If you have followed any of my past posts, you are probably familiar with the Department of Defense Federal Acquisition Regulations (DFAR). Recently I attended an event at the MARK Center that was titled “Network Penetration Reporting and Contracting for Cloud Services”. If you have never been to this facility, what a great experience. Getting into the Pentagon is easier!
I was pleasantly surprised to see attendees coming from New York to Florida in anticipation of learning more about what the Department of Defense intends to require government contractors to demonstrate as far as cyber hygiene. There has been a significant amount of ambiguity in terms of what is in the DFAR versus what industry believes it is saying and this session would hopefully shed some light on these issues.
The event had several panelists from various disciplines supporting DoD, including the Deputy CIO. After each segment, a Q&A was afforded to the audience (approximately 200 attendees). A number of questions pertained to gaps in the linkage between sections of the FAR and what implications flow down may have. A number of scenarios were highlighted that included the use of cloud and other forms of subcontractors.
What was interesting to me was a lack of ability to see the panel operating off the same sheet of music. Each scenario posed seemed to be met with very ad hoc responses that in some cases appeared to have panel members contradicting one another.
An even more pressing issue was the tone of this session as the DoD stipulated at the onset, that this session was to highlight requirements and answer questions. This was followed by a unilateral “we are not changing this so get over it” type of preamble. You could hear the grumblings amongst the attendees as most were there to highlight gaps that require clarification by DoD and in many ways, justification to amend based on the issued identified.
One question raised was if you use a FedRAMP approved cloud service provider and they have requirements that are well beyond the implementation of NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems”, is the contractor obligated to adhere to the remaining controls prescribed under NIST 800-53. Short answer, “yes”. The entire audience pretty much gasped with rumblings of “then why not impose 800-53 and be done with it?!”
This issue was compounded further when the panel highlighted the following taken from Section 7012:
“The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.
For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at firstname.lastname@example.org, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.”
The panel made reference to each prime using reasonable judgement to determine what subcontractors have an actual need to know/access covered defense information (CDI). What seems to be missing here is a lack of understanding how teaming arrangements work in the government contracting community. If you have ever pursued a solicitation for an Indefinite Delivery Indefinite Quantity (IDIG), you know this is merely a hurdle and in no way promises work. Upon award of an IDIQ, the prime gets to determine who on the team will compete for subsequent task orders. Most utilize a “best athlete” approach. Meaning that whichever subcontractor has the best person or widget for the specific task order, will be submitted for consideration to pursue said task order.
Since nobody can predict the future, how can I prime determine in this scenario, who ultimately may have access to CDI. If all contractors shall implement NIST 800-171 no later than 12/31/2017, if you have an IDIQ out for bid right now and you are not already aligning with NIST 800-171, what does that mean? If the IDIQ is set for submission no later than 6/30/2017, that means that the review period will run through at least October with a likely award date in February 2018. So those who cannot attest that they are aligned with 800-171 as of now, are kind of hosed.
With 110 unique controls that must be met, including clearly defined Plans of Actions and Milestones (POAMs), are you ready to attest in writing that you are good to go as of January 1, 2018? It is right around the corner and many elements remain ambiguous as a result of what was not clarified at Industry Day. Let HEMISPHERE help your organization prepare to meet these unique challenges.