The U.S. Department of Defense (DoD) has made it clear -- if it wasn’t already -- to product and services suppliers that it’s serious about strong cybersecurity practices in the supply chain. The DoD has released a matrix detailing and prioritizing 110 security requirements that contract suppliers must meet or risk seeing their deals cancelled.
The guidance applies specifically to procurements that require implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 on protecting controlled unclassified information (CUI) in the supply chain. It assigns a ‘DoD Value’ to each security requirement, addresses the method(s) for implementing the requirement, and for some items clarifies requirements that could otherwise be misunderstood.
It’s not a test. The ‘DoD Value’ is meant to gauge the risk that an unimplemented security requirement poses to an information system, to assess the risk of a requirement with an identified deficiency, and to prioritize when an unimplemented requirement should be put in place. The guidance is not intended to assess security requirements that are already implemented, or to compare one supplier’s approach with another’s.
Basically, the DoD is talking about what still needs to be done by suppliers, not what’s already done. Here are three example requirements from the Access Control family (3.1.1 through 3.1.3 in SP 800-171):
- Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- Control the flow of CUI in accordance with approved authorizations.
A priority code of P1, P2, or P3 is assigned to each of the security controls. A P1 security control has a higher priority for implementation than a P2 control, and a P2 control has a higher priority than a P3 control. The idea is to guide organizations to ensure that security controls upon which other controls depend are implemented first.
DoD Values range from 5, the highest impact on the information system and the highest priority to implement, down to 1, the lowest impact and the lowest priority to implement. In short, high-risk security controls that have not been implemented present the greatest danger to the government.
All three of the access controls above carry a P1 NIST priority and a DoD Value of 5, meaning suppliers should implement them first and they have the highest impact on the information system. In total there are 22 access control requirements. The other control families, with their requirement counts, are: awareness and training (3), audit and accountability (9), configuration management (9), identification and authentication (14), maintenance (6), media protection (9), personnel security (2), physical protection (6), risk assessment (3), security assessment (4), system and communications protection (16), and system and information integrity (7), for 110 requirements in all.
Additionally, in a supplemental document the government said contractors must provide “adequate security” for “covered defense information” that is processed, stored, or transmitted on the contractor’s internal information system or network. At a minimum, the contractor must implement the controls detailed in SP 800-171, describe in a system security plan how each requirement is met, and maintain a plan of action stating how any unimplemented requirements will be met and how any planned mitigations will be put in place.