You, Your Sub-Contractor, NIST and DFARS

Companies don’t stand alone. Just as the combination of employees and hardware makes up an internal structure, an external framework is built on relationships with sub-contractors. Those relationships become the supply chain that enables day-to-day operations. Lately, there has been a lot of discussion regarding the compliance of DoD contractors and the processing of government data on their networks. NIST 800-53, which applies to government systems, lists about 350 controls. NIST 800-171 applies a subset of those controls to industry systems.

Less known is the DFARS clause that many find tacked onto their DoD contracts (DD254). Part of that clause indicates that companies are responsible for ensuring that any sub-contractors that handle contract information are compliant as well. In some cases, businesses could be legally obligated to ensure those controls are in place. ISO 27001 mandates protection of an organization’s assets accessible by sub-contractors. In a nutshell, companies with DoD contracts need to identify and manage information security risks relevant to sub-contractors. As of now there is no right or wrong answer; the clause language states that it will be done but doesn’t get into the specifics of how. This article presents a possible avenue to explore, or at least gets the wheels of industry churning as we determine a way forward for all of us.

Determine How Critical and Sensitive the Data Is to Your Company

Look at the prime DD254 and note what guidance it gives regarding protection mandates. Will the sub-contractor be dealing with your company’s information as well? Set up a team within your company to review the data and make that determination. At the most basic level, information can be classified as Public, Private, or Confidential. After discussing the needed protections, your team might have something like this:

How Sensitive if Disclosed

  • Public  – no impact (Widely Available, News)
  • Private – minor impact (Contracts, Policies, Procedures)
  • Confidential – serious impact (Customer/Employee Information, Strategic Plans)

Identify the services currently managed or provided by the sub-contractor, then determine how critical each one is. If your company is using sub-contractors to provide e-commerce, payroll, and email, it might look like this:

How Critical if Interrupted

  • Low – more than one day, minor impact (Payroll)
  • Medium – more than two hours, major impact (Email/Conference Calling)
  • High – more than ½ hour, critical impact (E-commerce/Website)

Determine Your Security Controls

Security controls should be a combination of physical and administrative. These are the controls that your company intends not only to meet but to push to your sub-contractors. Physical controls could be card readers and cameras. Administrative controls could be policies and procedures. Multiple security standards such as ISO 27002, COBIT 5, and the NIST Cybersecurity Framework are available resources to help develop those controls. Link those controls back to your sensitivity and criticality definitions. If it’s Public information, maybe backup is all that is needed. At the other end, if it’s Confidential, maybe the sub-contractor should have data-at-rest encryption.

Determine Effectiveness

If you require a sub-contractor to implement encryption, do they have the capability to ensure it’s working? This kind of question evaluates the effectiveness of the control. Maybe generic criteria will work for all controls, or specific criteria may be required for each control. An example might be a contract that specifies a minimum control set like NIST 800-171. Create a rating system and keep it simple: if the control doesn’t exist, you might assign an effectiveness of 0. If the control exists but is not formally required or implemented, rate it a 1. If the control exists, is formally implemented, and can be measured, call it a 2. Add your ratings together for a final score.

Document Your Controls & Supplier Status

Create a record of basic sub-contractor information as well as required controls.  For instance:

  • Sub-contractor Company Name:
  • Sub-contractor Contact Name, Email, Phone
  • Sub-contractor Location:
    • If overseas, are there any specific legal requirements about storing or exporting information?
  • Service or Data Description: What does the sub-contractor provide?
  • How Critical and Sensitive:
  • Security Controls: List the controls pushed to the sub-contractor.
  • Expected Control Effectiveness Level: Criteria established by your company team.
  • Current Control Effectiveness Level: The outcome of the last assessment.
  • Last Assessment Date: Include an action plan to fix any issues.
  • Next Assessment Date:
  • Contract Manager: The person responsible for the assessment and making sure it goes forward. This person will also be responsible for making sure any issues requiring follow up action are recorded.

This is uncharted territory, but compliance is the watchword. Maybe it will be as simple as listing the controls a sub-contractor will be required to meet, then asking for a letter signed by their president stating that they are compliant. If not, what is their way forward? Maybe it will be more involved, with full teams of auditors and tools. Either way, if it prevents an attack on your company via a sub-contractor or other weak link in the supply chain, then it’s time well spent.

Gene Erbacher, CISSP

Wright State Research Institute
4035 Col Glenn Hwy
Beavercreek, OH 45431

(937) 705-1059