Government Cracking Down on DFARS & NIST Regulatory Compliance

Businesses face losing new and existing government contracts

With the first quarter of 2019 in the books, the United States government is coming down hard on companies holding Department of Defense (DoD) contracts that are non-compliant with the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Not only is the government refusing to renew contracts with non-compliant businesses, it is also denying new contracts to non-compliant organizations. This can mean revenue losses in excess of millions of dollars for businesses with DoD contracts in aerospace, engineering, and manufacturing, among others.

Avoiding Regulatory Requirements
While many government contractors with the DoD were aware of the December 31, 2017, deadline for DFARS and NIST SP 800-171 compliance before it hit, many ignored the government’s demand that they achieve compliance. The reason behind this dismissal was that most contractors with the DoD, even the largest defense contractors, had concerns about achieving full compliance and about how the regulations would be enforced. Furthermore, many businesses with DoD contracts were also overwhelmed by the technical and financial impact of achieving DFARS and NIST SP 800-171 compliance. This has been especially true of smaller businesses, which typically have even fewer resources for meeting such demanding compliance standards.

To complicate matters further, the regulations also oblige contractors to “flow down” the compliance requirements to their tier 1 suppliers. This means subcontractors working with DoD-contracted organizations, such as independent manufacturers and engineers, are also required to meet the same rigorous data security standards.

The Call for Compliance
The reason behind these regulations is to prevent controlled unclassified information (CUI) from falling into the wrong hands. According to the 2018 Data Breach Investigations Report by Verizon, public sector entities such as government organizations accounted for 14 percent of breach victims. In addition, the manufacturing industry, which contracts with the DoD to produce everything from missiles and other weapons to airplanes and computer systems, was also greatly impacted by breaches.

The same Verizon report also determined that 76 percent of breaches are financially motivated, while another 13 percent are committed in an effort to gain a strategic advantage through espionage. That means roughly 90 percent of breaches worldwide are committed for the purpose of accessing trade secrets, private data, and other information for financial gain and/or strategic advantage.

“A cybercriminal can steal a year’s worth of your planning, research and development, and other secret information and then use that ill-gotten advantage to bring your idea to market first and more cheaply,” according to the 2018 Verizon report.

The Threat is Real
There are several instances where American companies have already seen this happen. According to “Here are 5 cases where the U.S. says Chinese companies and workers stole American trade secrets,” published by the Chicago Tribune this week, China has become a frequent thief of American commercial and military trade secrets.

“U.S. intelligence officials told Congress last month that China poses the biggest commercial and military threat to the United States,” according to the Chicago Tribune article, which reported theft of everything from U.S. semiconductor trade secrets to driverless car technology. “A separate report said Beijing will steal or copy technologies it can’t make itself.”

But it’s not just cybercriminals attacking the private sector for its trade secrets. Other governments are stealing information, too.

“Governments like to know what their counterparts in other countries are up to and this year is no different. When the threat actor is known, state-affiliated adversaries tend to figure somewhat prevalently,” according to the 2018 Verizon report. “Phishing attacks, installations, and subsequent uses of backdoors or C2 channels are front and center in espionage-related breaches. Malware functionalities that are often used to pop credentials, in the form of key loggers and password dumpers, are also found in significant numbers.”

Take, for example, the state-affiliated People’s Liberation Army in China, which has units dedicated to cyber attacks and espionage, according to the online article “Chinese hackers reportedly stole data related to secret projects from a U.S. Navy Contractor” from The Verge. The article states these units were encouraging “patriotic hackers” to help China achieve equal footing with other superpowers in terms of technology, though China vehemently denies such accusations.

China isn’t the only one allegedly committing cyber espionage. By now, everyone has heard the allegations of Russia’s interference in the 2016 U.S. presidential election. According to the same piece by The Verge, Russian government hackers reportedly accessed the Democratic National Committee’s database in an effort to influence the outcome of the election. Most recently, The New York Times has reported that both businesses and government agencies in the United States have been targeted in aggressive attacks by Iranian and Chinese hackers. The list goes on and on.

