Last month, my column “Implied Trust, Presumed Secure and Other Dangers of Supply Chain” covered supply chain security in the context of the network breach of a contractor for the Naval Undersea Warfare Center (NUWC) by Chinese hackers. Much to the US Navy’s chagrin, while the pilfered 614 gigabytes of US Navy data was unclassified, when aggregated it could be (or was, depending on the press release) classified. A massive haul, it included signal, sensor and cryptographic systems data, submarine radio room information, the Navy’s submarine development unit’s electronic warfare library and information on Sea Dragon, a “disruptive offensive capability” project.

That article underscored the importance of comprehensive hardening – understanding the operational environment, dissecting technological and process layers, reverse engineering forensic outputs from defined assets, and mapping data state changes and attack vectors into continuous improvement. But I was remiss in not digging into the weaknesses of the imposed regulations, and some interesting conversation followed around one common question: if government contractors are required by DFARS 252.204-7012 to comply with NIST 800-171, how could this happen? Well, there are a few ways, keeping in mind that these are hypothetical with respect to the NUWC hack – we don’t have enough procedural or operational information to form a forensic hypothesis.

Many government data breaches in recent years have involved everything from benign unclassified data to classified data, and were often rooted in escalated privileges, misapplied access provisions, or breakdowns of controls between state changes and regulatory obscurities. Despite efforts to improve legislation, regulations, standards, procedures, controls and vulnerability reporting, there is still little control over how contractors and suppliers handle “controlled” government data.

For a little background, the Defense Federal Acquisition Regulation Supplement (DFARS) is the Department of Defense (DoD) supplement to the Federal Acquisition Regulation (FAR). Its clause 252.204-7012 requires DoD contractors to implement the security requirements of NIST SP 800-171, developed by the National Institute of Standards and Technology (NIST), with a deadline of December 31, 2017 for that implementation. Contracts with civilian agencies such as the General Services Administration (GSA) or the National Aeronautics and Space Administration (NASA) fall under the FAR’s basic safeguarding clause (FAR 52.204-21) rather than DFARS, a distinction that matters when a contractor is trying to work out which rules apply to which contract.

NIST 800-171 specifies the protection of controlled unclassified information (CUI) in non-federal systems and organizations. CUI itself is defined by Executive Order 13556 and 32 CFR Part 2002 as unclassified information that a law, regulation or government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls. It’s the “requires” part that can be problematic for compliance: deciding which of the information a contractor holds actually falls under such a requirement is rarely clearly and properly defined in the contract. To assist in the compliance process, NIST has published the NIST MEP Cybersecurity Self-Assessment Handbook (NIST Handbook 162) and provides outreach and support for the application and implementation of these cybersecurity standards, privacy requirements and evaluation of vendor security posture. Externally, there is no shortage of NIST 800-171 compliance consultants and tools.

Still, not every contractor will have met the deadline or can meet the regulations, for a number of reasons, and many others may claim to be compliant but aren’t, either knowingly or unknowingly. Considering the above, two possible scenarios will be dissected – failure to comply and inadequate compliance – to see where the wheels could have fallen off with the NUWC contractor and whether it could happen again.

Zero Compliance: Failure to Comply by Contractors and their Sub-Contractors

If a contractor, or one of its sub-contractors, fails to comply while a DoD contract is in play within its facilities, assets may be exposed. In a post-attack scenario, whatever the damage, the consequences and sanctions of non-compliance, which is considered a contract default, run a long gamut. Negligence may result in loss of the contract award, a negative performance review and/or a future bid protest. Should it be found that a representation of compliance was falsified, the contractor may be subject to default termination, suspension, debarment and/or liability under the False Claims Act or other false statement statutes. Regardless, if the failure to comply is only discovered post-breach, the horse has already left the barn – the asset was compromised.

Close Doesn’t Count: Inadequate Compliance by Contractors or Sub-Contractors

Within the context of interpreting and implementing NIST 800-171, many things could go wrong: improperly assessing compliance, failing to identify eligible systems or data (ambiguity), failing to adequately close gaps, or failing to properly execute remedial approaches or workarounds such as segregation of assets. Ultimately, compliance comes back to several requirement-bound activities; if a requirement is not fully understood, analysed and adequately met, everything built on it is flawed.

