Adjustments Are Needed: How DoD’s New Cyber Interim Rule Applies to Protection of CUI in Defense Factories

by Robert S. Metzger

Discussion among industry representatives points to uncertainties regarding the application of the new DoD cyber Interim Rule. This paper argues that the new self-assessment and CMMC requirements are intended primarily for information technology (IT) systems and should be applied differently to the factories of defense suppliers, specifically to industrial control systems (ICS) and other types of Operational Technology (OT) which process, store or transmit forms of Controlled Unclassified Information (“CUI”).

The core contract requirement that contractors protect the confidentiality of CUI is DFARS 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”). This clause requires contractors to provide “adequate security” on “all covered contractor information systems” and to implement the security requirements of NIST Special Publication (SP) 800-171 (“Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”).
The Interim Rule, 85 Fed. Reg. 61,505, was published on September 29, 2020. After December 1, 2020, many DoD solicitations will include two new clauses, DFARS 252.204-7019 (“Notice of NIST SP 800-171 Assessment Requirements”) and DFARS 252.204-7020 (“NIST SP 800-171 DoD Assessment Requirements”). A smaller number of solicitations will include a different clause, DFARS 252.204-7021 (“Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement”), for acquisitions that will be subject to the Cybersecurity Maturity Model Certification (CMMC) program during its “pathfinder” phase.

Essentially, the new -7019 and -7020 clauses require those companies which are already subject to the cyber security control requirements of NIST SP 800-171 to employ a “DoD Assessment Methodology” for a self-assessment of their satisfaction of the 110 basic and derived controls stated in NIST SP 800-171. Further, companies will generate a “net score” using the Assessment Methodology and post on DoD’s Supplier Performance Risk System (SPRS) a “summary level score” as well as the date that all requirements are expected to be implemented. (1) The -7019 clause indicates that, in order to be considered for award, an offeror (where subject to NIST SP 800-171) must have a current assessment “for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.” (Emphasis added.)

Many companies are looking to define what systems are subject to these requirements. It is not straightforward. Nowhere in the regulation is there discussion regarding how to determine what systems are “relevant.” This phrasing, alone, raises the question of whether DoD intends that the new self-assessment regime apply identically to factory systems (with ICS and OT), as distinct from information systems and IT. Informal comments from officials of the Defense Contract Management Agency (DCMA) indicate it is their view that any factory system is “relevant” (and subject to self-assessment and score posting) if it handles CUI and is connected to a “covered contractor information system.”

The applicable definitions are less than perfectly clear and consistent, which contributes to the problem of knowing whether and how to apply the NIST SP 800-171 controls to factories, ICS and OT.

  • DFARS 252.204-7012 defines “[I]nformation system” as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”
  • NIST SP 800-37 (Rev. 2) (“Risk Management Framework”) defines “operational technology” to mean “[p]rogrammable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms.”
  • NIST SP 800-171 Rev. 2 defines “information system” to include “specialized systems, for example: industrial/process control systems, cyber-physical systems, embedded systems, and devices. The term system is used throughout this publication to represent all types of computing platforms that can process, store, or transmit CUI.”

These definitions do not establish clear boundaries between IT and factory systems. For present purposes, there are three central questions: (1) does the DFARS -7012 clause apply to factory systems; (2) can the controls of NIST SP 800-171 be satisfied by factory systems; and (3) how should the self-assessment requirements of the Interim Rule be applied to factory systems – if at all.

These questions need to be understood and answered in context. The objective of all the rules, regulations, contract requirements and cyber controls described above is to protect the confidentiality of “Covered Defense Information” (CDI) which, as defined in DFARS 252.204-7012, includes “unclassified controlled technical information” (i.e., information with military or space application) and other information which is “Controlled Unclassified Information” (CUI). For purposes of this article, CDI and CUI shall be treated as equivalent – as in all cases, such information, which may fall into various categories and subcategories, must be protected by reason of federal law, regulation, or governmentwide policies.

The reason that confidentiality of these information types must be protected is that adversaries, nation state and otherwise, have a long and unfortunately successful history of “exfiltration,” meaning that they have successfully accessed such information on contractor systems and stolen it, injuring our national security as well as the business interests of our industrial base.

