C3 has merged with Ingalls Read Press Release >>

SSP and POAM Audits Are Coming

At this point, the requirements and underlying need for improved contractor security has been clearly established. High profile data breeches like Sea Dragon and those covered in recent Wall Street Journal articles have laid bare the threat to our national security.

The threat has been answered with new requirements such as DFARS 252.204-7012 as well as NIST 800-53/NIST 800-171. However, the adoption (and required investment) of the contractor community has been slower and uneven.

This changed in September 2018 when the Assistant Secretary of the Navy for Research, Development, and Acquisition issued a memo regarding the implementation of security controls for the Defense Industrial Base. This memo reaffirms the urgency for improved cybersecurity, as well as lays the groundwork for government audits of System Security Plans (SSP) and Plans of Action and Milestones (POAM).

Clarifying the Priorities

The memo clearly states not just the requirements, but also specifies the priorities within the regulations. It directs Navy Program Managers to include Contract Data Requirement Lists (CDRL) “requiring the delivery and approval of a System Security Plan that implements [DFARS 252.204-7012].” In addition, it also lays out minimum requirements for approval of the SSP including:

  • Auditable deployment of multi-factor authorization
  • FIPS 140-2 encryption
  • Least privilege principles
  • Annual auditable reviews of user privileges
  • Monitoring and controlling access sessions
  • Full implementation of NIST 800-171
  • Any unimplemented requirements are adjudicated by DoD CIO
  • Encryption of data at rest

These changes appear to prioritize technological requirements over other controls such as physical security and training, however overall compliance with the regulations is still required.

Audit Language

Noteworthy in the memo is that the CDRL include a requirement that “permits the Government to validate the information in a contractor’s submission every three years …or upon rotation of the Government Program Manager.” This has been interpreted to allow the Government to audit compliance and crack down on contractors that may not be fully compliant.

Increased Cost

For many contractors, cybersecurity compliance requires a significant investment relative to their current IT spend. While there is a fair argument that companies should have been investing to secure their networks all along, this still represents an increased overhead cost that probably wasn’t accounted for when contracts were bid. Cost to fully secure informational workers can approach $200 per month while first line workers and on-site employees can approach $75 per month.

Recovering the Cost

Contractors need to be aware of which cybersecurity clauses are added to contracts and when.  “If a requirement such as NIST 800-171 or DFARS 252.204-7012 are added as a modification to a contract, the contractor should collect the costs for compliance and may request a price change to cover the cost of the new requirement, says Jody Reed, a government contracts lawyer at McMahon, Welch, and Learned, PLLC.  “This can help offset the expense of securing the network and preserve margins”

Getting Compliant

C3 Integrated Solutions offers a full range of compliant services to support compliance with NIST, DFARS, and ITAR including Office 365 GCC/GCC High as well as a full range of monitoring, management, and support solutions. Contact us at {email} for more information on how we can you meet your compliance obligations.