
Dear valued supplier,

Cyber-attacks across society continue to increase in frequency and sophistication. This issue is particularly acute for the aerospace and defense industry where cyber breaches can have enormous consequences for our businesses and our national security. It is imperative that suppliers for Elbit Systems of America understand the significance of this issue and our shared role in complying with DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

This regulation subjects covered contractor information systems to security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Accordingly, Elbit Systems of America now requires that all suppliers receiving Covered Defense Information complete a NIST SP 800-171 self-assessment questionnaire.

We have engaged Exostar – a widely used provider of secure information sharing solutions in our industry – to host this questionnaire. Please expect an invitation to complete the questionnaire and other related communications from our company and Exostar over the next few months. To learn more about Exostar, please visit: https://www.exostar.com/.

Completing this assessment is a mandatory requirement for suppliers receiving Covered Defense Information. We appreciate your collaboration throughout this process.



Corbett Walther
Vice President of Supply Chain
Elbit Systems of America, LLC


Wayne Belluche
Chief Security Officer
Elbit Systems of America, LLC


Robert Biggers
Chief Information Security Officer
Elbit Systems of America, LLC

FAQ

Why is EXOSTAR contacting me?

Starting this June, Elbit Systems of America (ESA) will begin our campaign, in conjunction with Exostar, to address cybersecurity compliance in our supply base. During this time you will receive communications from both ESA and Exostar instructing you on the next steps to be taken.

We are requiring all suppliers with systems that collect, develop, receive, transmit or store covered defense information (CDI) to complete the NIST SP 800-171 self-assessment in Exostar.

What is exactly required?

There are two things we ask of suppliers in this process. We are now in the second part:

1. By July 13, 2018, we asked that you identify the point of contact who is responsible for reporting on your company’s cybersecurity compliance.

2. Have your company complete the NIST SP 800-171 questionnaire hosted within EXOSTAR by October 1, 2018. At this time we are only asking that you complete the NIST SP 800-171 form in Exostar, not the Cybersecurity questionnaire.

Why was I chosen to complete this process? Why am I receiving this invitation?

We are using EXOSTAR’s Partner Information Manager to collect information about our suppliers. You are our primary contact within your organization. As a result, your contact details were provided to EXOSTAR to receive an invitation to complete the form(s) we have requested. If you are not the right person to complete the NIST form, please contact EXOSTAR’s Support Team at 703-793-7800 (US) or 0203 3007093 (UK) for assistance with adding the right contact.

If your company has received a request to complete the NIST Questionnaire, the right person to fill out a NIST form is your Cyber Security Administrator or a member of your Information Security team.

Why does my company have to complete the NIST SP 800-171 questionnaire?

If you are a contractor who receives Covered Defense Information from Elbit Systems of America in support of a DoD project, NIST SP 800-171 applies to you.

Complying with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, requires that DoD contractors implement NIST SP 800-171 as soon as practicable, but no later than December 31, 2017, for information technology systems that collect, develop, receive, transmit or store covered defense information.

What is Covered Defense Information?

As defined by DFARS Clause 252.204-7012:

“Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

For the most current definition, please visit:
https://www.acq.osd.mil/dpap/dars/DFARS/html/current/252204.htm#252.204-7012

Who should complete the NIST SP 800-171 self-assessment for my company?

The person to complete the NIST SP 800-171 is typically the person responsible for reporting on your company’s Cybersecurity controls. That person is usually responsible for cybersecurity and/or information security related matters.

What do I need to know to set up my Exostar account?

Following our email, you should receive an invitation to PIM from Exostar if you do not already have an account. Emails will follow with instructions from Exostar on how to set up your account. It is important to note that you will need to:

1. Complete your first-time login. For help, go to:
http://myexostar.com/Managed-Access-Gateway/User-Training/

2. Accept the Exostar service agreement

For help with:

1. Purchasing or activating your one-time password (OTP) token, visit: http://www.myexostar.com/uploadedFiles/Pages/10_Find_Information_by_APPLICATION/A10_One_Time_Password_(OTP)/_Content/OTP%20User%20Guide(2).pdf

2. Issues related to setting up your Exostar account, please contact EXOSTAR’s Support Team at 703-793-7800 (US) or 0203 3007093 (UK).

Will I need to purchase anything to access EXOSTAR?

You only need to purchase a token if your company has not already done so (i.e. if you have not already done this for another customer). We have elected to require this authentication credential because it mitigates security risk by providing a stronger assurance level and better identity protection than conventional username/password credentials, which are vulnerable to theft. Otherwise you can use an existing token.

In order to access the Exostar application Partner Information Manager (PIM), where the NIST SP 800-171 questionnaire is hosted, you will be required to authenticate with at least a phone-based “OTP token” for security purposes. The price for this is $20.00 USD for domestic suppliers and $47.00 for international suppliers. We do not require any higher level of identity proofing for this.

For more info please visit: http://www.myexostar.com/iam-resources/

What if my company has already completed this in EXOSTAR?

The Exostar administrator at your company can easily share the already completed NIST SP 800-171 form by clicking the “Share” button in Exostar following our request. If your company never received a share request from Elbit Systems of America, then please email Suppliers@elbitsystems-us.com, identifying the Exostar ID that completed the NIST questionnaire.

For more details on sharing and navigating Exostar, visit Page 14 of the PIM instructions at:
http://www.myexostar.com/WorkArea/DownloadAsset.aspx?id=6517

I need help in answering the questionnaire, can Elbit Systems of America help?