Applied here, this “context” requires recognition that CUI may be present in or accessible by manufacturing systems in factories, even though their primary purpose may differ significantly from that of the information systems which are the principal focus of DoD’s cyber measures. Some factory systems utilize data which fits a CUI category (such as Controlled Technical Information (CTI)) for purposes such as machine operation, e.g., the control of CNC machines that host or process CTI in the manufacture of defense articles. Some factory systems are connected to information systems which themselves store, process or transmit forms of CUI including CTI. In such circumstances, an adversary attack upon the factory systems could exfiltrate or otherwise compromise the CTI, and adversaries might exploit vulnerabilities in factory systems to reach, exfiltrate, or otherwise compromise CUI on connected information systems.

The foundational “Safeguarding” clause, DFARS 252.204-7012, applies to “information systems.” These are defined within -7012 in a way that does not clearly reach factory systems, as an “information system” means a “discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”

The -7012 DFARS clause itself makes no reference to “operational technology,” “industrial control systems” or factories or manufacturing. The -7012 contract clause invokes NIST SP 800-171 which expansively defines, albeit in a footnote, “information system” to include “specialized systems” among which are “industrial/process control systems, cyber-physical systems, embedded systems, and devices” – as are used in factories. (2) While some of these systems come into contact with CUI, they are subject to the now pressing contract requirements not because they are called out explicitly in the clause but because the clause relies upon NIST cyber controls with a very broad definition of “information system.”

Thus, as a matter of drafting, at least, the connection is somewhat tenuous between factory systems and the -7012 DFARS clause and the self-assessment requirements of the new Interim Rule. Moreover, as explained below, some controls in NIST SP 800-171 poorly fit factory systems. Application of the new self-assessment requirement to factory systems may not produce scoring results that meet the intended purpose. For these reasons, a different approach to protecting CUI on factory systems is recommended.

While CUI can be used in factories, there are, nonetheless, significant differences. Compared to IT systems, factory and OT systems are different in purpose, design and function. Controls that may be generally applicable to information systems may not fit well, or at all, in some cases, when applied to various types of OT systems. Experts have pointed to three areas where there are difficulties in applying NIST SP 800-171 controls in a factory environment: (1) patching the operating system; (2) installation of anti-virus software; and (3) multi-factor authentication (MFA). (3)

Earlier, the definitions of “information system” and “operational technology,” as these appear in DFARS 252.204-7012, and NIST SP 800-37, respectively, were compared. The former describes purposes for an “information system,” such as “collection, processing, maintenance, use, sharing, dissemination, or disposition of information,” which are distinct from the functions which NIST SP 800-37 attributes to OT, such as the control of “devices, processes, and events.” Further uncertainty arises because many OT systems can operate independently of “information systems,” and in some cases they can be separated both logically and physically, i.e., “air gapped.” In other situations, the “data” that may drive factory and OT systems may not constitute any of the forms of CUI that are to be protected pursuant to DFARS 252.204-7012 using NIST SP 800-171.

NIST SP 800-171 is focused upon the protection of information systems, and the information stored on those systems, and its controls are optimized for this purpose and not for OT systems – even in situations where CUI may reside on, be used by, or communicated with factory systems and OT. This is true notwithstanding the expansive definition of “information system” in NIST SP 800-171.

Factories and OT systems vary enormously, so “misfits” of NIST SP 800-171 controls to such systems cannot be surprising. Indeed, the options recently discussed for companies seeking to satisfy DFARS 252.204-7012 and the new self-assessment requirements, applying NIST SP 800-171, are all unappealing:

  • Replace OT Equipment. This can be prohibitively expensive for many companies who are important participants in the defense industrial base. Many factories operate using “legacy” hardware and software. New factory systems and contemporary OT can be capital-intensive, and disruptive of current operations. This may be too great a demand for companies struggling financially or where DoD is other than the dominant customer.
  • Air Gap OT. Some companies have resorted to separating all electronic connections to their factories, on the premise that vulnerability to cyber breach can be defeated through such an “air gap.” This is not an optimal solution in many cases, however. The trend in advanced manufacturing in the commercial industry is to increase connectivity between IT and OT. Air-gapping does not secure systems within the factory from insider threats, or deny the possibility that such systems can be penetrated notwithstanding the air gap. Further, disconnecting factories from the “rest of the world” is contrary to technology trends as it would exclude use of sensor-informed cyber-physical systems, other features of the Internet of Things (IoT), and retard transition to “Industry 4.0.” Such a strategy frustrates innovation and injures competitiveness.
  • Avoid Contracts Subject to the Requirements. In theory, Defense Industrial Base (“DIB”) suppliers who cannot afford to replace their factory OT and who will not or cannot air-gap can decide not to bid on or accept a contract with the new cyber self-assessment clauses of the Interim Rule. This outcome is disadvantageous to DoD because it affects the size and composition of the industrial base. Where companies respond to new regulations by deciding not to participate, that does not demonstrate the success of the regulatory scheme.
  • Do Nothing; Self-Assess and Report Scores. If the Interim Rule applies equally to factory systems and OT as to information systems and IT, many companies will self-assess and report their score and gap closure plans to SPRS. This would force hundreds, possibly thousands of companies through an exercise of attempting to score their factory systems and OT using the IT-oriented standards of NIST SP 800-171. The result may be that many companies will report scores to SPRS that may be low as well as misleading. (4)

