(This post is a pre-publication draft of chapter two of a handbook Terry Lehman and I will publish on complying with DFARS Interim rule 252.204-7019, 7020 and 7021 while also preparing for a CMMC future. We welcome feedback and corrections.)
Billions of bytes swiped at a time, fights with adversaries, and attacks allowed through broken systems. Alliteration aside, the state of our cybersecurity posture remains as weak as that lede. In fact, on June 22, 200 Mark Bradley, the Director of the National Archives Information Security Oversight Office, wrote to the President of the United States and noted:
Our Government’s ability to protect and share Classified National Security Information and Controlled Unclassified Information (CUI) continues to present serious challenges to our national security.
Our efforts to protect critical information as it traveled through the DIB supply chain relied on “antiquated information security management practices,” and relying on self-reports of meeting NIST 800-171 failed.
The immediate adoption of the DFARS interim rules seeks to mitigate the risks Director Bradley highlighted in his report.
The federal government has two options when rulemaking: a publicly reviewed rule, which takes longer to go into effect, or an interim rule, which goes into effect once the public comment period is over. The stakeholders involved in protecting our country from cyber attacks felt the protection of CUI was a matter of immediate national security. In fact, the DFARS Interim rule specifically applies to contractors who inherit or create CUI and not to those who only handle FCI.
Protecting Information: FCI and CUI
As cyber attacks have increased, the United States Government has consistently stressed the need to protect two kinds of information: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The DFARS Interim rule only applies to companies who currently inherit CUI, meaning they receive it, or create CUI. Therefore federal contractors will find it essential to understand the difference between FCI and CUI.
Federal Contract Information
The FAR defines what it takes to get in business with the Executive Branch. The FAR, and its cousin DFARS (the Defense supplemental) get broken down into parts and labeled by a series of numbers. Federal Contract Information for example is defined in FAR 52.204-21.
The Government defines federal contract information (FCI) as any information included in a contract not meant for public release. The expectations for FCI safeguards get described in “FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems.”
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
This clause is often referred to in shorthand as FAR 21. The DFARS interim rules do not apply to DIB supply chain companies that only handle FCI. Yet a culture of good cyber hygiene begins with the basic safeguards required of any company handling FCI:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
These five basic safeguards map to the NIST SP 800-171 methodology, as do all fifteen of the CFR safeguarding requirements:
(add table of 15 cfr with corresponding NIST SP 800-171 Number)
Identifying FCI is straightforward. First, it is not intended for public release. Second, FCI is generated by or for the government. So you can assume that if an artifact is not marked “intended for public release” it is FCI.
What about your intellectual property? A great new piece of software that will save the government billions when you sell it for millions? Don’t worry. It is not FCI if it was not generated as part of a contract. That doesn’t mean you are free of legal obligations; some good ideas may have export control restrictions.
So what is the difference between FCI and Controlled Unclassified Information (CUI)? Basically, FCI is information that is not shared with the public, while CUI must be legally safeguarded and is governed by other federal rules and regulations.
Controlled Unclassified Information
After continuous attacks on the DIB global supply chain, the President of the United States created Controlled Unclassified Information through Executive Order 13556. The goal of the order, like many intelligence efforts after 9/11, was to standardize and streamline the labeling and protecting of CUI across 100 different federal agencies and over 300,000 DIB organizations.
Prior to the creation of CUI, “inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing.”
The executive order defines CUI as “information the government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
In the definition we can see some clear differences from FCI. While all CUI is technically FCI, CUI is a particular subset of data that must be (A) safeguarded and (B) include information the government creates or possesses. FCI refers to information given out by the government, while CUI often refers to information within the government and authorized members of the DIB supply chain that requires additional protections based on current regulations.
The executive order established the Information Security Oversight Office of the National Archives and Records Administration to create and maintain a CUI registry. If an artifact falls into one of the buckets of CUI identified in the registry then it is CUI.
As a contractor you have five responsibilities in protecting CUI based on DoD Instruction 5200.48 Controlled Unclassified Information:
- Whenever DoD provides information to contractors, it must identify whether any of the information is CUI via the contracting vehicle, in whole or part, and mark such documents, material, or media in accordance with this issuance.
- Whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities, protective measures and dissemination controls, including those directed by relevant law, regulation, or government-wide policy, will be articulated in the contract, grant, or other legal agreement, as appropriate.
- DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information. DoD contracts shall require contractors to report the potential classification of aggregated or compiled CUI to a DoD representative.
- DoD personnel and contractors, pursuant to mandatory DoD contract provisions, will submit unclassified DoD information for review and approval for release in accordance with the standard DoD Component processes and DoDI 5230.09.
- All CUI records must follow the approved mandatory disposition authorities whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities in accordance with Section 1220-1236 of Title 36, CFR, Section 3301a of Title 44, U.S.C., and this issuance.
As you complete a DFARS Interim rule self-assessment you can think about CUI as any data that some law, regulation, or policy says you must protect. So tax information? Yep, there are rules. It is CUI. Plans you received to develop a part for an engine? Once again rules exist, so it’s CUI.
This has led the CUI registry published by NARA to have 24 categories and 83 subcategories. The registry is also a living document, and agencies or contractors can use a provisional label if they feel a new subcategory or category is needed. These labels can then be further broken down into CUI Basic and CUI Specified.
According to the CUI Marking Guide version 1.1:
CUI Basic is, as the name implies, the standard “flavor” of CUI. All of the rules of CUI apply to CUI Basic Categories and Subcategories, making the handling and marking of CUI Basic the simplest.
CUI Specified is not a higher level; it is just different. Remember our first rule: CUI is any information covered by laws, regulations and policies. Some of these laws, such as export control laws, apply to CUI in the Defense Industrial Base.
According to the CUI Marking Guide version 1.1: “CUI Specified is different, since the requirements for how users must treat each type of information vary with each Category or Subcategory. This is because some Authorities have VERY specific requirements for how to handle the type of information they pertain to – requirements that simply would not make sense for the rest of CUI.”
How do you know if you have CUI Specified? If the contracting agency, law or regulation that governs your project has a place in the CUI Registry as a specified authority you hold CUI specified.
We have included a revised version of the CUI marking guide in the appendix of this book.
Controlled Technical Information
The DoD also treats Controlled Technical Information (CTI), a special type of CUI, as mission critical when it comes to protecting against cybersecurity threats. The DoD defines Controlled Technical Information as:
Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure or dissemination
The presence of CTI may require CMMC maturation levels above three and additional protections.
Do I need to protect CUI?
Of course, silly. Protecting CUI is the entire goal of the CMMC efforts. Unprotected CUI costs billions if not trillions a year. Stolen CUI may even put our soldiers into the crosshairs of our enemy. The efforts to protect controlled unclassified information led to the DoD launching DFARS 252.204-7012, which required contractors to apply the NIST 800-171 standards.
When overwhelming evidence showed the self-reporting mechanisms, including SSPs and the PO&AM, did not get the job done, the DoD created the Cybersecurity Maturity Model Certification and will now require third party assessors.
CMMC does not fully kick off until 2025. This doesn’t mean DIB contractors can rest easy. The DoD updated DFARS with three new clauses alongside DFARS 252.204-7012: 252.204-7019, 7020, and 7021.
These rule changes will have an immediate effect on the DIB, and if companies do not want to lose contracts or have the Department of Justice haul them in front of a judge under the False Claims Act they need to get ready.
Department of Defense. (2020) DOD INSTRUCTION 5200.48 CONTROLLED UNCLASSIFIED INFORMATION (CUI). Retrieved October 19, 2020.
Devin Casey. (2020) FCI and CUI, what is the difference? – CUI Program Blog. Retrieved October 19, 2020, from isoo.blogs.archives.gov/2020/06/1…
NARA. (2016) Marking Controlled Unclassified Information - CUI Handbook. V1-1-20190524. Washington, D.C.
This is an example page from the Workbook Terry Lehman and I are working on a handbook for the DFARS Interim rules.
Like always this work has a Creative Commons BY-SA license. Feel free to use it in any way as long as you share the love.
In many ways good cyber hygiene begins and ends with Access Control. A company must create a culture of cybersecurity and continuous improvement, and this begins by developing the practices and processes to limit and protect FCI and CUI. According to the CMMC, Access Control activities:
ensure that access granted to organizational systems and information is commensurate with defined access requirements. Access requirements are developed based on the organization’s needs balanced with the security requirements needed to protect the organization’s assets.
Overall, focusing on access control provides the greatest return on investment for organizations looking to harden cybersecurity. Thus the Department of Defense (DOD) requires Observable Evidence (OE) of Access Control policies for companies who interact with Federal Contract Information.
Therefore the rules of the road get defined by “Basic Safeguarding of Contractor Information Systems” (48 CFR 52.204-21, often referred to as simply “21”). If a company has access to either inherited or created CUI, Access Control is not enough, but it is essential to all cybersecurity efforts.
The DFARS Interim assessment guide includes 22 controls pulled from 48 CFR 52.204-21 and NIST 800-171 for Access Control.
Connection to the CMMC
Access control practices get introduced in Maturation Level 1 and build up four capabilities as processes get institutionalized:
- Establish system access requirement
- Control internal system access
- Control remote system access
- Limit data access to authorized users and processes
3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
This control, like all the fundamental requirements in the NIST SP 800-171 ‘Basic Security Requirements’, is so critical to cybersecurity that, if it is not met, you must subtract five points from the maximum score of 110. Basically, if a company does not limit access to secure systems and data, almost all other cybersecurity controls get rendered moot.
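To make the scoring concrete, here is an added example (not from the handbook or the DoD assessment methodology) that starts from the 110-point maximum, subtracts the weight of each requirement that is not met, and lists what is left over for the PO&AM. Only the five points for 3.1.1 come from the text; the other weights, the partial-credit rule and the requirement ids are assumptions for illustration.

```python
MAX_SCORE = 110

# Points deducted when a requirement is not implemented. The 5 points for
# 3.1.1 come from the text; every other weight here is assumed for illustration.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users, processes, devices
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
}

# Assumed: a few requirements may be scored as partially implemented for a
# smaller deduction (e.g. MFA in place only for privileged and remote access).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUS = {"implemented", "partial", "not_implemented"}


def deduction(req_id: str, status: str) -> int:
    """Points lost for one requirement given its self-assessed status."""
    if req_id not in WEIGHTS:
        raise ValueError(f"unknown requirement id: {req_id}")
    if status not in VALID_STATUS:
        raise ValueError(f"bad status {status!r} for {req_id}")
    if status == "implemented":
        return 0
    if status == "partial":
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id} cannot be scored as partial")
        return PARTIAL_CREDIT[req_id]
    return WEIGHTS[req_id]


def assess(statuses: dict[str, str]) -> tuple[int, list[str]]:
    """Return (score, poam): the score out of 110 and one PO&AM line per
    requirement that still needs remediation. Every known requirement must
    have a recorded status, so nothing is silently treated as implemented."""
    missing = sorted(set(WEIGHTS) - set(statuses))
    if missing:
        raise ValueError(f"no status recorded for: {missing}")
    total_deduction = 0
    poam = []
    for req_id in WEIGHTS:
        lost = deduction(req_id, statuses[req_id])
        total_deduction += lost
        if lost:
            poam.append(f"{req_id} ({statuses[req_id]}, -{lost})")
    return MAX_SCORE - total_deduction, poam


if __name__ == "__main__":
    # Constructed sample: everything in place except 3.1.1, with MFA partial.
    sample = {rid: "implemented" for rid in WEIGHTS}
    sample["3.1.1"] = "not_implemented"
    sample["3.5.3"] = "partial"
    print(assess(sample))  # (102, ['3.1.1 (not_implemented, -5)', '3.5.3 (partial, -3)'])
```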
Connection to the CMMC
NIST 800-171 AC 3.1.1 gets reflected in the CMMC as maturation level one practice AC.1.001 and builds to the capability of establishing system access requirements.
NIST 800-171 AC 3.1.1 is also the first of the 15 CFR safeguarding requirements. Access control should lead to a culture where users and employees get access only to the information systems they need to complete their job.
Goals of Self-Assessment
As you complete your DFARS Interim rule self-assessment you want to ensure you determine how you identify users. You also need to note how you determine what processes are being run by users. Your security plan needs to detail how access by devices and users is limited to only those with authorization.
Where to Look
☑ Access Control Policy
☑ Account Management Procedures
☑ System Security Plan
☑ System Monitoring Records
Your Observable Evidence
Who to Talk To
☑ Personnel with account management responsibilities
☑ System administrators
☑ Network Administrators
☑ Personnel with security responsibilities
Your Observable Evidence
What to Test
☑ Account management mechanisms
☑ System account managing processes
Your Observable Evidence
DFARS NIST 800-171 Score _______
Information, if needed, for the PO&AM
This post is co-written by Terry Lehman
Nation Under Attack
As American combat pilots scream across the sky flying an F-35, the finest fighter jet in the world, they may have to engage a Chinese cousin, the J-20. The NSA reported sophisticated cyber security attacks allowed the adversaries in China to steal critical information bit by bit.
The F-35 plans did not fall into Chinese hands by hacking a single computer or company. No, instead thousands of cyber attacks were launched against the networks of small government contractors who moved plans and files, such as key radar information, back and forth between emails and servers.
A lot of data. Government estimates, based on the plea deal of a convicted Chinese spy, suggest that since 2008 China has stolen terabytes of data and schematics from the F-35 and F-22 stealth fighter jet programs.
Chinese cyber criminals, working for the Chinese army, raided the computer systems of Boeing and many subcontractors to steal key national intelligence one bit of data at a time. Adversaries then reassembled information from many sources. These efforts did not stop with the F-35. In fact, according to the Government Accountability Office:
“The Department of Defense (DOD) faces tens of millions of attempted malicious cyber intrusions per year as adversaries seek to take advantage of the department’s reliance upon computer networks.”
Defense Industrial Base
Our soldiers do not stand on the front line of cybercrime. More often the target for these attacks is the 300,000 contractors who make up the Defense Industrial Base (DIB). According to the Cybersecurity & Infrastructure Security Agency, the DIB is the “industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.”
Basically if more companies in the DIB took steps to protect data, even just adding two factor or multi factor authentication many of the F-35 secrets would not have reached Chinese adversaries.
Dangers of Cyber Crime
According to the Federal Bureau of Investigation, cyber crime involves cyber activity that threatens and compromises U.S. networks, steals financial and intellectual property, and puts critical infrastructure at risk. These attacks put every sector of the economy under threat.
In fact according to the 2016 Global State of Information Security Survey cyber crime has increased 38% since 2014. The impacts of these attacks strain our economy. Victims of successful attacks have reported downtime (46%), loss of revenue (28%), reputational damage (26%), and loss of customers (22%). The threat of cyber crime costs private companies $400 billion every year and Juniper Research estimates this cost reached two trillion dollars last year.
The attacks on the defense industrial base have escalated to the point of daily warfare fought on network systems across the globe. According to Ellen Lord, the undersecretary of defense for acquisition and sustainment, “It’s no secret that the U.S. is at cyber war every day.”
The Honorable Ellen Lord continued, “Cybersecurity risks threaten the industrial base, national security, as well as partners and allies.” The Department of Defense estimated stolen data cost the DIB over 700 billion dollars in 2015, and the Government Accountability Office reported that “DoD faces tens of millions of attempted malicious cyber intrusions per year as adversaries seek to take advantage of the department’s reliance upon computer networks.”
A private and public partnership must harden the networks across the DIB to ensure adversaries do not weaken our nation through cyber warfare. FBI Director Christopher Wray, in Senate testimony, noted “An important part of fighting back against our foreign adversaries in the cyber realm is offense as well as defense.”
In recognition that prior efforts to protect the DIB from cyberwarfare have failed, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) has developed the Cybersecurity Maturity Model Certification (CMMC) framework. This new effort represents the largest cybersecurity public/private partnership in US history. Development of the CMMC involved DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDCs), and the DIB sector.
What is CMMC?
In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self reporting of cyber hygiene that used to govern the DIB. The CMMC puts an end to self-assessment and requires a third party assessor to verify the cybersecurity maturation level.
All DoD contractors must comply with the Federal Acquisition Regulation (FAR) and the Defense Acquisition Regulation Supplemental (DFARS). These regulations require companies to meet specific security standards from the National Institute of Standards and Technology. If a company connects to the Government network it must meet the NIST 800-53 standards. Companies not connected to a Government network were required to self-certify that they met the 110 controls, actions to increase cyber hygiene as laid out in NIST 800-171.
The CMMC builds off of NIST 800-171 but also includes controls from other cybersecurity frameworks. Where CMMC differs is in both the maturation model and the role of third party assessors. The CMMC defines 17 domains of cyber hygiene that are comprised of 43 capabilities. These capabilities get institutionalized through 171 practices across five levels of maturation.
The Office of the Under Secretary of Defense for Acquisition and Sustainment defines maturation as, “set of characteristics, attributes, indicators, or patterns that represent capability and progression in a particular discipline.” The CMMC contains five levels of maturation.
Maturity level, processes, and practices:
- Level 1: Performed; Basic Cyber Hygiene
- Level 2: Documented; Intermediate Cyber Hygiene
- Level 3: Managed; Good Cyber Hygiene
- Level 4: Reviewed; Proactive
- Level 5: Optimizing; Advanced/Progressive
Third party assessors, who must complete coursework and obtain a certification will then measure what maturity level a contractor has met. An organization must demonstrate the institutionalization of the process and the utilization of the practices. Furthermore the maturation model is cumulative, meaning a contractor must demonstrate they have met the practices and processes of lower levels as well.
Development of the Cybersecurity maturation model has reached its final stages before going live. Groups of provisional assessors have completed course work. Licensed companies have entered an approved marketplace and as of November 2020 the licensed training partners awaited finalization of certification exams.
By the year 2025 all DoD solicitations will require companies to hold CMMC certification. This means that over 300,000 companies and universities who touch sensitive data must rely on third party assessors to determine their maturation level. The more sensitive and mission ready the data, the higher the level required.
DFARS Interim Rule
Since December 13, 2017 companies could lose DoD contracts due to lax cybersecurity. Yet until recently DFARS required organizations to self-assess. Companies had to provide documentation on meeting the 110 controls of NIST 800-171 by collecting artifacts into a Body of Evidence.
A Body of Evidence contained three major items. The first a Systems Security Plan describes a company’s infrastructure such as the hardware and software utilized. The Plan of Action and Milestones (POAM) documented any shortcomings and described a remediation plan. A company would also submit their procedures and policies as part of the Body of Evidence.
DFARS required a contractor’s POAM to get shared with the DoD. A major change in the CMMC is the removal of the POAM and having third party rather than self assessments.
Yet with total compliance of the CMMC not required until 2025 how do we protect the trillions of dollars of data currently vulnerable across the DIB? In October of 2020 the Office of the Under Secretary of Defense for Acquisition and Sustainment published an interim rule as an update to Defense Acquisition Regulation Supplemental.
This interim rule, currently under public review, will go into effect immediately. DIB contractors need to take immediate action to learn about the interim rule and how its assessments differ from CMMC assessments.
(This post is a pre-publication draft of chapter one of a handbook Terry Lehman and I will publish on completing the Basic level self-assessments that comply with the DFARS Interim rule 252.204-7019 and the medium and high levels of 252.204-7020 and 7021 while also preparing for a CMMC future. We welcome feedback and corrections.)
Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory. (2020) Cybersecurity Maturity Model Certification (CMMC). Version 1.02. Department of Defense under Contract No. FA8702-15-D-0002.
DOD Focuses on Minimizing Cyber Threats to Department, Contractors. (2016, September). Retrieved October 11, 2020, from www.defense.gov/Explore/N…
Federal Bureau of Investigation. (2020) Cyber Crime — FBI. Retrieved October 18, 2020, from www.fbi.gov/investiga…
FBI Strategy Addresses Evolving Cyber Threat. (2020, September 16). Retrieved October 11, 2020, from www.fbi.gov/news/stor…
PwC. (2014) The Global State of Information Security® Survey 2016. Available online: https://www.pwc.com/gx/en/issues/cyber-security/informationsecurity-survey.html [Jul. 4, 2017].
Gonzales, D., Harting, S., Adgie, M. K., Brackup, J., Polley, L., & Stanley, K. D. (2020) Unclassified and Secure: A Defense Industrial Base Cyber Protection Program for Unclassified Defense Networks. RAND Arroyo Center, Santa Monica, CA.
Gordon Lubold and Dustin Volz. “Chinese Hackers Breach U.S. Navy Contractors,” Wall Street Journal, December 14, 2018.
Government Accountability Office. (2020) GAO-17-512, Defense Cybersecurity: DOD’s Monitoring of Progress in Implementing Cyber Strategies Can Be Strengthened. Retrieved October 18, 2020.
Michael Brown and Pavneet Singh. China’s Technology Transfer Strategy: How Chinese Investments in Emerging Technology Enable A Strategic Competitor to Access the Crown Jewels of U.S. Innovation. U.S. Department of Defense, Defense Innovation Unit Experimental (DIUx), January 2018.
Plea Agreement, United States v. Su Bin, No. SA CR 14-131 (C.D. Cal. Mar. 22, 2016), www.justice.gov/opa/file/… download.