DoD issues information collection requirements for assessing contractor compliance with cybersecurity standards

The U.S. Department of Defense’s Defense Acquisition Regulations System has forwarded a proposal to the Office of Management and Budget (OMB) for clearance under the Paperwork Reduction Act. This initiative aims to assess contractors’ adherence to cybersecurity requirements, aligning with the mandate of section 1648 of the National Defense Authorization Act for Fiscal Year 2020. The directive tasks the Secretary of Defense with establishing a risk-based cybersecurity framework for the defense industrial base (DIB) sector to serve as the foundation for a mandatory DoD standard.

“The collection of information is necessary for DoD to assess where vulnerabilities exist in its supply chain and take steps to correct such deficiencies,” according to a Federal Register notice published Tuesday. “In addition, the collection of information is necessary to ensure defense industrial base contractors that have not fully implemented the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security requirements pursuant to the clause at DFARS 252.204-7012 begin correcting these deficiencies immediately.”

The requirement is implemented in the Defense Federal Acquisition Regulation Supplement (DFARS) through two instruments: the solicitation provision titled NIST SP 800-171 DoD Assessment Requirement, and the contract clause titled NIST SP 800-171 DoD Assessment Requirements.

The notice added that consideration will be given to all comments received by Jun. 27.

The move seeks an extension of a currently approved collection, affecting businesses and other for-profit and not-for-profit institutions. Responding is required to obtain or retain benefits, and the collection occurs at least annually. The number of respondents is 11,686, with approximately 1.02 responses per respondent, for 11,977 annual responses; at an average burden of 4.92 hours per response, the total annual burden is 58,885 hours.

The clearance is prescribed for use in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items. Per the provision, if an offeror is required to have implemented NIST SP 800-171 per DFARS clause 252.204-7012, then the offeror shall have a current assessment for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order in order to be considered for award.

The notice also states that the contract clause is prescribed for use in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts solely for the acquisition of COTS items.

“The clause requires the contractor to provide the Government access to its facilities, systems, and personnel in order to conduct a Medium Assessment or High Assessment, if necessary,” according to the notice. “Medium Assessments are assumed to be conducted by DoD Components, primarily by program management office cybersecurity personnel, in coordination with the Defense Contract Management Agency’s (DCMA’s) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), as part of a separately scheduled visit (e.g., for a critical design review). High Assessments will be conducted by, or in conjunction with, DCMA’s DIBCAC.”

Additionally, the DoD may choose to conduct a Medium Assessment or High Assessment when warranted based on the criticality of the program(s)/technology(ies) associated with the contracted effort(s). For example, a Medium Assessment may be initiated by a program office that has determined that the risk associated with their program warrants going beyond the Basic self-assessment. The results of that Medium Assessment may satisfy the program office or may indicate the need for a High Assessment.

Earlier this month, NIST released the final versions of Special Publication (SP) 800-171r3 (Revision 3) and SP 800-171Ar3, covering updated security requirements and assessment procedures for protecting controlled unclassified information (CUI). SP 800-171r3 aims to provide clearer guidance, reduce ambiguity, and enhance implementation support. These security requirements and assessment procedures are now available through the Cybersecurity and Privacy Reference Tool (CPRT), which offers several access methods, including browsing online, downloading as a spreadsheet, and JSON format.