The Government Response
With the threat of cyber attacks, espionage, and financial loss looming large, the U.S. Government is starting to crack down on non-compliant contractors. In January 2019, the Under Secretary of Defense, Ellen M. Lord, issued a letter to leaders of the U.S. Cyber Command, U.S. Special Operations Command, U.S. Transportation Command, and the various branches of the U.S. military addressing cybersecurity oversight as part of a contractor’s purchasing system review. The letter not only outlined the requirement for DoD contractors to adhere to DFARS and NIST SP 800-171 but also reaffirmed that the same standards apply to subcontractors.

The letter states, “Controlled unclassified information (CUI) that is processed, stored, or transmitted on the contractor’s internal unclassified information system or network” falls under the requirements of DFARS and NIST SP 800-171. The letter goes on to state, “Contractors are required to flow down this clause in subcontracts for which subcontract performance will involve DoD’s CUI. In an effort to effectively implement the cybersecurity requirements addressed in DFARS and NIST SP 800-171, I have asked the Defense Contract Management Agency (DCMA) to validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS.”

Lord outlined in her letter that the “DCMA will leverage in its review of a contractor’s purchasing system in accordance with DFARS… procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their tier 1 level suppliers.” In addition, contractor procedures to assess compliance of their tier 1 level suppliers with DFARS and NIST SP 800-171 will also be reviewed.

Additionally, 2018 saw the U.S. Government issue two final guidance documents for DFARS and NIST SP 800-171. The first is “Guidance for Assessing Compliance of and Enhancing Protections for a Contract’s Internal Unclassified Information System.” This document gives direction on what should be included when evaluating DoD contractors for NIST SP 800-171 compliance.

The other document is the “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented.” The purpose of this document is to give direction on how the DoD should assess the impact and risk of NIST SP 800-171 security controls that a contractor has not yet put into place. Both documents are excellent resources for businesses and organizations with DoD contracts to help them achieve DFARS and NIST SP 800-171 compliance.

The Risks of Non-Compliance
There are many reasons for businesses that contract with the DoD to achieve DFARS and NIST SP 800-171 compliance as soon as possible. To begin, if the DoD audits a business and finds it to be non-compliant with the terms of DFARS and NIST SP 800-171, there are numerous penalties it can face.

The DoD could issue a stop-work order, under which work is suspended until compliance is achieved. The company could also face administrative, contract, civil, and even criminal penalties, including false claims damages, breach of contract damages, and liquidated damages. The contract could also be terminated for default or for convenience. Finally, those involved in the failure to comply with DFARS and NIST SP 800-171 could face suspension or debarment.

In addition to revenue loss and other penalties, businesses certainly face risks to their data as a result of non-compliance. According to the Identity Theft Resource Center 2018 End-of-Year Data Breach Report, more than 6 million government records were exposed last year, a figure greatly overshadowed by the 181 million business records exposed. Cybercriminals and state actors are after everything from business plans and financial information to technical details and trade secrets. Don’t become a victim by ignoring these government-imposed regulations, which boil down to normal security best practices that all businesses should be following.

Get Help
While achieving DFARS and NIST SP 800-171 compliance can seem overwhelming, you are not alone. Help is available. For example, many states are offering grants of between $5,000 and $20,000 to aid DoD contractors in achieving compliance. The catch is that these funds are limited and so are often issued on a first-come, first-served basis, which means there’s no time to delay.

Whether your business is small with no IT department or a larger company with dedicated IT staff, there is assistance available for achieving compliance. Third-party vendors such as Dox that are experienced with DFARS and NIST SP 800-171 requirements and audits can help your business achieve efficient, fast, and affordable compliance. There’s no time like now to secure your data and achieve compliance to keep your organization in good standing with the DoD.

If you would like more information about DFARS and/or NIST SP 800-171 regulatory requirements, help in seeking financial support, or assistance in auditing and achieving compliance, call Dox today at (585) 473-7766 or visit us online now. You can also learn more on our DFARS page and on our Dox Exostar page.