The more likely scenario is ‘inadequate’ compliance due to interpretive, procedural or administrative errors, such as failure to properly interpret and implement NIST 800-171 or failure to clearly identify assets and their parameters in the procurement process. Again, the fundamental basis of NIST 800-171 is to specify safeguards for the systems that handle CUI belonging to, or developed for, the DoD by the contractor or its sub-contractors – but it has to be the right system and the right asset.

Knowing the states an asset moves through, where a system begins and ends, its management controls, mission objectives and operating environment, is only half the battle. As NIST 800-171 is intentionally high level in order to remain flexible, it will not address complexities such as an operationalized network architecture. That requires knowledge, expertise and very concise documentation, both for internal use and for compliance.

Looks Right To Me!: Failure to Properly Assess Compliance

The market for NIST 800-171 compliance assessment is burgeoning for a reason – it’s an arduous task that requires both impartiality and expertise. Contractors who pursue assessment on their own risk assessing their compliance improperly, even when they understand the guidelines, the contractual requirements and the information that is in scope.

The foundation of compliance begins with fully understanding and analysing the requirements, then meeting them accurately and completely. Failing to do so renders the standard and its levels of security ineffective, making the systems and the contractor non-compliant. NIST 800-171 was also designed to be technology-agnostic – a blessing and a curse – to permit tailoring to contractor size, capacity and architectures. Considering this, expect some ambiguity.

Cherry-Picking or Taking the Whole Tree: Failure to Identify Eligible Systems, Data and Ambiguity

One of the primary questions since DFARS 252.204-7012 was brought into effect has been how to determine the eligibility of systems. The clause scopes its requirements to ‘covered contractor information systems’ – those that process, store or transmit covered defense information (CDI) – and the contract documentation may not clearly identify which information is CDI, so understanding the definitions of CUI (catalogued in the National Archives and Records Administration’s CUI Registry) and of CDI (defined in the clause itself) is important in defining scope. At the least, since the risks to a contractor’s business and its legal liability if contractual duties are breached are high, documenting the ‘good faith’ steps taken is time well spent.

Mind the Gap: Failure to Adequately Close Gaps

Once gaps in the required controls are properly identified, they must be closed in short order, and if they cannot be, there must be a planned approach with specific details, outcomes and implementation dates. The DoD is aware that not all contractors can meet all NIST 800-171 security requirements immediately. For that reason, the accepted and preferred method of identifying and coordinating gaps is a System Security Plan (SSP) together with Plans of Action and Milestones (POA&Ms) that reflect the challenges of implementing these controls, with priorities and a workable path. Note that an SSP and POA&M document a gap; they do not close it, and the unimplemented control remains an exposure until the milestone is actually delivered.

Workarounds: Failure to Properly Execute Remedial Approaches

Lastly, to meet NIST 800-171, contractors may implement remedial approaches or workarounds, altering internal processes or procedures rather than adopting certain required controls as written. This may include separation of duties, segregation of assets, modifications to network zones or other approaches and, while acceptable, it is crucial that they are properly executed to address compliance. It is also worth remembering that DFARS 252.204-7012 expects a contractor who considers a requirement inapplicable, or who substitutes an alternative but equally effective measure, to submit a written explanation for DoD CIO review; an undocumented workaround that nobody outside the contractor has seen is a gap, not a control.

From just the few scenarios presented above, it’s easy to see why becoming and staying compliant is not a straightforward exercise. Although compliance with NIST 800-171 was a step in the right direction, the numerous challenges of contractor compliance are compounded by the lack of certified and assured compliance at the policy level by the DoD. In fact, this may dictate the next big legislative change for supply chain security.

As far as the NUWC hack, unless more information is released we won’t know what happened – whether the contractor was NIST 800-171 compliant, non-compliant or inadequately compliant. Obviously, the government will continue to rely on contractors, and for as much as it tries to mitigate the risk, some of it will have to be accepted.