In October 2016, the Department of Defense (DoD) issued a final rule to clarify the Defense Federal Acquisition Regulation Supplement (DFARS) that requires contractors to implement information security guidelines as soon as practical and no later than December 31, 2017.
These requirements ensure the protection of controlled unclassified information (CUI), affecting any managed service provider with a federal contract.
Who’s in Scope?
That means businesses contracting with the Department of Defense (DoD) and federal civilian executive branch agencies must implement the National Institute of Science and Technology (NIST) SP 800-171 security requirements. That includes:
Service providers that process, store and transmit federal data on their systems, such as cloud service providers (CSPs)
Credit card & other financial services providers; web and email service providers
Background check companies for security clearances
Cloud and data hosting providers
Contractors that develop communications, satellite and weapons systems
And many others not listed here.
Security Standards for Federal Contractors
The specific standard, 252.204-7012 - Safeguarding covered defense information and cyber incident reporting requires contractors to meet security standards listed in NIST SP 800-171 (unless the DoD CIO has determined that one or more security requirements is non-applicable, or has an alternative, equally effective security measure that may be implemented in its place).
Contractors can outsource these requirements and/or use subcontractors, but they’re held responsible for ensuring their IT vendors also meet adequate cybersecurity standards, according to the Office of Small Business Programs of the DoD.
Here are a few notable security controls outlined in the NIST SP 800-171:
Access Control
3.1.5 - Employ the principle of least privilege, including for specific security functions and privileged accounts.
The concept of least privilege means allowing employees access only to what they need in order to do their job - this can reduce your attack vector and the scope of risk. If one set of user credentials is compromised, the attacker cannot access your entire network or critical applications, only a few applications.
3.1.14 - Route remote access via managed access control points.
For users connecting to your applications and network remotely, give them controlled, managed access. Gain application-level access control and segmentation by using Duo’s secure single sign-on (SSO).
By logging into a web portal, your users can securely access only certain on-premises and cloud applications, without connecting to a virtual private network (VPN) or installing remote access software on their device.
Identification and Authentication
3.3.1 Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
Track user activity and get fraud alerts with Duo’s detailed security logs. Authentication logs give you usernames, location, time, type of authentication factor and more, allowing you to normalize user patterns so you can identify abnormal activity. Administrator logs let you track administrator activity, so you can identify major admin changes and any suspicious activity, giving you data you can use to investigate.
Duo’s administrative APIs also allow you to easily export this data into security information and event management (SIEM) tools like Splunk for better tracking and monitoring.
With Duo’s Device Insight, you can collect detailed information about your devices without using an agent, which means you get insight into every device logging into your applications, not just the ones you’re tracking with an agent. This gives you more complete audit records of both company-issued and personal devices on your network.
3.5.3 Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
NIST defines multi-factor authentication (MFA) as using two or more different factors to achieve authentication - something you know (password, PIN); something you have (smartphone app or hard token); and/or something you are (biometric like a fingerprint or retina scan).
Note - this requirement shouldn’t be interpreted as requiring Personal Identity Verification (PIV) cards or Department of Defense Common Access Card (CAC) solutions. Duo provides a multi-factor solution (MFA) delivered via an authentication mobile app on your smartphone, and in a variety of other methods.
The requirement 3.7.5 also calls for requiring multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. Duo’s MFA has native integrations with VPN and remote access gateways such as CA SiteMinder, Oracle Access Manager, Juniper, Cisco, Palo Alto Networks, F5, Citrix and more.
Department of Defense (DoD) Issues Cybersecurity Directive
In addition, the DoD issued a Directive-Type Memorandum (DTM) 17-001 on Cybersecurity in the Defense Acquisition System.
Their policy was to “ensure cybersecurity is fully considered and implemented across acquisition programs across the life cycle,” outlining requirements for program managers that are held responsible for the security of their systems and information.
The DoD outlined several risk areas to address:
Government Program Organization - Poor cybersecurity practices, untrained personnel, malicious insiders, inadequate network security, and incorrect classification of information can be leveraged by attackers to gain information system knowledge.
Software and Hardware - Weaknesses or flaws in systems and software can be used to compromise systems.
System Interfaces - Poorly configured or unprotected network and system interfaces can be used to gain system access or deliver malware.
Update and Manage Software - Plan for and implement software configuration updates to include software patch management to mitigate newly discovered vulnerabilities. Duo’s Device Insight can help identify out-of-date devices when they access your applications, while Endpoint Remediation and Self-Remediation features allow you to block risky devices and notify your users to update.
These are just a few of the key activities they require program managers to do in order to mitigate cybersecurity risks:
Identify all unclassified covered defense information (CDI), and assess the impact of the exposure of unclassified information on unclassified networks.
Promote a strong culture of cybersecurity awareness and behavior in program offices and among contractors. One way to increase awareness is by launching internal phishing campaign simulations to identify risky users and behavior.
Encourage contractor and industry participation in public-private information sharing activities.
See Covington and Burlington’s resource, *Department of Defense Issues Final Rule - Network Penetration Reporting and Contracting for Cloud Services (PDF) for more information.