a Master of Science in Management and from William and Mary with a Bachelor of Business Administration.