Some SP 800-171 controls cannot be applied to factory systems and OT, and others fit poorly and can be satisfied only at great expense. Risks to industry include displacement of existing assets, jeopardy to manufacturing continuity and even hazard to plant and personnel safety (where a control, such as MFA, would prevent immediate action on an operating factory system). The -7019 and -7020 clauses of the Interim Rule require self-assessment against the 110 NIST SP 800-171 controls, using the DoD Assessment Guidance, and posting of a “net” resulting score on SPRS. For this ostensible purpose, applying NIST SP 800-171 and the required assessment methodology will often produce low scores not because factory security is poor, but because some -171 controls, including some with high point value criteria, such as multifactor authentication, cannot be met or cannot be assessed.

Because of the increasing convergence of IT and OT, and the fact that factories and OT systems process, store or transmit CUI, the purposes of DFARS 252.204-7012 require that measures be taken to protect the confidentiality of CUI used in factories and OT – but not in the same way as for information systems and IT. This needs to be recognized by many stakeholders – companies performing self-assessments, government authorities (such as the DoD Program Management Office (PMO) for CMMC, and DCMA), the CMMC Accreditation Board (AB), and CMMC approved Third-Party Assessment Organizations (C3PAOs), among others.

Recommended principles to tailor CUI security for factory systems and OT follow:

  1. For factories and OT, DoD should clarify that NIST SP 800-171 is guidance that should be considered as companies prepare System Security Plans (SSPs) (and Plans of Action) for factories and OT systems.(5) Companies also should consider NIST SP 800-82 (Rev. 2) (“Guide to Industrial Control Systems (ICS) Security”), which provides substantial information on the subject of OT security, using a control system built upon an “overlay” of applicable controls from NIST SP 800-53 (Rev. 4).
  2. Working with industry stakeholders, NIST, and other experts, DoD can generate instructions, FAQs and other guidance that inform companies on how to make risk informed judgments on cyber risk abatement for factory systems, without attempting to “force” satisfaction of each and every one of the 110 controls in NIST SP 800-171. For the time being, NIST SP 800-171 controls should be applied where practical and, where not, companies should document the exception in their SSP (See item 6 below).
  3. DCMA should revise the DoD Assessment Guide to provide distinct guidance on how companies should self-assess and score, and report future plans, with respect to factory systems and OT. To avoid a scoring penalty, some controls of NIST SP 800-171 might be removed, for a period of time, from this assessment, such that the maximum score for “relevant” factory systems would be reduced from the otherwise applicable max of 110.
  4. DoD should revise the SPRS “User Guide” and “Awardee User Guide” to discuss how companies are to enter and contracting officers are to use scoring information for factory systems and OT, as distinct from the “base case” of information systems and IT.
  5. The Interim Rule should be changed and clarified. If DoD is determined to retain self-assessment and scoring for factory systems, there should be separate submissions for factories and OT and for information systems. (6) Contracting officers should be informed and trained to recognize the distinction between scores for IT versus factory systems.
  6. DoD should clarify that there is no scoring penalty, as concerns the self-assessment for SPRS posting, or DCMA “Medium” or “High” Assessments, for factory and OT systems where the SSP documents assessments and plans that utilize and describe the “enduring exception” feature already present in NIST SP 800-171.

This sixth recommendation rests on language in NIST SP 800-171 that certainly warrants greater attention. The following can be found in NIST SP 800-171 under the heading of Chapter Three (“The Requirements”):

The recommended security requirements in this publication apply only to the components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. Some systems, including specialized systems (e.g., industrial/process control systems, medical devices, Computer Numerical Control machines), may have limitations on the application of certain security requirements.

