July 10, 2019 How to Handle Covered Defense Information

MEP National Network^TM

If you’re part of the Department of Defense (DoD) supply chain, you may have heard about the requirements for Covered Defense Information (CDI). In short, manufacturers or any other entities with DoD contracts must comply with cybersecurity stipulations that dictate how they handle certain types of content — i.e., CDI.

More specifically, as of December 31, 2017, all contractors working for the DoD, regardless of their size, must make their internal systems comply with the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 and must at minimum implement NIST SP 800-171 security requirements, which encompass 14 categories. Fundamentally, DFARS Clause 252.204-7012 is about providing “adequate security” to CDI.

What Is Covered Defense Information?

Manufacturers understandably want a clear definition of “Covered Defense Information” that they can refer to in order to avoid violating their DoD contracts. CDI is:

• Information given to the contractor by, or on behalf of, the DoD for a reason related to performing the stipulations of the contract, OR
• Information collected, developed, received, transmitted, used or stored by, or on behalf of, the contractor for reasons related to performing the terms of the contract.

Additionally, CDI falls into four categories:

1. Critical information: All information relevant to a contractor’s operations security, including data about that party’s known cybersecurity vulnerabilities
2. Controlled Technical Information: Technical information related to military or space applications that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Some examples include drawings, information sheets, and manuals
3. Export controlled information: Any content that can only be given to U.S. citizens or immigrant aliens unless the receiving parties hold the necessary export licenses
4. Controlled Unclassified Information and other information that needs safeguarding or controlled dissemination: Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls (any sensitive material related to the government or a contractor’s duties to a government entity)

For manufacturers, information considered CDI might range from process sheets to data sets, among many other types of information. Additionally, complying with the requirements for CDI and NIST SP 800-171 is a team effort. It extends to every department — not just the IT professionals — at an organization.

What Does ‘Adequate Security’ Mean?

After manufacturers learn to answer the question, “What is covered defense information?” the next question on their minds likely involves what the DoD means by “adequate security.” The most straightforward definition is that it means meeting the NIST SP 800-171 security requirements mentioned earlier.

Within the 14 categories of security requirements comprising the NIST SP 800-171, there are 110 basic and derived security requirements. Many of the specifics relate to controlled unclassified information (CUI), of which CDI is a part. Moreover, you’ll notice a substantial overlap in several categories.

Here’s a breakdown of the 14 categories and some of the matters that fall within each one:

1. Access Control: Who can see the information, and what technologies prevent parties from gaining unauthorized access?
2. Awareness and Training: Do employees understand how to handle CUI and what types of content it comprises?
3. Audit and Accountability: Who is accessing or attempting to access CUI and who is able to access that recordkeeping?
4. Configuration Management: How is the network configured, and what procedures should be put in place to control changes to that configuration?
5. Identification and Authentication: What should the process be for identifying and verifying the parties that view CUI?
6. Incident Response: How will an operational incident be identified and handled should one occur?
7. Maintenance: How often does maintenance occur, and who performs it?
8. Media Protection: How should electronic and paper records be stored, how can it be transported, and who can see them?
9. Physical Protection: What locks, cameras, etc. are put in place to protect the physical locations of CUI?
10. Personnel Security: What kind of screening do employees get before they see CUI?
11. Risk Assessment: Do risk assessments happen, and if so, how often?
12. Security Assessment: Are current security procedures effective, and where does room for improvement exist?
13. System and Communications Protection: How is CUI information communicated (internally and externally), and are protections in place to monitor this?
14. System and Information Integrity: How efficient are the current processes for detecting and recognizing possible threats, and how can those weak points be fixed?

Implementing a Cybersecurity Practice

Together, DFARS Clause 252.204-7012 and NIST SP 800-171 requirements may seem overwhelming, especially to smaller manufacturers or those who have not received government awards before. Start by evaluating your current level of cyber risk with the Cybersecurity Self-Assessment Tool and go from there.

Following that assessment, think about establishing a risk management system that can help identify what information your organization currently has, how it is currently being used, and what is being done to protect it. Understanding this helps to uncover not only areas of potential risk but also potential opportunities for business process improvements.

Documenting current efforts and creating and adhering to policies and procedures not only is a requirement to meet many of the NIST SP 800-171 requirements but also helps to provide evidence of an organization’s attempts to provide adequate security and can reduce the effort involved in ongoing protection of information.

If manufacturers want assistance with that part of the process, get in touch with your state’s Manufacturing Extension Partnership Program (MEP) Center. Your local MEP Center is connected to NIST and cybersecurity experts well-versed in NIST SP 800-171 and can help you navigate the specifics of creating a security program that meets the DoD’s requirements.

Elliot Forsyth

Elliot Forsyth is Vice President of Business Operations at the Michigan Manufacturing Technology Center (The Center). He joined the organization in July 2014 and is responsible for leading strategy, marketing, and business development, including the formation and implementation of The Center’s cybersecurity practice area. Prior to joining The Center, Elliot had more than 20 years of broad, global business experience with an outstanding record of leading Operations, Strategy, and HR functions.

Subscribe to Industry Today