To better protect controlled unclassified information (CUI) that flows throughout its supply chains, the Department of Defense (DoD) instituted Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. 7012 requires DoD contractors to provide adequate security to safeguard CUI, in part by implementing the 110 security controls identified in Special Publication (SP) 800-171 developed by the National Institute of Standards and Technology (NIST). 7012 also makes prime contractors responsible for flowing the NIST 800-171 implementation requirement down to all of their subcontractors and suppliers with access to CUI – at all levels of their supply chains – and for monitoring their compliance.
The method prescribed for primes to monitor their subcontractors’ and suppliers’ compliance is self-attestation – asking each company to self-assess and self-report its state of compliance with respect to SP 800-171’s 110 security controls. Each company is responsible for having a System Security Plan (SSP) and a Plan of Actions & Milestones (POA&M) that describes how and when non-compliant items will be corrected. The DoD amended the DFARS with these changes in 2016 and gave contractors until December 31, 2017 to fully implement NIST SP 800-171.
This summer, the DoD assessed 10 contractors with DoD contracts worth at least $1 million to evaluate the security controls they had implemented to protect DoD CUI. The audits found that security controls for networks and systems containing CUI were not consistently implemented. The most common security shortcomings were:
- Weak passwords;
- Lack of multifactor authentication;
- Failure to mitigate vulnerabilities identified on networks and systems; and
- Placement of CUI on unprotected removable media.
One would expect all 10 of these companies to have passed an audit. Nine of them failed, however, and each was found deficient in as many as 8 of the 10 basic security controls. If large DoD contractors, all presumably having dedicated security and IT resources, fared so poorly with respect to basic security hygiene, how will smaller companies with fewer resources fare when evaluated against controls that require implementing and managing advanced security technology?
These alarming results are likely attributable to factors such as:
- Contractors failing to fully implement their SSP or execute their POA&M;
- Inconsistent performance of self-assessments;
- Insufficient understanding of individual controls by the assessor, the implementer, or both; and/or
- Changes to cyber maturity or cyber posture over time. Self-attestation cannot be a one-time event. Regular assessment and security monitoring are imperative.
Regardless of the “why,” the conclusions are clear:
- Despite best intentions, companies are more likely to overrate than underrate their performance against the NIST SP 800-171 security controls when they self-assess and attest to the results.
- SP 800-171 is necessary, but not sufficient. Continuous processes must augment the practices reflected in the controls.
- External audits of processes and practices produce more thorough, consistent, and accurate results, which in turn drive stronger security and improved safeguarding of CUI throughout the DoD contractor supply chain.
The forthcoming Cybersecurity Maturity Model Certification (CMMC) initiative accounts for each of these conclusions. Our next blog post will provide an overview of CMMC and how it addresses the shortcomings of the current version of DFARS clause 252.204-7012 (Hint: self-attestation is out, external certification is in!).