To accommodate such issues, the system security plan, as reflected in Requirement 3.12.4, is used to describe any enduring exceptions to the security requirements. Individual, isolated, or temporary deficiencies are managed through plans of action, as reflected in Requirement 3.12.2.

It is not practical for every company subject to the self-assessment requirement to seek approval from DoD for any variation, misfit, or disconnect between NIST SP 800-171 and their factory and OT systems. What is practical, and useful, is for every company to self-assess following “best practices” and the above-described principles, and for every company to document in their SSPs the reasons why they did not or could not apply NIST SP 800-171 controls and what measures they are taking or intend to take to mitigate identified risks to CUI exposed through factory systems and OT. (7) As suggested for factory systems and OT, controls 3.12.2 and 3.12.4 of NIST SP 800-171 should cause companies to follow through on plans of action to close gaps, correct deficiencies and reduce or eliminate vulnerabilities, periodically update their security measures for factory and OT systems, and update SSPs accordingly. Over time, “enduring exceptions” to security requirements may recede and protection of CUI should improve.

DoD solicitations will soon – from December 1, 2020 – be issued with the new self-assessment requirements, meaning it is urgent that DoD act to address the problems described here. Companies already are working on self-assessments, so guidance and clarification are needed now. DCMA may perform on-site assessments or even “spot checks” of self-assessments. DCMA personnel, such as those assigned to DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), need instructions so that they fairly evaluate company treatment of cyber measures for factory and OT systems. Even more important is that the CMMC Program Office act on these problems, adjusting as needed the CMMC Model and forthcoming CMMC Assessment Guide, and informing the CMMC AB. Beyond initial “pathfinder” projects, there will be thousands of manufacturers who require certification as CMMC proceeds. CMMC allows no “plans of action,” so the CMMC construct must recognize where CMMC practices and processes, and assessment methods, do not fit factory and OT systems. Companies should not be denied required certifications for issues that are best addressed differently than as dictated by NIST SP 800-171 and the present CMMC Maturity Levels.


Notes:

1- NIST SP 800-171, under the “Security Assessment” family at control 3.12.2, requires organizations to develop and implement “plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.” In this sense, the security approach of SP 800-171 effectively “accepts” deficiencies if they are identified in the “plan of action” – described in 3.12.2 as a “key document in the information security program.” The CMMC program, in contrast, does not accommodate “plans of action” or other gaps, departures or deviations from its stated requirements. All (100%) of the stated requirements for a given Maturity Level must be met, or else the organization under assessment will not receive the certification it seeks.

2- The definition of “information system” appears as footnote 1 on p.1 of the “Introduction.” Several terms in the referenced definition – “industrial/process control systems, cyber-physical systems, embedded system” – appear nowhere else in NIST SP 800-171. This alone suggests that the emphasis of the 110 controls of NIST SP 800-171 is elsewhere.

3- While these three may be encountered most frequently, there are other controls that may not fit particular factory or OT systems, including individual controls in these NIST SP 800-171 families: Access Control, Configuration Management, Identification and Authentication, Risk Assessment, Security Assessment, Systems and Communications Protection, and System and Information Integrity.

4- The purpose of posting the scores to SPRS is to provide information that a Contracting Officer may consider as part of the supplier risk assessment which precedes a determination that a company is “responsible” so that it may receive a contract award. There is little value to Contracting Officers, and potential injury to contractors, if companies are forced to submit scores for their factory systems which are low because of what cannot be accomplished – or should not be accomplished – among the NIST SP 800-171 controls.

5- Further, there are reasons to examine whether a control-based regime such as that presented by NIST SP 800-171 is the best choice considering the diversity of factory systems and contributing OT. There are present and emerging technical measures available, which can be employed on a risk-informed, tailored basis. The control set of NIST SP 800-171, which was not focused principally on OT, should not come to discourage their development or deny their adoption.

6- The present scheme for score posting on SPRS requires companies to advise DoD of the “[d]ate that all requirements are expected to be implemented (i.e., score of 110 is expected to be achieved).” This may be unrealistic, even impossible, for factories and OT. In the same vein, DoD must develop means to accommodate factories and OT systems as it works towards CMMC implementation. Many of the problems described here will be even more acute under the present CMMC operating principle that there must be “100%” compliance with every CMMC practice and process for a given Maturity Level.

7- Such documentation of “enduring exceptions” can evolve beyond the objective of confidentiality to include measures to mitigate and recover from threats to factory and OT system availability and integrity.
