DSS Revises Cybersecurity Requirements for Contractors Handling Classified Information
On May 18, 2016, the Defense Security Service (DSS) approved Change 2 to the National Industrial Security Program Operating Manual (NISPOM). Change 2 significantly revises Chapter 8 of the NISPOM, which governs cybersecurity, and charges contractors holding facility clearances with implementing the information security protection measures to be issued by their Cognizant Security Agency (CSA). This change is paired with the new Insider Threat Program requirement discussed in our prior posts. Contractors will need to certify to the CSA that their classified information systems comply with the management, operational, and technical controls in the CSA-provided guidelines. Contractors must also create the new position of Information System Security Manager (ISSM) for their classified systems.
At a minimum, each contractor's Information Systems Security Program must include information security policies, a System Security Plan (SSP), training, continuous monitoring and at least annual testing, a remedial action process, procedures for detecting, reporting, and responding to security incidents, a continuity of operations plan, and a self-inspection program.
Contractors handling classified information should already have in place many of the processes and procedures the CSAs will identify. However, the NISPOM changes replace the prior system accreditation process with a requirement to obtain an Authorization to Operate (ATO) from the Government before a contractor may begin processing classified information. An ATO is valid for three years, after which it must be renewed unless the Government waives the renewal requirement. The ATO requirement is an obvious administrative burden for both the Government and contractors, since there are over 13,000 cleared facilities already in operation. To mitigate the impact of this new requirement, DSS can grant an Interim Authorization to Operate (IATO) for a period of up to 180 days, renewable for an additional 180 days. The NISPOM requires cleared contractors to operate their information systems in accordance with the CSA-issued set of security controls during the IATO period.
Additionally, the CSA must review all modifications to a contractor's information systems (including software, firmware, hardware, or interfaces and interconnections to networks) to ensure that they are consistent with both the CSA guidelines and the contractor's own SSP. Depending on the nature and degree of the change, the CSA may require the contractor to undergo a system reauthorization. During the reauthorization process, the CSA may grant an IATO.
While the specific requirements to be imposed on a contractor's information system will not be definitive until the CSA has issued written guidance, we do know that the guidance must be based on the current requirements for federal information systems defined in National Institute of Standards and Technology (NIST) Special Publication 800-37, which describes the Risk Management Framework. Accordingly, contractors handling classified information can prepare for the CSA guidance and the ATO process by comparing their existing system protections to those identified in the NIST publication.