Wednesday, December 19, 2018

Enterprise Security Policies

Policies need to be established and signed off by C-level management. Policy is implemented through standards, guidelines, and procedures. Before writing policies, consider establishing a framework. See NIST "Framework for Improving Critical Infrastructure Cybersecurity," Version 1.1, 16 April 2018. Another comprehensive example is provided by the DoD: a framework built on 4 goals: 1. Organize, 2. Enable, 3. Anticipate, 4. Prepare. For details, see the "Build and Operate a Trusted DoDIN" DoD Cybersecurity-Related Policies and Issuances (IA Policy Chart).

Since compliance with NIST standards is mandatory (SP 800-53 for DoD and federal agencies, SP 800-171 for DoD contractors), a good starting point is a set of policies aligned with the NIST SP 800-53 control families. As of NIST SP 800-53 Rev 4 there are 18 security control families, with 8 more (Appendix J) if the Privacy Overlay applies. I-Assure RMF templates are available for the following:
  • AC - Access Control
  • AT - Awareness and Training
  • AU - Audit and Accountability
  • CA - Security Assessment and Authorization
  • CM - Configuration Management
  • CP - Contingency Planning
  • IA - Identification and Authentication
  • IR - Incident Response. Follow NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover). 
  • MA - Maintenance
  • MP - Media Protection
  • PE - Physical and Environmental Protection
  • PL - Planning
  • PM - Program Management
  • PS - Personnel Security
  • RA - Risk Assessment
  • SA - System and Services Acquisition
  • SC - System and Communications Protection
  • SI - System and Information Integrity
Other policies and procedures:
  • Cloud Computing Policy. See http://www.techproresearch.com/downloads/cloud-computing-policy/. 
  • Business Impact Analysis (BIA). First step in disaster planning. Identify systems, services, processes, and workflows in the organization and prioritize recovery (i.e. set the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for each).
  • Business Continuity Plan (BCP). Describes how to meet the availability objectives defined by the BIA.
  • Disaster Recovery Plan (DRP). Should be invoked based on a threshold defined in the Incident Response Plan (IRP).
  • Electronic Communications Policy. What tool(s) to use, what medium(s) to use (email, blog, social media), define restrictions.
  • Employee Termination Process
  • Inventory Management
  • Lifecycle Management
  • Preventive Maintenance Plan
  • Portable Media Policy (covering PDAs, iPods, iPads, flash devices, cameras, portable hard drives, cell phones, thumb drives, digital recorders)
  • Personal Fitness Devices (PED)
  • Wireless Networking Policy
  • Privacy
  • Password Policy.
  • Media Disposal
  • Pre-hire
  • Contracts and Agreements
  • Disciplinary Action
  • Virtual Private Network (VPN)
  • Telecommuting/telework Policy
    • NIST SP 800-114 Revision 1, "User's Guide to Telework and Bring Your Own Device (BYOD) Security," July 2016
    • For DoD, DD 2496 (Department of Defense Telework Agreement) is required. When Controlled Unclassified Information (CUI), including competition sensitive or source selection data, is authorized for use at the telework location, criteria for proper encryption and safeguarding of such information and data must be consistent with Enclosure 3, subparagraphs 3.f.(1) through (3) of DoDI 1035.01, Telework Policy.
    • Office of Personnel Management (OPM) Telework Site. Also see https://www.telework.gov/federal-community/telework-employees/making-your-case-for-telework/
  • Virtualization Policy. 
  • Anti-malware
  • Acceptable Use
  • Software Licensing
  • Streaming Media Policy.
  • End User Backup Policy.
  • Network Traffic Management (inbound, outbound, priority)
  • DHCP Usage Policy
  • Information Classification (proprietary, confidential, public)
  • Nondisclosure Agreements
  • Resource and Data Recovery Policy and Procedures. Explain processes for reporting and recovering information if it becomes lost, stolen, or inaccessible.
  • Severe Weather and Emergency Policy.
  • Data Retention Policy
  • IT Hardware Procurement Policy
  • Secure Web Browser Usage Policy
  • "Cybersecurity Quick Reference Card." Should be printed out and displayed at every user workstation. Include:  contact information for Service Desk, symptoms of a malware infection or network attack, warning to lock system when away, incident response procedures.

    Multi-factor Authentication (MFA) for Office 365

    As part of our NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) and DFARS 204.73 (Safeguarding Covered Defense Information and Cyber Incident Reporting) compliance effort, KINEX enabled multi-factor authentication (MFA) for our Office 365 users. MFA for Office 365 requires your password plus an additional verification step to log in to your account, such as a text message, phone call, or email message to an alternate (non-Office 365) email address. You can also use an app password or the Microsoft Authenticator app. The following URL provides information for users on how to set up their account to use 2-step verification for Office 365:
     

    Tuesday, December 18, 2018

    File Sharing Tools

    • Dropbox.
    • Google Docs.
    • OneDrive.
    • OneDrive for Business.
    • Hightail (formerly YouSendIt)
    • SAFE. AMRDEC Safe Access File Exchange (SAFE) was designed to provide AMRDEC and its customers an alternative to email for sending files. SAFE supported file sizes up to 2 GB and was authorized for unclassified data, including Privacy Act data. As of December 2018, the AMRDEC SAFE site has been shut down. Use the ARL site instead (PII/PHI not allowed).
    • ARL SAFE.  
    • DISA Secure File Gateway (SFW) Relay Service
    • DoD Secure File Sharing Tools on milSuite
    • Send Anywhere. Supports iOS, Android, web, and desktop client for macOS and Windows. Free (with ads), $5.99/month for Pro. Retrieve files using a 6-digit code, QR code, or link. Expires after 48 hours. Not sure if that is configurable.

    Friday, December 14, 2018

    Removable Media Use on Army Networks

    ARCYBER OPORD 2017-009, "Removable Media Use within Army Networks," 6 October 2016, applies to NIPR, SIPR, DREN, and SDREN. This order superseded OPORD 2012-347. Army G2 (DAMI-IM) policy governs removable media use on JWICS.

    Removable Media (RM) is defined as any portable data storage medium which can be connected to or inserted into and removed from a computer, and is used to store data, such as magnetic, optical, solid-state devices, flash drives, and external drives. RM has no independent processing capabilities.

    Data Transfer Agents (DTA) and HBSS exceptions are necessary to enable write operations to removable media.

    Appendix 2 to Annex T is the Checklist for use of Removable Media (RM).

    Thursday, December 13, 2018

    Encryption Tools


    • Encryption Wizard. Encryption Wizard (EW) is a simple, strong, Java-based file and folder encryptor for protection of sensitive information (FOUO, Privacy Act, CUI, etc.). EW encrypts all file types for data-in-transit protection and supplements data-at-rest protection. Without requiring installation or elevated privileges, EW runs on Windows, Mac, Linux, Solaris, and other computers with Standard Edition Java. Behind its simple drag-and-drop interface, EW offers 128- or 256-bit AES encryption, hashing, searchable metadata, archives, compression, secure deletion, and PKI/CAC/PIV support. EW is GOTS: Government invented, owned, and supported software.
    • ViaSat KG-201 Inline Media Encryptor (IME). Achieves Data at Rest (DAR) compliance (CJCSI 6510.01E) and closes DISA IASE Removable Storage and External Connection Technologies STIG finding V-24177 (associated DoDI 8500.2 IA Control ECCT-2). NSA Type 1 certified for TS/SCI and below. TEMPEST compliant per NSTISSAM 1/92. USB 2.0 interface. Handled as an unclassified Controlled Cryptographic Item (CCI) when the cryptographic ignition key (CIK) is removed. Uses two-factor authentication: CIK and PIN. Meets NSA Crypto Modernization Initiative (CMI) and Key Management Infrastructure (KMI) standards.


    Wednesday, December 12, 2018

    McAfee Host Based Security System (HBSS) components are listed below. The McAfee Agent (MA) is installed first; it is the container through which the remaining components are delivered and managed.

    • Data Exchange Layer (DXL)
    • Host Intrusion Prevention (HIPS)
    • Policy Auditor Content Update (PAC)
    • Data Loss Prevention Endpoint (DLP)
    • Advanced Host Assessment Content Update (AHA)
    • Policy Auditor Advanced Host Assessment (PAA)
    • Policy Auditor (PA)
    • Tychon Endpoint (TE)
    • Asset Configuration Compliance Module (ACCM)
    • Endpoint Security (ENS)
    • Policy Auditor Agent (PAA)
    • VirusScan Enterprise (VSE) with Anti-Spyware Enterprise

    Hosting Environment Decision Criteria for AGC

    Persistent Storage Cost. AGC needs to warehouse a large volume of imagery data for dissemination via applications such as the PKE web site and CMB. The entire archive must be available all the time; moving infrequently accessed data to lower tier storage (in terms of availability and/or retrieval time) may not be acceptable for the end user.

    Geographic Distribution of Data. Users downloading data from AGC applications tend to do so in large chunks (i.e. bigger than a CD or DVD). The end user experience is improved if the hosting environment provides the capability to distribute data closest to users according to the geographic location they are accessing the service from, much like operating system providers or media distribution services mirror their content around the globe.

    Independence. Applications that share common data sets need to stay with each other in the same hosting environment. Applications that are self-contained can go in any environment.

    Confidentiality Categorization. Does the application receive, process, store, transmit or display controlled unclassified information (CUI)? If yes, an environment categorized at least {M,x,x} (confidentiality Moderate) or DoD Cloud Impact Level 4 is required. If the application or data meets the criteria for a National Security System (NSS) per NIST SP 800-59, then an Impact Level 5 environment is required.

    On Demand Access. Applications that can be turned-off when not needed. Aside from workstations used to index CMB data, all of AGC's services need to be available 24/7.

    Cloud-Specific Services. Does AGC have applications that can take advantage of a service unique to a specific cloud provider such as Amazon Redshift?

    Scalability and Elasticity. Does AGC have workloads that can scale up/down based on the client load? To my knowledge, current applications are not designed to take advantage of this cloud capability; they are overprovisioned in order to be able to handle the maximum anticipated workload. Note the difference between scalability and elasticity: scaling is a one-way increase in resource allocation in response to usage demands, whereas elasticity is increasing or decreasing capacity in response to user demands.

    Virtualization. Does the application have to be hosted on bare metal hardware (this is a yes for MBPS, C2IE).

    Data Egress. Is the application a dissemination or visualization type where a lot of data would be downloaded or streamed to the end user? This is a factor if the cloud provider charges for egress (true in AWS and Azure, but I don't think so in milCloud). Examples are the PKE web site, CMB, and GeoGlobe.

    Multiple Classification Level Deployments. Is the application hosted in multiple classification environments (e.g. unclassified, S, and TS)? Having a common environment for each deployment may simplify design, implementation, and O&M. Does the cloud service offering (CSO)/cloud service provider (CSP) hold a DoD Provisional Authorization (PA) in each of the target environments (IL 4, IL 6, C2S)?


    Device Sanitization

    References:

    • Unauthorized Disclosure of Classified Information (see clean up procedures)


    Decision Support Tools for Cloud Migration

    Costs to be considered for a cloud migration include IT infrastructure (servers, switches, routers, firewalls, etc.), data center equipment (HVAC, racks, UPS, emergency power), real estate, software licenses, and systems engineering and O&M staff. Cost models need to take into account not only resource consumption in the cloud but also variation in the workload (e.g. does the application get busier during certain times of the year, month, or day?).
    • Decision Support Tools for Cloud Migration in the Enterprise (white paper). A cost modeling tool which uses a Unified Modelling Language (UML) deployment diagram, built in the Eclipse IDE, to describe a cloud deployment profile. It extends UML deployment diagrams with the elements Virtual Machine, Virtual Storage, Application, Data, Database, Remote Node, Communication Path, and Deployment. Once the model is created, it can be applied to a cloud provider to determine the computational resources needed. A baseline usage is set for each resource and an elasticity pattern then defines variations in use by day, month, or year. The usage pattern for each node is multiplied by the per-unit cost of that resource over the simulation period. Per-unit prices come from the cloud provider selected by the user, read from an XML file that stores over 600 prices from AWS, Azure, FlexiScale, Rackspace, GoGrid, and ReliaCloud.


    Insider Threat

    References:

    • DoD Final Report of the Insider Threat Integrated Process Team, 24 APR 2000
    • HQDA EXORD 217-13, "Insider Threat Mitigation Requirements and Reporting," 20 SEP 2013
    Where can I search for documents?

    What is "Continuous Monitoring" (ConMon)?

    The Risk Management Framework (RMF) requires "Continuous Monitoring" as the last step (6) in the assessment and authorization process. The Information System Owner (ISO) or Program Manager (PM) is responsible for developing a continuous monitoring plan during the RMF process initiation phase/Step 0 (Prepare) and implementing the plan in Step 6 (Monitor). What is continuous monitoring and what should the plan look like?

    NIST SP 800-37 Rev 2, RMF Task P-7 Continuous Monitoring Strategy - Organization (see Section 3.1, Prepare, Table 1: Prepare Tasks and Outcomes - Organization Level), requires that "An organization-wide strategy for monitoring control effectiveness is developed and implemented [Cybersecurity Framework: DE.CM; ID.SC-4]." The particular requirements for continuous monitoring are defined in NIST SP 800-53 Rev 4 security control CA-7:

    “The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
    a. Establishment of [Assignment: organization-defined metrics] to be monitored;
    b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
    c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
    d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
    e. Correlation and analysis of security related information generated by assessments and monitoring;
    f. Response actions to address results of the analysis of security-related information; and
    g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].”

    NIST SP 800-137, "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations," defines continuous monitoring as:
    "Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions."
    The following is an outline of continuous monitoring activities which should be covered by an organization supporting the DoD:

    • Maintain an awareness of our authorization status (e.g. ATO, IATT) including the expiration date, milestones associated with POA&M items, and plan for extension or renewal.
    • Maintain an accurate inventory of hardware (physical and virtual) and software used within the environment/accreditation boundary (CIS Basic Controls #1 and #2).
    • Generate periodic hardware and software inventory reports. Investigate deviations from the approved baseline that have not been approved/documented through the change management process.
    • Personnel deemed part of the Information Assurance/Cybersecurity workforce are DoDD 8140/DoD 8570.01-M compliant and maintain their status through ongoing training and (re)certification. This includes determination of the Cybersecurity Workforce role (e.g. IAT, IAM, CND), the baseline IA certification, identification of appropriate computing environment (CE) training or certification, registration in ATCTS and Skillport, and writing appointment orders that align with the duties to be performed. Maintain a Contractor Cybersecurity Workforce (CSWF) Report in the format specified by DID DI-MGMT-82160.
    • Management and Technical personnel should subscribe to vendor mailing lists and be aware of organizational policy.
    • Monitor the DISA IASE web site for updates to STIGs and SRGs, and perform re-assessments of assets (SANS #5 Basic CIS Control).
    • Control changes in the environment. Implement the change and release management process as defined by the Configuration Control Board (CCB) and/or Configuration Management (CM) documents included in the accreditation package, and assess the security impact of proposed or actual changes to the information system and its environment of operation before they are released.
    • Continue to perform IAVM compliance assessments using ACAS and remediate findings (SANS #3 Basic CIS Control).
    • Evaluate Lifecycle Management (LCM) data such as lifecycle replacement dates, end of life, end of support dates for hardware and software used within the environment.
    • Review stale and expired accounts, audit privileged role assignments. Review rights and permissions associated with privileged roles (SANS #4 Basic CIS Control).
      • Warn users of stale accounts (preferably using automated method)
      • Delete expired accounts. Review group membership(s) prior to expiration to ensure there is at least one other user in each group; replace the removed user with another staff member.
      • Are privileged roles defined such as to implement least privilege?
      • Review training and certification requirements for privileged users.
      • Review compliance with training and certification requirements for privileged users.
    • Maintain, monitor, and analyze audit logs (SANS #6 Basic CIS Control).
    • Review and update policy documents (policies should be assigned a review and update interval at the time they are published). Maintain a body of evidence (BoE) for RMF packages in accordance with Data Item Description (DID) DI-MGMT-82001, "DoD Risk Management Framework (RMF) Package Deliverables."
    • Monitor the appropriate web sites and mailing lists for applicable EXORD, OPORD,  TASKORD, ALARACT.
    • Monitor PKI certificates for expiration and acquire and apply new certificates.
    • Perform annual testing as required by FISMA (security control review, security control testing, and contingency testing).
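The account-review and inventory bullets above can be turned into a repeatable check that runs against a directory export and an asset inventory report. The following is an added example written for this page (not code from the original page, from any DoD tool, or from a NIST publication); the account records, group memberships and host lists are constructed by hand to stand in for real exports, and the field names and the 35-day "stale" threshold are assumptions.

```python
"""Continuous-monitoring checks: stale/expired accounts, orphaned groups,
privileged-user certification status, and inventory drift against a baseline.

Added example; the input records are constructed by hand to stand in for
a directory export and an asset inventory report. Field names and the
35-day stale threshold are assumptions, not taken from any DoD document."""
from datetime import date

STALE_DAYS = 35  # assumption: days without a logon before an account is "stale"


def review_accounts(accounts, groups, today, stale_days=STALE_DAYS):
    """Classify accounts for the periodic access review.

    accounts: list of dicts with keys name, last_logon (date or None),
              expires (date or None), privileged (bool),
              cert_expires (date or None; baseline IA certification)
    groups:   dict mapping group name -> set of member account names
    Returns a dict with the lists an administrator acts on.
    """
    warn, delete, cert_lapsed = [], [], []
    for acct in accounts:
        if acct["expires"] is not None and acct["expires"] < today:
            delete.append(acct["name"])       # expired: remove after group check
            continue
        if acct["last_logon"] is None or (today - acct["last_logon"]).days > stale_days:
            warn.append(acct["name"])         # stale: warn the user (automate this)
        if acct["privileged"] and (acct["cert_expires"] is None or acct["cert_expires"] < today):
            cert_lapsed.append(acct["name"])  # privileged user out of compliance
    removed = set(delete)
    # Groups whose every member is about to be deleted need a replacement first.
    orphaned = sorted(g for g, members in groups.items() if members and members <= removed)
    return {
        "warn": warn,
        "delete": delete,
        "orphaned_groups": orphaned,
        "privileged_cert_lapsed": cert_lapsed,
    }


def inventory_drift(baseline, current):
    """Compare the approved hardware baseline with the latest inventory report.

    Anything present but not approved, or approved but missing, is a deviation
    to investigate through the change management process.
    """
    return {"unapproved": sorted(current - baseline), "missing": sorted(baseline - current)}


# Constructed sample data (not a real directory or inventory export).
TODAY = date(2018, 12, 12)
SAMPLE_ACCOUNTS = [
    {"name": "jdoe", "last_logon": date(2018, 12, 10), "expires": date(2019, 6, 30),
     "privileged": True, "cert_expires": date(2019, 3, 1)},
    {"name": "asmith", "last_logon": date(2018, 9, 1), "expires": date(2019, 6, 30),
     "privileged": False, "cert_expires": None},              # stale: 102 days
    {"name": "bjones", "last_logon": date(2018, 12, 1), "expires": date(2018, 11, 30),
     "privileged": True, "cert_expires": date(2018, 10, 1)},  # expired account
    {"name": "mlee", "last_logon": date(2018, 12, 11), "expires": None,
     "privileged": True, "cert_expires": date(2018, 11, 15)}, # cert lapsed
    {"name": "svc_backup", "last_logon": None, "expires": None,
     "privileged": False, "cert_expires": None},              # never logged on
]
SAMPLE_GROUPS = {
    "Domain Admins": {"jdoe", "bjones", "mlee"},
    "Backup Operators": {"bjones"},   # bjones is the sole member
}
BASELINE_HOSTS = {"WS-001", "WS-002", "SRV-DB01", "SRV-WEB01"}
CURRENT_HOSTS = {"WS-001", "WS-002", "SRV-DB01", "LAPTOP-7"}


if __name__ == "__main__":
    for key, names in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_GROUPS, TODAY).items():
        print(f"{key}: {names}")
    print("inventory drift:", inventory_drift(BASELINE_HOSTS, CURRENT_HOSTS))
```

Run as-is, the script flags asmith and svc_backup as stale, marks bjones for deletion, warns that Backup Operators would be left empty (so a replacement member must be added before bjones is removed), reports mlee as a privileged user whose certification has lapsed, and lists LAPTOP-7 as an unapproved host and SRV-WEB01 as missing from the inventory. In production the lists would be fed from the directory and the asset inventory tool rather than constructed inline.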
    Other considerations, for Army information systems (IS):
    • Per ARCYBER OPORD 2016-129, "Information Assurance Vulnerability Management (IAVM) Program Implementation," 17 June 2016, Alerts as well as Bulletins must be closed within 21 days. Previous guidance (ARCYBER OPORD 2015-363) allowed Bulletins to remain open up to 45 days.
    • Submit a POA&M for overdue IAVMs, including an Operational Impact Statement (OIS), which is routed through the ARCYBER Quarantine Review Board (QRB) (see ARCYBER OPORD 2016-086).
    • Critical and High IAVAs are not normally covered by a POA&M and must be mitigated or reported with an OIS through the AO to NETCOM.
    • Medium and Low IAVAs require an AO approved POA&M for up to 60 days beyond the original suspense date.

    NIST SP 800-171 and CMMC

    U.S. government contracts now include clauses that require contractors and subcontractors (at all tiers) to provide "adequate security" to safeguard certain types of government information that resides in or transits their internal systems, by including the following Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) clauses:

  • FAR clause 52.204-21 Basic Safeguarding of Covered Information Systems (June 2016). Requires compliance upon award with “basic safeguarding” of covered contractor information systems with  “federal contract information.” 
  • DFARS Subpart 204.73 Safeguarding Covered Defense Information and Cyber Incident Reporting (revised December 28, 2017)
  • DFARS Subpart 239.76 Cloud Computing.
  • DFARS clause 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls (October 2016). Requires that the Offeror represent that it will implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
  • DFARS clause 252.204-7009  Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information. 
  • DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting (October 2016). Requires contractors to provide "adequate security" for covered defense information (CDI) that is processed, stored, or transmitted on the contractor's internal information system or network. To provide adequate security, the contractor must, at a minimum, implement NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," as soon as practicable but no later than December 31, 2017. NIST SP 800-171 contains 110 security requirements drawn from 14 control families in NIST SP 800-53 (as of Revision 4, NIST SP 800-53 has 18 control families and an additional 8 if the Privacy Overlay is applied). To have implemented NIST SP 800-171 for purposes of this clause, companies must have performed a self-assessment of their covered systems, completed a System Security Plan (SSP) and, as applicable, a Plan of Action and Milestones (POA&M). Contractors must notify the DoD CIO within 30 days of contract award of any requirements not implemented at the time of award.
  • DFARS clause 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements (November 2020). Requires the offeror to have a current (not older than 3 years) NIST SP 800-171 DoD Assessment (Basic, Medium, or High) with the summary score posted in the Supplier Performance Risk System (SPRS).
  • DFARS clause 252.204-7020 NIST SP 800-171 DoD Assessment Requirements (November 2020). Requires the contractor to give the government access to conduct Medium or High assessments and to flow the assessment requirement down to subcontractors.
  • DFARS Clause 252.204-7021. Cybersecurity Maturity Model Certification Requirements (November 2020). Requires the contractor to have a current (not older than 3 years) CMMC certificate at the CMMC level required by the contract and maintain the CMMC certificate at the required level for the duration of the contract. The prime contractor must include this clause in subcontracts.

  • NIST published guidance in June 2018 for assessing the security requirements in NIST SP 800-171: see NIST SP 800-171A, "Assessing Security Requirements for Controlled Unclassified Information." Currently, compliance is achieved by the contractor (or a hired outside party) performing a self-assessment; the government does not currently have an assessment process in place to formally grant an authorization (e.g. an ATO) for contractor information systems. Per "Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting," September 21, 2017:
    "Third party assessments or certifications of compliance are not required, authorized, or recognized by DoD, nor will DoD certify that a contractor is compliant with the NIST SP 800-171 security requirements."
    In November 2018, DoD OSD published the following Memorandum:  Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The memorandum references the following two documents for reviewing and assessing contractor compliance with NIST SP 800-171:

    • DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented. According to the memorandum, this document will assist acquisition personnel in the following ways:
      • Enable the consistent review of System Security Plans and Plans of Action & Milestones
      • Address the impact of ‘not yet implemented’ security requirements
      • Provide clarification on implementing NIST SP 800-171 security requirements
    • Guidance for Assessing Compliance of and Enhancing Protections for a Contractor's Internal Unclassified Information System. The government can require additional cybersecurity requirements above and beyond NIST SP 800-171 by including a Statement of Work (SOW) referencing a DoD approved list of enhanced security requirements in Section C of a solicitation. Section L will require the contractor to describe their implementation of additional cybersecurity requirements which will be evaluated according to the criteria described in Section M. Delivery of the following documentation may be required per Section L with detail on how evaluation of compliance of NIST SP 800-171 will be conducted and requirements for an “Acceptable” (Go/No Go threshold) identified in Section M:
      • Contractor’s System Security Plan (or extracts thereof) and POA&M
      • Conduct on-site government assessment of each Offeror’s internal unclassified information system in accordance with Section M and NIST SP 800-171A
      • Identify known Tier 1 Level Suppliers and request the contractor's plan to: i) track flow down of covered defense information, and ii) assess DFARS Clause 252.204-7012 compliance of known Tier 1 Level Suppliers
      • Identify DoD controlled unclassified information requiring protection in accordance with DFARS Clause 252.204-7012 and NIST SP 800-171
    On January 21, 2019, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a memorandum, "Addressing Cybersecurity Oversight as Part of a Contractor's Purchasing System Review." It directs the Director, Defense Contract Management Agency (DCMA), to validate, for contracts for which DCMA provides contract administration and oversight, contractor compliance with the requirements of DFARS clause 252.204-7012. Specifically, DCMA will leverage its review of a contractor's purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration, in order to:
    • Review contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 level suppliers.
    • Review contractor procedures to assess compliance of their Tier 1 level suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.
    The NIST SP 800-171B, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations Enhanced Security Requirements for Critical Programs and High Value Assets," was released for public comment. Comments are due July 19, 2019.   

    NIST SP 800-171B is a draft document offering additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure.  When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)).  The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171.  The enhanced security requirements will only be applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

    NIST also posted a draft NIST SP 800-171 Revision 2.  This update provides minor editorial changes in Chapter One, Chapter Two, and the Glossary, Acronyms, and list of References.  There are no changes to the basic and derived security requirements.  The public comment period for this document is also June 19 to July 19, 2019.

    The draft documents are posted on DIBNet-U and also at: https://csrc.nist.gov/publications/detail/sp/800-171b/draft and https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/draft.
    Highlights:
      • Controls are selected from the Moderate baseline in NIST SP 800-53 to address Confidentiality (Integrity and Availability are omitted), drawing on 14 of the 18 NIST SP 800-53 control families: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Security Assessment and Authorization (CA), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Personnel Security (PS), Risk Assessment (RA), System and Communications Protection (SC), System and Information Integrity (SI). The Contingency Planning (CP), Planning (PL), System and Services Acquisition (SA), and Program Management (PM) control families and the Privacy Overlay are not included due to the tailoring criteria. Requirements are specified in NIST SP 800-171 Chapter 3; although the requirements are grouped by family as defined in NIST SP 800-53, the NIST SP 800-53 controls and control enhancements themselves are not used/do not apply. A mapping of the NIST SP 800-171 basic security requirements to the relevant NIST SP 800-53 security controls is provided in Appendix D for informational purposes only.
      • The security requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components
      • Incidents on contractor network(s) must be reported to the DoD within 72 hours.
      • What is the definition of an incident? An incident versus compromise/breach must be defined. Contractor should develop Incident Response Plan (IRP). IRP needs to define the format of the report being sent to DoD, recipient(s), delivery mechanism (e.g. upload to a web site, encrypted email). Is participation in the DoD Defense Industrial Base (DIB) Cybersecurity (CS) program required?
      • Appendix E provides the specific tailoring criteria for eliminating a requirement from the Moderate baseline. The requirements and controls are tailored to eliminate requirements, controls, or parts of controls that are:
        • uniquely federal (i.e., primarily the responsibility of the federal government);
        • not directly related to protecting the confidentiality of CUI;  or
        • expected to be routinely satisfied by nonfederal organizations without specification.
      • The Government can require delivery of the contractor's SSP (or extracts thereof).
      • Organizations that have implemented or plan to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity can find in Appendix D of this publication, a direct mapping of the Controlled Unclassified Information (CUI) security requirements to the security controls in NIST Special Publication 800-53 and ISO/IEC 27001. These controls are also mapped to the specific Categories and Subcategories associated with Cybersecurity Framework Core Functions: Identify, Protect, Detect, Respond, and Recover. 
        • Mapping NIST Special Publication 800-53 security controls to the Cybersecurity Framework: https://www.nist.gov/file/372651.
        • Mapping NIST Special Publication 800-171 requirements to the Cybersecurity Framework: https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final.
      • Compliance is assessed in accordance with NIST SP 800-171A. The assessment methods are to:
        • Examine policy documents, procedures, test results, and other relevant documents or records
        • Interview personnel with relevant responsibilities for implementing or testing the control
        • Test mechanisms and processes associated with the control.
      • Beginning in January 2020, DoD expects to start assessing contractor compliance using a 5-level Cybersecurity Maturity Model Certification (CMMC).
      Key Concerns:
      • Requires the contractor to identify Tier 1 Level suppliers
      • Requires the contractor to provide a plan to track the flow of CDI and assess the compliance of known Tier 1 Level suppliers
      • A standard for the data content and format to be used in NIST SP 800-171 System Security Plans (DI-MGMT-82247). Note that NIST SP 800-18, "Guide for Developing Security Plans for Federal Information Systems," February 2006, provides an SSP Template in Appendix A:  Sample Information System Security Plan Template.
      • Adding cybersecurity measures on top of those found in NIST SP 800-171
      • Creating an “Acceptable” (Go/No Go threshold) rating, which may require certain “must-have” NIST 800-171 requirements to be in place before an award can be made.
      • Incorporate 800-171 compliance as a technical evaluation factor, which often becomes part of the weighted score for contract awards
      • Conducting on-site assessments, using NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
      • Requiring a contractor to complete a new form titled: ‘Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information’
      • Requesting a contractor’s plan to track flow down of covered defense information
      • Requesting a contractor’s plan to assess the compliance of their own suppliers
      • Develop a Data Classification Guide to identify the CUI and any other information types requiring special handling and protection (e.g. NDA, TA, proposals, pricing data, company proprietary technical data, etc.). Supporting Data Handling Guidelines should state the data lifecycle (Create, Store, Use, Share, Archive, Destroy) and describe how CUI is handled and protected. These guidelines should be communicated to all users in the boundary as part of onboarding training and at least annually thereafter.
      • Identify where CDI is received, processed, stored, displayed, or transmitted. This includes servers, desktops, laptops, mobile devices, storage systems, networking equipment. Is it possible for the contractor to limit where CDI resides within their network? If so, then scope of application of security controls can be reduced, effectively reducing the time and effort required to achieve compliance.
      • Identify CDI data flows.
      • Implement data loss prevention (DLP) solution to control the flow of CDI.
      • Provide a mechanism (e.g. encryption) for secure storage and dissemination of CDI.
      • Implement multi-factor authentication (MFA).
      • Identify different account types:  user, privileged, system, and policies associated with creating, terminating, and authenticating them. 
      • Document authorized connections.
      • Document storage (digital and media) policies including locations, retention, and destruction.
      • Implement an endpoint management solution (e.g. require devices to be authorized for network connection, identify rogue devices, assess health of connected devices).
      • Implement an audit log collection and analysis solution.
      • Develop an Incident Response Plan (IRP) and address the DoD reporting requirement.
      Recommended/Required Documentation:
      Note that in cases where NIST SP 800-171A requires examination of policies and procedures, the recommended approach is to write a policy document for each control family and include as appendices the specific procedures required to implement the policy.
      • System Security Plan (SSP). NIST SP 800-171 Security Requirement 3.12.4 (System Security Plan) — Requires contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. See Data Item Description (DID) Contractor’s Systems Security Plan and Associated Plans of Action to Implement NIST SP 800-171 on a Contractor’s Internal Unclassified Information System, DI-MGMT-82247 contained in Tab 1 and 2 within GUIDANCE FOR ASSESSING COMPLIANCE OF AND ENHANCING PROTECTIONS FOR A CONTRACTOR’S INTERNAL UNCLASSIFIED INFORMATION SYSTEM. There is no prescribed format or specified level of detail for how that information is conveyed. There is no requirement for the government to approve the system security plan or any associated plans of action for the Contractor’s internal unclassified information system, but the government may request that the Contractor submit the system security plan (or extracts thereof), and any associated plans of action, such that the government may review the Contractor’s implementation of security requirements.
        • Network Topology Diagram
        • Data Flow Diagram
        • Accreditation Boundary Diagram
        • Description of the operational environment
        • Relationships with or connections to other systems
        • Hardware/software/firmware List
      • Plan of Action and Milestones (POA&M). NIST SP 800-171 Security Requirement 3.12.2 (Plans of Action) — Requires contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.
      • Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information. This document may be required as a Contract Data Requirement List (CDRL) in Section J of a contract solicitation or award. See How to Meet New DoD Requirements for Managing Suppliers’ NIST 800-171 Compliance for guidance on how to prepare this document. See Data Item Description (DID) Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information, DI-MGMT-XXXXX contained in Tab 3 and 4 within GUIDANCE FOR ASSESSING COMPLIANCE OF AND ENHANCING PROTECTIONS FOR A CONTRACTOR’S INTERNAL UNCLASSIFIED INFORMATION SYSTEM.
      • Document identifying DoD controlled unclassified information requiring protection in accordance with  DFARS Clause 252.204-7012 and NIST SP 800-171.
      • Access Control Policy. Required per the AC security control family. Describe how access to systems is limited to authorized users. Describe who has access to CDI and how that access is limited and controlled. Describe the roles used in the organization (e.g. user, admin, developer, guest), assignment of least privilege, separation of privileged accounts (e.g. .SA, .NA, .DBA, etc.), limitations on service accounts (e.g. no interactive login, logon restricted to specific systems), limitations on shared accounts, how accounts are requested and approved (e.g. form, training or certification requirements, briefing acknowledgement(s)), and other applicable account management procedures. Describe the use of warning banners, controlling remote access, account lockout threshold, session locks and timeouts, mobile device connection rules (including encrypting data at rest and in transit), removable storage media (e.g. external hard drives, flash drives) rules such as whitelisting, and public-facing web site policy (e.g. public affairs officer must approve content).
      • Security Awareness and Training Policy and Materials. Requires establishing training and/or certification requirements for IT and IA/cybersecurity staff (e.g. DoDD 8140/8570.01-M) and also providing awareness of the security risks associated with any user's activities. Identify company policies, standards, and procedures and provide training for awareness, understanding, and compliance. An Insider Threat Program as required by NISPOM may be usable. Required per the AT security control family.
      • Auditing and Accountability Policy. Establish policy for creation, protection, retention, and review of system logs. Describe the mechanism to collect and review logs. Require use of named accounts (e.g. no use of the built-in Administrator or root accounts other than for system setup). Eliminate or restrict use of shared accounts. Control service accounts (i.e. do not allow interactive login; restrict permissions and rights, including scope). Define the audit log retention policy and ensure it is supported by the backup implementation. Define log sources and delivery mechanism(s) (e.g. syslog, SNMP TRAP, Splunk Universal Forwarder). Define responsibility and frequency for reviewing logs. Define alerts (e.g. failed login, failed object access, account lockout, account expired, etc.). Define the authoritative clock source and synchronization method. Separate the Auditor function from the Administrator function. Required per the AU security control family.
      • Configuration Management Policy. Document network and services infrastructure (e.g. hardware/software/firmware list) and the change procedure. Establish and enforce security settings - DISA IASE STIGs and SRGs are one example that can be used but is not required; another option is the Center for Internet Security (CIS) Benchmarks. Changes to organizational systems must be tracked, reviewed, approved/disapproved, and logged. Provide a security impact analysis (see, for example, the FedRAMP template) for proposed changes. Disable or do not install unnecessary services, features, or applications. Restrict firewall rules to only the necessary inbound and outbound ports, protocols and services (PPS); review the risk associated with firewall exceptions against the DISA Category Assurance List (CAL). Maintain a whitelist and blacklist of approved and unapproved software. Required per the CM security control family.
      • Identity and Access Management (IdAM or IAM) Policy for identifying and authenticating the information system users and devices. Required per the IA security control family. Describe realms (e.g. private Active Directory, Azure Active Directory) and authentication/verification methods for accessing resources. Describe multifactor authentication (MFA) implementation(s). Describe policies for password complexity, length, re-use, and age. Describe procedures for establishing and terminating accounts. Describe method(s) to distribute initial user passwords.
      • Incident Response Plan (IRP). Required per the IR security control family. Describe preparation, detection, analysis, containment, recovery, and user response activities concerning incidents. Describe how anomalies are detected, how the severity of incidents is determined, and the threshold at which a compromise is declared and reported to the DoD Cyber Crime Center (DC3) within 72 hours. May require participation in the Defense Industrial Base (DIB) Cybersecurity Information Sharing Program (CIS). May require a Contingency Planning Policy although the NIST SP 800-53 CP family of controls is not included in the NIST SP 800-171 requirements. Define the period for testing the plan (no less than annually) and document test results.
      • Maintenance Policy and Procedures. Describes how periodic maintenance is performed, including application of updates and patches. Identify repositories for vendor updates and notifications (e.g. mailing lists). May include patch management plan. Describe method of sanitization of equipment sent off-site for repair. Inspect media (e.g. malware scan) before using in organizational systems. Describe escort procedures for personnel not authorized for access to facilities and systems. Describe corrective/repair maintenance, compliance maintenance, and preventive maintenance (e.g. checking storage utilization and provisioning additional storage and/or archiving files). Required per the MA security control family.
      • Media Protection Policy and Procedures. Describe protection, sanitization, and destruction of media containing CUI. Required per the MP security control family. Describes how media containing CUI (both digital and paper) should be marked and protected from unauthorized users and how media containing CUI should be handled for disposal (e.g. destruction) or release (sanitization) for reuse. Also needs to cover protection of CUI when stored in backups in storage locations. Describe the mechanism for inventorying CUI held by the organization (e.g. media custodian). Describe rules for transporting CUI outside of controlled areas and encryption when stored on removable storage media (e.g. BitLocker To Go, Encryption Wizard).
      • Personnel Security Policy. Required per the PS security control family. Describes how users should be screened prior to granting access to information systems containing CUI, and how systems should be protected during personnel changes such as terminations or transfers.
      • Physical and Environmental Protection Policy. Required per the PE security control family. Describes how physical access to data centers, information systems and storage systems containing CUI should be limited to authorized users. Require escorts, maintain audit logs of access, and control and manage access to physical devices.
      • Risk Assessment Policy. Required per the RA security control family. Describes operational risks associated with processing, storing, or transmitting CUI and how they should be periodically assessed (see NIST SP 800-30 for guidance). Scan for vulnerabilities using Security Content Automation Protocol (SCAP)-validated scanning tools (e.g. Nessus, SPAWAR SCAP Compliance Checker (SCC)) and remediate vulnerabilities.
      • Security Assessment and Authorization Policy and Security Planning Policy. Required per the CA security control family. Define the policy for assessing, monitoring, and correcting deficiencies and reducing or eliminating vulnerabilities in information systems. Describes how to assess the effectiveness of security controls on an on-going basis and how to address deficiencies to limit vulnerabilities. Describe how the System Security Plan (SSP) and Plan of Action and Milestones (POA&M) are maintained. This can mean periodically reviewing and updating the SSP and performing a self-assessment. May require a Continuous Monitoring Plan which defines the reports, dashboards, etc. that demonstrate ongoing compliance.
      • Systems and Communications Protection Policy. Required per the SC security control family. Define how to monitor, control, and protect data at the boundaries of the system, and employ architectural designs, software development techniques and system engineering principles that promote effective information security. Describes the use of secure design, development, and engineering principles to promote effective security within information systems. Also describes how to monitor, control, and protect information transmitted or received by organizational information systems. For example, using a guest network for wireless systems or a DMZ for Internet-accessible systems, implementing a default deny firewall rule, placing VoIP and VTC equipment in a separate VLAN from users/workstations and servers, and use of encryption for data at rest and in transit. May also require a Mobile Code Implementation Policy.
      • System and Information Integrity Policy. Required per the SI security control family. Describes process for identifying, reporting, and correcting information system flaws and vulnerabilities in a timely manner. Define and describe security architecture such as DMZ and other intranet zones which separate traffic, firewall rules, VPN rules (e.g. no split-tunneling). Describe protection mechanisms for remote activation of collaborative computing devices (e.g. cameras, microphones). Define mobile code policy and describe mechanism(s) to control and monitor it. This is more concerned with boundary defense and passive scanning than active vulnerability scanning. Identify sources of security alerts to be monitored (e.g. vendor sites, USCYBERCOM IAVM, US CERT, etc.). May also include Continuous Monitoring Strategy.
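      As an added example (not code from the original post), the alert definitions in the Auditing and Accountability Policy bullet above turned into detection logic run over a few constructed Windows Security events: failed-login bursts, account lockout, account expired, failed object access, interactive use of the built-in Administrator/root accounts, and interactive logon by a service account. The event IDs are the standard Windows values; the thresholds, the svc_ naming prefix, the .NA suffix and the sample events are assumptions.

```python
"""Audit-policy alert rules evaluated over forwarded Windows Security events.
Added example, not code from the original post: the thresholds, svc_ prefix
and sample events below are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EVT_LOGON_OK = 4624          # An account was successfully logged on
EVT_LOGON_FAIL = 4625        # An account failed to log on
EVT_OBJECT_ACCESS = 4663     # An attempt was made to access an object
EVT_LOCKOUT = 4740           # A user account was locked out
SUBSTATUS_ACCOUNT_EXPIRED = "0xC0000193"   # NTSTATUS in 4625 sub-status
INTERACTIVE_LOGON_TYPES = {2, 10, 11}      # console, RDP, cached console

# Assumed policy parameters: generic built-in accounts that named accounts
# must replace, the service-account naming prefix (no interactive logon),
# and the burst threshold behind the "failed login" alert.
POLICY = {
    "generic_accounts": {"administrator", "root"},
    "service_account_prefix": "svc_",
    "failed_logon_threshold": 5,
    "failed_logon_window": timedelta(minutes=10),
}


def ev(ts, event_id, account, host, **fields):
    """Build one flattened event record as a log forwarder might deliver it."""
    return {"ts": ts, "event_id": event_id, "account": account, "host": host, **fields}


# Constructed sample events (not real log data).
BAD_PASSWORD = "0xC000006A"
SAMPLE_EVENTS = [
    # five bad-password failures for jdoe inside ten minutes, then the lockout
    ev("2019-03-04T08:00:01", 4625, "jdoe", "FS01", logon_type=3, substatus=BAD_PASSWORD),
    ev("2019-03-04T08:00:09", 4625, "jdoe", "FS01", logon_type=3, substatus=BAD_PASSWORD),
    ev("2019-03-04T08:00:15", 4625, "jdoe", "FS01", logon_type=3, substatus=BAD_PASSWORD),
    ev("2019-03-04T08:00:22", 4625, "jdoe", "FS01", logon_type=3, substatus=BAD_PASSWORD),
    ev("2019-03-04T08:00:30", 4625, "jdoe", "FS01", logon_type=3, substatus=BAD_PASSWORD),
    ev("2019-03-04T08:00:31", 4740, "jdoe", "DC01"),
    # an expired contractor account trying the VPN
    ev("2019-03-04T08:05:00", 4625, "contractor7", "VPN01", logon_type=3,
       substatus=SUBSTATUS_ACCOUNT_EXPIRED),
    # built-in Administrator at the console violates the named-account rule
    ev("2019-03-04T08:10:00", 4624, "Administrator", "FS01", logon_type=2),
    # service account over RDP (type 10) is forbidden; as a service (type 5) is fine
    ev("2019-03-04T08:12:00", 4624, "svc_backup", "FS01", logon_type=10),
    ev("2019-03-04T08:12:30", 4624, "svc_backup", "FS01", logon_type=5),
    # a named admin account (.NA suffix) over RDP is allowed
    ev("2019-03-04T08:15:00", 4624, "jdoe.na", "FS01", logon_type=10),
    # denied access to a file in the CDI share
    ev("2019-03-04T08:20:00", 4663, "jdoe", "FS01", outcome="failure",
       object=r"\\FS01\CDI\proposal.docx"),
]


def evaluate(events, policy=POLICY):
    """Return (rule, account, detail) alerts for the events, oldest first."""
    alerts = []
    recent_failures = defaultdict(list)   # account -> failure times in window
    for e in sorted(events, key=lambda x: x["ts"]):
        acct, eid, host = e["account"], e["event_id"], e["host"]
        if eid == EVT_LOGON_FAIL:
            if e.get("substatus") == SUBSTATUS_ACCOUNT_EXPIRED:
                alerts.append(("account_expired", acct, host))
            now = datetime.fromisoformat(e["ts"])
            window = [t for t in recent_failures[acct]
                      if now - t <= policy["failed_logon_window"]] + [now]
            recent_failures[acct] = window
            # fire once, on the failure that reaches the threshold
            if len(window) == policy["failed_logon_threshold"]:
                alerts.append(("failed_logon_burst", acct,
                               f"{len(window)} failures on {host}"))
        elif eid == EVT_LOCKOUT:
            alerts.append(("account_lockout", acct, host))
        elif eid == EVT_LOGON_OK and e.get("logon_type") in INTERACTIVE_LOGON_TYPES:
            if acct.lower() in policy["generic_accounts"]:
                alerts.append(("generic_account_interactive", acct, host))
            elif acct.lower().startswith(policy["service_account_prefix"]):
                alerts.append(("service_account_interactive", acct, host))
        elif eid == EVT_OBJECT_ACCESS and e.get("outcome") == "failure":
            alerts.append(("failed_object_access", acct, e.get("object", "")))
    return alerts


def summarize(alerts):
    """Alert counts per rule: the starting point for the periodic log review."""
    return dict(Counter(rule for rule, _, _ in alerts))


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for rule, account, detail in found:
        print(f"{rule:<28} {account:<14} {detail}")
    print(summarize(found))
```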
      Tools and Templates
      • Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) Cybersecurity Evaluation Toolset (CSET). The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS National Cyber Security Division (NCSD) by cybersecurity experts and with assistance from the National Institute of Standards and Technology. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. CSET may be useful in developing and maintaining an SSP, similar to what eMASS and Xacta do for DoD and Intelligence Community (IC) entities. The tool provides a template for NIST SP 800-171.
      • Defense Industrial Base Cybersecurity (DIB CS) Program. Membership provides access to tools, tips, and reports delivered via encrypted email as well as a collaboration portal. A medium-assurance hardware token (e.g. CAC, ECA) is required.
      • Procurement Technical Assistance Program (PTAP). The DoD is leveraging the PTAP to provide information addressing implementation of DFARS Clause 252.204-7012. Administered by the Defense Logistics Agency, the PTAP provides matching funds through cooperative agreements with state and local governments and non-profit organizations for the establishment of Procurement Technical Assistance Centers (PTACs). These centers, many of which are affiliated with Small Business Development Centers and other small business programs, form a nationwide network of  counselors who are experienced in government contracting. The Department has provided the PTACs with information for small businesses who seek their assistance on the implementation of its cybersecurity regulations.
      • Thycotic Customizable Cyber Security Incident Response Plan Template
      • Thycotic Privileged Account Discovery Tool for Windows
      • NIST Manufacturing Extension Partnership (MEP). MEP is a nationwide system with centers located in every state. MEP centers are non-profit organizations that partner with the Federal government to offer products and services that meet the specific needs of their local manufacturers.
      • DoD Procurement Toolbox. DoD posts all related regulations, policy, frequently asked questions (FAQ), and resources addressing DFARS Subpart 204.73 and PGI Subpart 204.73 and DFARS Subpart 239.76 and PGI Subpart 239.76 under the Cybersecurity tab.
      • CUI Registry. The CUI Registry is the online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. Among other information, the CUI Registry identifies approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, and sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information. 
      • I-Assure RMF Templates. The plan and policy templates are developed for NIST SP 800-53 but can be applied towards NIST SP 800-171 requirements.
      • NIST SP 800-53 Rev 4: number of controls and enhancements per Low, Moderate, and High baselines
      Outside Services to Assist with Compliance:
      What We Expect from External Auditors:
      Focus on the following major security program components:
      • Multifactor authentication (MFA)
      • Strong password policies
      • Identifying and mitigating vulnerabilities
      • Documenting and tracking cybersecurity incidents
      Risks of Non-Compliance:
      • Termination. Failure to provide an SSP and POA&M.
      • DCMA Audit.
      • False Claims Act violation. If your SSP or POA&M is not accurate and thus misrepresents your cybersecurity status, the DoD may take action based on fraud.
      To-Do!
      • Update this blog entry based on information gathered at DoDIIS Worldwide August 18 - 21, 2019. 
      • Create MS Project schedule to plan PSI's path towards compliance and achieving level 3 or better CMMC certification.
      "Adequate security" means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
      "Controlled Technical Information" means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions. 
      "Covered contractor information system" means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information. 
      "Covered defense information (CDI)" means unclassified controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is

      • (1)  Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract;
      • (2)  Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
      • DFARS clause 252.204-7012 defines CDI to include four different categories: (1) controlled technical information (CTI) (e.g. military technical specifications), (2) operations security, (3) export controlled information, and (4) any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (a 'catch all' for privacy or proprietary business information). CDI may either be provided to the contractor by or on behalf of DoD in connection with the performance of the contract or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
      "Information system" means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. 
      "Media" means physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system. 
      "Rapidly report" means within 72 hours of discovery of any cyber incident. 
      "Technical information" means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data-Non Commercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
      Other definitions:
      Federal Information System. NIST SP 800-171 Rev 1 defines a federal information system as a system that is used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. A system that does not meet such criteria is a nonfederal system.
      Controlled Unclassified Information (CUI). Title 32 - National Defense, Volume 6, Chapter XX - Information Security Oversight Office, National Archives and Records Administration, Part 2002 - CONTROLLED UNCLASSIFIED INFORMATION (CUI), Subpart 2002.4 defines CUI as: (h) Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI. Established by Executive Order 13556, November 4, 2010, CUI is unclassified information that the U.S. government has deemed necessary to safeguard, since it directly impacts the government's ability to carry out its designated missions and business operations. CUI is sensitive information that often impacts privacy and safety, contains proprietary business interests (e.g. contracts, reports, etc.), or is critical to law enforcement investigations.
Executive Order 13556, "Controlled Unclassified Information," November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA is issuing a final federal regulation in 2016 to establish the required controls and markings for CUI government-wide. This federal regulation, once enacted, will bind agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program. Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or governmentwide policy may be designated as CUI. Per NIST SP 800-171, Controlled Unclassified Information is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, "Classified National Security Information," December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

      Further Reading:

      • https://www.cybersaint.io/the-definitive-guide-to-dfars-compliance-and-nist-sp-800-171
      • https://www.lockheedmartin.com/en-us/suppliers/cybersecurity.html

      References:

      Tuesday, December 11, 2018

      Choosing a Password Policy

      Old rules which required complex and frequent changing of passwords are being discarded in favor of never-expiring, long passphrases and/or multi-factor authentication (MFA).

      References: