For vendors, DoD’s CUI requirements more than an exercise

As of Dec. 31, defense contractors that maintain controlled unclassified information (CUI) must meet Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity standards or risk losing their contracts. To comply with the new cybersecurity standards, contractors and suppliers had to meet key requirements, most notably implementing controls from the National Institute of Standards and Technology.

Bill Brennan, senior director of cyber business enablement at Leidos

For leading large government contractors, such as Leidos, DFARS compliance teams were created. Implementation required changes to policies, procedures, services and, in some cases, IT and security infrastructures. Some compliance involved updating documentation while others required new cyber defense tools.

The level of effort to become DFARS compliant depended on each organization’s initial state. Some organizations manage their information systems centrally with a shared services model, while others give individual divisions and operating units autonomous computing environments. Organizations with central management completed the projects as one large enterprise, while organization who delegate IT management had to make each system compliant, potentially duplicating efforts.

While compliance with the new standards were compulsory for contractors the verification of conformity and penalty for non-compliance is a bit murkier. Adding to the complexity of verified compliance is the fact that each business is different in their IT structure, in how the controls were implemented and how compliance is self-assessed. This consistent inconsistency makes that task that much harder to judge.

Scott Schlimmer, co-founder of Cybersaint Security

Many large contractors benefited from experience implementing “moderate” security controls for federal information systems. Security teams used prior standards to derive many of the new standards to the nonfederal organizations. Additionally, NIST provided a mapping document that outlined intersections with their relatively new Cyber Security Framework.

For Leidos, the experience was fascinating. While undertaking the efforts to demonstrate NIST compliance, Leidos also had to manage the merger of two independent companies to create the largest U.S. federal IT contractor. This meant the legacy systems of both companies were combined into a new target architecture. Changes to policy, procedures and infrastructure were also undertaken. The process involved a dedicated team of experts and project managers overseeing a portfolio of projects undertaken to achieve Leidos’s full compliance. While the effort was non-trivial, the results have enhanced Leidos’s security and improved its overall defensive posture.

Small contractors make do with limited resources

Small and mid-sized contractors found the task more daunting. Many had teams of 1 or 2 security or IT officers working on DFARS compliance in addition to their other daily tasks, while some didn’t have anyone to dedicate to the task. At these companies, the CEO or a similar non-technical person was responsible for implementing the requirements.

With a flurry of new DFARS interest in their cybersecurity platform in late December 2017, the Cybersaint team saw firsthand that many small defense contractors were late to address new requirements. Smaller security teams and limited budgets made the requirements difficult and costly to implement. Cybersaint’s larger defense contractor customers planned more in advance.

Advertisement
At one end of the spectrum, companies who realized that not complying could threaten their DoD revenues dove in and implemented the requirements.

“The biggest benefit is that we can demonstrate compliance to our customers and know with confidence that our business is good to go,” said Larry Muzerall, head of operations management at Novotech Inc.

Now that Novotech can easily demonstrate compliance, they have cut their risk of losing business from DoD or their primes. They also reduced their legal liability and might receive a boost when bidding for contracts against similar companies that lack the cyber controls.

Similar to the large defense contractors, the effort to become compliant is significant, but we have seen that companies after implementation have much stronger cyber resiliency. Smaller contractors appear to gain even more benefit than larger contractors because many of them had fewer security controls in place to begin with.

At the other end of the spectrum, however, a prospective CyberSaint client located in Florida stated that his company was considering not implementing any of the DFARS cybersecurity requirements and is content to just “see what happens.”

A murky 2018 awaits

The Florida company’s decision raises the question, what will happen? What should we expect in 2018, now that the deadline has passed?

In short, it’s unclear.

There has been little clarification from the Defense Contract Management Agency, who did not respond to email requests for comment. This leaves a range of possibilities for noncompliant companies, from lenience, to fines, to loss of defense contract revenues. Cybersecurity practitioners at small defense contractors are navigating murky waters.

Noncompliance will continually be an important issue. Large contractors must confirm compliance to submit DoD-compliant bids. For subcontractors processing controlled unclassified information on their own systems, this requirement will flow down to them, too. As smaller companies work through their sometimes slower processes to certify compliance, program delivery models may need to change during the certification process. This could include risk mitigation such as subcontractors having to do their program work within the prime’s IT environment.

For the Florida company, if asked to certify compliance they will be left with few options. They can confirm non-compliance and ask to use someone else’s complaint systems, which makes them at best a nuisance and at worst an unattractive partner. If they certify they are compliant but cannot prove it, they risk penalties including False Claims Act violations. This set of unattractive alternatives makes going through the compliance process more attractive.

The Florida company could also be dropped by the prime contractors, says Lori Crooks, a cyber audits and compliance consultant. Large contractors will need to enforce the cybersecurity requirements on their subcontractors and suppliers, she said.

“So far, it’s been the primes enforcing the DFARS requirements on their subcontractors,” Crooks said. “If a subcontractor is non-compliant, then that subcontractor can lose their contract with their prime.”

For 2018, she added, “I foresee more primes checking in on their subcontractors to enforce compliance. Expect many spot checks, on-site visits, and phone calls.”

Crooks is already seeing signs of her prediction coming true.

“One of my clients had continual meetings with Lockheed, Boeing and Raytheon to ensure that we were implementing the DFARS cybersecurity requirements correctly,” she said.

Still, it is unclear precisely what will happen. Defense contractors, subcontractors and suppliers are eager to hear from DoD on what to expect in 2018 to continue doing defense-related business. Since compliance is not a competitive advantage for any one organization, organizations with novel implementation of the controls should share their ideas across the community for everyone’s benefit.

Scott Schlimmer is an independent consultant and co-founder of Cybersaint Security and Bill Brennan is a senior director for cyber business enablement at Leidos.