As this is a self-assessment of your company’s security controls, ESA can provide no assistance in how you answer or interpret the controls. However, there are numerous resources at your disposal to better understand NIST SP 800-171. Some resources available are:

https://EXOSTAR.atlassian.net/wiki/spaces/EN8/pages/73597166/NIST+800-171+Controls+Information

https://ics-cert.us-cert.gov/Assessments (Scroll to CSET tool)

EXOSTAR does offer professional services outside this to assist suppliers with their cyber programs. See here: https://www.EXOSTAR.com/file/2017/06/Cybersecurity_Gap_Analysis_Assessment_17July2017.pdf

What if I have a certification from a 3rd party that confirmed my information systems are NIST SP 800-171 compliant?

An EXOSTAR NIST SP 800-171 Questionnaire must be completed, regardless of 3rd party certification that your information systems are NIST SP 800-171 compliant, prior to the release of CDI.

Is an ISO 27001 certification sufficient for being NIST SP 800-171 compliant?

No. ISO 27001 certification is NOT a sufficient substitute for demonstrating NIST SP 800-171 compliance. NIST SP 800-171 has additional technical security controls not required by ISO 27001.

DFARS Clause 252.204-7012 also includes additional requirements beyond the scope of NIST SP 800-171, such as mandatory cyber incident reporting, malicious software and media preservation, and subcontractor/supplier flow-downs in all contracts/purchase orders that require the protection of CDI.

My company has an EXOSTAR account, and I am the Admin. Why was a user added to my account? Who authorized this?

Based on the primary contact we have listed for your company, that person was identified as the person who should complete the NIST SP 800-171 form. If this is incorrect, then forward our request to the correct person(s). Typically the person to complete this is someone responsible for cybersecurity or related matters.

Although your company is still responsible for completing the requested form, the Administrator can delete the user(s) via the Administration tab in your Managed Access Gateway. This help document can provide further assistance for user management activities: http://www.myEXOSTAR.com/WorkArea/DownloadAsset.aspx?id=334

What is the ESA Contact Form and where can I access it?

The ESA contact form is where you identify the person at your company who is responsible for reporting on your company’s compliance with the new Department of Defense (DoD) cybersecurity standards.

It is hosted by Exostar and can be accessed via the link in your email from EXOSTAR, or you can access it here:

https://forms.na2.netsuite.com/app/site/crm/externalcustrecordpage.nl/compid.861427/.fformid=84&h=AACffht_hlzXdHMCffpMeHA2EEUNvD0B3Zw&entity=ElbitCustomer&formid=84&h=AACffht_hlzXdHMCffpMeHA2EEUNvD0B3Zw&entity=Elbit Customer

When is the deadline for everything?

The deadline to complete the ESA Contact Form to identify the person that will complete the Cybersecurity (NIST SP 800-171) questionnaire was July 13, 2018.

The deadline to have your company share and complete the NIST SP 800-171 questionnaire in Exostar is October 1, 2018.

How is my data being used?

NIST Compliance Questionnaire: The information you provide will be used to help us understand your company’s NIST compliance. It is only shared with customers that you choose to share your answers with.

Can someone provide assistance/guidance on answering the questions on the form(s)?

No. EXOSTAR’s and ESA’s support to suppliers does NOT include assistance in understanding or advice in answering the questions on the forms. EXOSTAR’s support is limited to the use of the form, not the content of the questions. However, EXOSTAR does offer professional services to assist suppliers with their cyber programs. See here: https://www.EXOSTAR.com/file/2017/06/Cybersecurity_Gap_Analysis_Assessment_17July2017.pdf

This is a separate service from EXOSTAR’s Partner Information Manager but can be tied to your form responses.

How do I register my token?

Please contact EXOSTAR’s Support Team at 703-793-7800 (US) or 0203 3007093 (UK).

Where can I learn more about the DFARS Clause 252.204-7012 requirement?

Is 3rd Party assessment of Compliance Required?

3rd party assessments or certifications are not required, authorized, or recognized by DoD. By signing the contract, the contractor agrees to comply with its terms.

In order to safeguard covered defense information, companies with limited cybersecurity expertise may choose to seek outside assistance in determining how best to meet and implement the NIST SP 800-171 requirements in their company. But, once the company has implemented the requirements, there is no need to have a separate entity assess or certify that the company is compliant with NIST SP 800-171.

My company has an EXOSTAR account already. How can I subscribe to PIM and complete the form?

If you have not received instructions from EXOSTAR, please wait until you receive that communication before taking any action. If you have already received a notice from EXOSTAR and still require assistance, please contact EXOSTAR’s Support Team at 703-793-7800 (US) or 0203 3007093 (UK).

My organization has already demonstrated compliance with NIST SP 800-53. Can you accept this as proof that we are also NIST SP 800-171 compliant?

1. NIST 800-53 has controls, but the mechanisms vary by the risk level that you have associated with the information system that needs to be protected.

2. NIST 800-171 is derived from 800-53 and specifies the risk level as Moderate (the three risk levels are High, Moderate and Low).

3. If a supplier believes they are compliant with NIST 800-53 Moderate or above, they most probably can show compliance, but it is not guaranteed:

a. 800-171 is derived from 800-53, but it identifies specific requirements, such as 2FA for network access for normal users (I do not believe 800-53 goes to that level of prescription).

Our advice to the supplier is that they should complete the NIST 800-171 Compliance Questionnaire. If they are compliant with NIST 800-53, then it should be easy to show compliance with NIST 800-171. Compliance with 800-171 means the following:

1. You answer ‘Yes’ to every security control in the 800-171 questionnaire, or, if you answer ‘No’ to some controls, you also have an SSP (System Security Plan) and a POAM (Plan of Action and Milestones) in place for those controls where you answered ‘No’.

When do I need to complete this by?

Please complete the requested forms within 30 days of receiving your invitation/instructions from EXOSTAR.

Any other application, login, registration related questions...

Please contact EXOSTAR’s Support Team at 703-793-7800 (US) or 0203 3007093 (UK).