Blog | Charles IT

Understanding Subcontractor Responsibilities

Written by Foster Charles | Jun 23, 2021 12:00:00 PM

The Defense Industrial Base (DIB) is one of the largest supply chains in the world, employing over a million people in 200,000 organizations. Protecting that supply chain from threats such as state-sponsored attackers and cybercriminals is no easy task, which is why there are strict rules in place governing the collection and usage of data pertaining to the DoD.

DFARS clause 252.204-7012 requires that all contractors and subcontractors making up the DIB adhere to the NIST SP 800-171 standards. This internationally recognized framework for data governance and security lists 110 controls across 14 control families. Precisely how you implement these controls is up to you, but they must be implemented, nonetheless.

Achieving compliance across your own systems and processes is one thing, but you also need to ensure your subcontractors are compliant. Supply chain attacks are on the rise, as attackers look for vulnerabilities outside the conventional perimeter, working their way in via an insecure system operated by a supplier.

Having satisfied your own obligations as a defense contractor, you now need to turn to your own contractors to determine whether they are compliant too. DFARS clause 252.204-7012 states that all contractors and subcontractors that store, collect, or process Covered Defense Information (CDI) are compliant with the NIST 800-171 controls. CDI includes any controlled unclassified information (CUI), identified as such in the contract. All CDI and CUI should be encrypted, both in storage and in transit.

Related article: DFARS & NIST 800-171 - A Compliance Overview

If a subcontractor you work with will not have access to CDI as part of their role working with your business, they will not need to be compliant. However, you may still need to take steps to ensure that such a subcontractor will not have access to this data and the systems housing it, intentional or otherwise. Alternatively, in cases where a subcontractor would otherwise have access to the data, another way to uphold compliance is to insist they work solely with your fully compliant systems, instead of using their own. If you are taking this approach, you must make sure to restrict the transfer of data so that it does not end up being transmitted across non-compliant systems. For example, if a subcontractor downloads CDI on an external drive and removes it from your premises, this would be a breach of compliance.

Related article: DFARS Clause 252.204-7012: Is Your Personnel Security Up to Par?

 

Such measures should generally only be taken as a temporary solution. If your organization works with the DoD in any capacity, then it is a good idea to ensure your own supply chain is fully compliant with the NIST 800-171 standards. The framework is, after all, one of the most widely adopted, and it is the basis for many other regulations, including those governing other industries. It is also crucial to remember that, as a primary contractor of the DoD, you will be liable for the actions of your subcontractors. For example, if you store CDI on a non-compliant public cloud, then your organization, and not the cloud vendor, will be held responsible.

All too often are supply chains the weakest link in an organization’s security posture. Whether you work with the DoD or are simply hoping to score lucrative contracts with them later on, it makes sense to focus on securing your supply chain and ensuring compliance across the board. For example, any vendor that handles sensitive information on your behalf, whether it pertains to the DoD or any other regulated industry sector, it only makes sense to ensure they adhere to the latest standards of security. The NIST 800-171 framework is the global industry standard, and while it might not be easy or cheap to implement all of its controls, it sets a high baseline that will give you the flexibility to grow your business without adding risk.

Related article: Are the physical safeguards protecting your IT systems enough?

Finally, it is vital that you clearly communicate the specific requirements of the DFARS clause to any contractor that may handle CDI. These include the need to report incidents to the DoD within 72 hours of their discovery, the ability to provide evidence of its systems security plan and adherence to NIST 800-171. Whether or not these measures are appropriate depends on the specifics of the subcontractor’s working relationship with your business.

Charles IT can help you secure your supply chain and evaluate your compliance efforts with a thorough audit of your infrastructure. Get in touch today to schedule your first assessment!