Evan D. Wolff; Kate M. Growley, CIPP/G, CIPP/US; Michael G. Gruden, CIPP/G

The Navy has recently issued a policy memorandum entitled “Implementation of Enhanced Security Controls on Select Defense Industrial Base Partner Networks” that calls for heightened cybersecurity requirements and oversight for “critical” government contractors handling their sensitive government data, broadly referred to as controlled unclassified information (“CUI”) or “covered defense information” (“CDI”) within the defense sector. The memo reflects a continued focus within the Department of Defense (“DoD”) on evaluating contractors’ compliance with the Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012 Safeguarding Clause, which defines the baseline protections that all defense contractors need to implement to protect CDI. Under the Clause, contractors must demonstrate their IT security compliance with 110 security controls found within the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 through documentation in a System Security Plan (“SSP”), even if that documentation discusses how certain controls are not yet implemented. The Navy memo takes those requirements several steps further. For example, the Navy will require select contractors to submit fully implemented SSPs for evaluation – something the DoD has generally discussed but not yet done on this programmatic scale. The Navy’s evaluation will also ensure that historically challenging NIST requirements such as multifactor authentication and data encryption are satisfactorily met. Additionally, the Navy will impose wholly new requirements not found in the Clause. Among them is the requirement to allow the Naval Criminal Investigative Services (“NCIS”) to install “network sensors” on contractors’ information systems when NCIS intelligence detects a potential vulnerability.

These Naval additions highlight the potentially divergent approaches that different arms of the DoD are beginning to take in response to their unique risk calculations. The memo serves as a reminder that the extensive cybersecurity requirements of the DFARS are only the floor and remain subject to each government customer identifying its own ceiling.