A leading legal voice on federal contracting is questioning the adequacy of defense acquisition rules to address emerging and evolving cybersecurity threats, suggesting that contract language should be used to set tougher requirements for protecting data and systems.
The guidelines set by the National Institute of Standards and Technology are at the center of a defense acquisition rule “clause” that covers all Pentagon contractors and their suppliers. The questions being raised about the adequacy of the NIST guidelines, specifically Special Publication 800-171, come as NIST is considering updating the document to address advanced and systemic risks, and while the Defense Department eyes acquisition reforms in response to cyber supply-chain risks, as laid out in a recent report by the MITRE Corp.
“The DFARS is intended to protect government CUI, controlled unclassified information,” noted Robert Metzger of the law firm Rogers Joseph O'Donnell in an interview with Inside Cybersecurity. “The harm that it seeks to prevent is the exfiltration of protected information, where it would become known to or exposed to adversaries without the consent of the U.S. government or the persons who own the information or intellectual property.”
The limited focus of NIST 800-171 – protecting data confidentiality – raises doubts about whether the government and industry, as suppliers of services and products, are doing enough to address the latest threats, which pose risks to system operations that could result in physical harm, according to Metzger, who is a co-author of the MITRE report.
“Current events tell us that threats actually are broader than those that are focused upon networks or the protection of information on information systems,” Metzger said. “While adversaries continue to steal or compromise information, we're seeing other attack vectors through the supply chain, against operational systems, cyber OT, and using human factors.”
He said such “blended operations” of attacks are “intended to achieve a number of adverse consequences that may include the exfiltration of protected information, but also could go well beyond that to compromise critical infrastructure, logistics systems, sensors, weapon systems and platforms.”
NIST 800-171 “is a set of safeguards intended to protect the confidentiality of CUI on contractor information systems using an approach that emphasizes perimeter security of networks. That's good. But the question is whether it's enough,” said Metzger.
The NIST guidelines, as reflected in DFARS clause 252.204-7012, were a good starting point but may no longer be enough, Metzger asserted.
“Considered on a whole-of-enterprise basis, we should think of security in terms of the mission functions of the weapon systems, or business systems, of the Department of Defense,” Metzger said, adding: “It is time to ask whether what we now have in the DFARS and its companion NIST safeguards truly are enough to protect against the actual range of threats.”
“It is my contention that the DFARS cyber clause and the NIST -171 safeguards protect against only some of the real world exposure,” he argued. “They don't protect against enough threat vectors and are not now tailored for high risk, high impact situations.”
NIST's expanded role
Initially, the focus of the NIST guidelines was to protect federal systems and government information. “It's only in relatively recent years that NIST has achieved more importance in making recommendations for security that are directed towards non-federal entities, such as commercial companies that constitute the defense industrial base,” Metzger said.
“If NIST had taken a prescriptive approach it would have increased the workload on businesses,” Metzger claimed. “It would have forced companies to migrate from what they are doing and to the federal [government's] specific methods. Instead, NIST chose a different approach. They said we're going to tell you what the objectives are, and leave it to you to figure out whether what you already have is satisfactory, to find any gaps, and then to come up with a plan to close those gaps.”
Metzger stressed that the absence of rules addressing systemic threats puts pressure on the contracting process to mitigate these residual risks.
“It is through contract requirements that companies are held to standards of performance,” Metzger said. “The acquisition process is how the Department of Defense or other federal agencies translate their requirements and expectations into the conduct suppliers are paid to deliver. The contract is how suppliers are told what the government wants, how the government is going to evaluate the contractor, and what the government expects to deem a supplier trustworthy and responsible.”
Yet the extent to which these contractual obligations are enforced is determined by the government.
“Contract terms establish what specific security measures the government expects or requires a contractor to take, how the government will assess the adequacy of those measures, and whether the government can enforce or otherwise sanction a contractor for failure to perform those measures,” Metzger said.
“Only now is NIST turning to a different type of information system risk – the advanced persistent threat or APT,” Metzger noted. “Sophisticated attacks by skillful adversaries may be lodged into an information system for months, or potentially years, before the time that they are activated and cause any injury. The injury could be the exfiltration of information, or it could be the corruption of information, or even the denial of system availability. There's been concern within the Department of Defense, and among security analysts, that we had focused too much on perimeter protection, but not enough to detect or respond to and mitigate the consequence of advanced persistent threats.”
At a public meeting earlier this month, NIST unveiled plans to revise 800-171 to address APT for DOD's most sensitive systems. The announcement was made at the meeting as part of an update for contractors and government officials on implementation of the DFARS CUI requirements issued in 2016.
“NIST just announced it will add an Appendix to SP 800-171 to deal with advanced persistent threats. I expect it to include measures to monitor outbound traffic from contractor networks because, if an APT is effectuated, one would expect some communication from the network to the attacker, such as transmission of information, or other confirmation that a command was received and acted upon,” Metzger said. “We also see monitoring to identify communications through the network perimeter intended to actuate the embedded APT. There can be different types of monitoring, of both inbound and outbound traffic, so that owners are aware of when unexpected or unauthorized actions are taking place within their network.”
In addition to the upcoming NIST revisions for 800-171, the Pentagon is reviewing for possible implementation acquisition reforms laid out in the MITRE report co-authored by Metzger. The report, “Deliver Uncompromised,” calls for cybersecurity to be elevated as a “fourth pillar” in acquisition, along with cost, schedule and performance.
The report, which offers a series of “courses of action” for DOD in securing its cyber supply-chain, echoes some of what Metzger asserted in the interview.
“Through the acquisition process, DOD can influence and shape the conduct of its suppliers,” according to the report issued in August. “It can define requirements to incorporate new security measures, reward superior security measures in the source selection process, include contract terms that impose security obligations, and use contractual oversight to monitor contractor accomplishments.” – Rick Weber