Along with avoiding counterfeit components, the electronics supply chain can now add cybersecurity concerns to its “To Do” list.
Electronics suppliers and distributors already must worry about cyber-threats such as malicious code being inserted or activated in components that are already in the supply chain. Adding to that is the recent DFARS Clause 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting"), which addresses the protection of technical information used in Department of Defense (DOD) contracts. The ECIA recently released an overview document to assist component manufacturers and their distributors with compliance to the rule.
The purpose of the DFARS clause is to make sure there is adequate security for controlled unclassified information (CUI) used in DOD contracts. According to the Covington website InsideGovernmentContracts, there have already been a number of iterations of this rule, and contractors may face conflicting security requirements. According to ECIA, DFARS 252.204-7012 includes:
- standards to protect unclassified controlled technical information in a covered contractor information system.
- security requirements for external cloud services, if used
- reporting of certain cyber incidents
- flowing down these requirements to all levels of subcontracts
According to ECIA, the covered contractor information systems are subject to the security requirements of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. The security requirements are listed in 14 families with a total of 109 requirements. ECIA noted “this is a lengthy document and will take some time with which to comply.”
The ECIA recommends that the following steps be taken immediately:
- Decide if, in the course of doing business with DOD contractors, any CUI is in or moving through your systems. If not, prepare a statement for customers explaining the exemption from compliance.
- Start reviewing the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Compliance will take time.
- Ensure any cloud service providers meet security requirements equivalent to Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
- Be prepared to identify, respond to, and report cyber incidents.
- For cyber incident reporting, obtain a DOD-approved medium assurance certificate.
The NIST SP 800-171 Control Families are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
According to InsideGovernmentContracts, the primary difference between the security requirements imposed by earlier versions of DFARS 252.204-7012 and the current version is the addition of multifactor authentication (NIST SP 800-171 requirement 3.5.3) as a minimum security standard. Multifactor authentication requires a combination of at least two of: (1) something you know (e.g., a password); (2) something you have (e.g., a One-Time Password generating device such as a fob, a smart card, or a mobile app on a smartphone); and (3) something you are (e.g., a biometric such as a fingerprint or iris).
The site also notes that DFARS 252.204-7012 is not required for solicitations and contracts where the only items being procured are commercial-off-the-shelf (COTS) items. However, the clause is required for all other solicitations and contracts where covered defense information (CDI) is involved, including the acquisition of commercial items involving CDI. What remains unclear is whether the clause needs to be flowed down to subcontractors where the prime contract is not solely for COTS items but the subcontract is.
InsideGovernmentContracts also identified three potential security standards that may apply when a contractor uses a cloud solution to either process or store CDI.
- First, the DoD Cloud Computing Security Requirements Guide (SRG) applies when (a) a cloud solution is being used to process data on DOD’s behalf, (b) DoD is contracting directly with a cloud service provider (CSP) to host or process data in the cloud, or (c) a cloud solution is being used for processing that DoD normally conducts but has outsourced.
- Second, NIST SP 800-171 standards apply when a contractor uses an internal cloud as part of its internal enterprise network systems to process data when performing under a DoD contract requirement (i.e., designing a new aircraft for DoD and using the cloud solution internally (not a third party CSP) for the engineering design).
- Third, security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline apply when a contractor intends to use an external CSP to store, process or transmit any covered defense information for the contract. Contractors must also confirm that the CSP complies with requirements in DFARS 252.204-7012 for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
The date for companies to be compliant is December 31, 2017.
ECIA provided several links of interest: