Could you please provide some guidance on what the COR's responsibilities will be with regard to contractors and their cybersecurity controls, and any references that clearly spell out their roles and responsibilities in regard to contractor cybersecurity?
There is no overarching requirement or directive that identifies or mandates a COR is required to monitor contractor performance to ensure the contractor is compliant with NIST SP 800-171 (or NIST SP 800-53 for that matter).
This needs to be evaluated and determined on a case-by-case basis. The contracting officer and agency cybersecurity experts need to determine who in their agency has the skills and expertise necessary to accomplish that task. If the COR has that skill because of their duty position, training, and experience, then maybe that COR is the right person, and this should be added to their Letter of Designation. If the COR is not skilled, trained, or experienced in being able to do that task, it is probably not a good or wise idea to assign that task to the COR.
Also, there is no requirement for that type of surveillance to be accomplished by a COR. It could be done (as alluded to above) by the individual(s) who are the subject matter experts. They just need to know what their limitations are in dealing with and providing direction to the contractor. Or the KO can assign that person to be a COR, in which case they will need to accomplish all the minimum COR training requirements.
If you decide that you will make this a requirement for your CORs, you will have to make sure that CORs have the skills, knowledge, and abilities to do it. Current DoD COR training does not cover this. Be aware of unintended consequences: if you make a blanket determination to assign this to the current COR, it may become harder and harder to attract more people to volunteer to be CORs.
Please go to DoDI 5000.72, and then look through Enclosure 6, Table 1 (starting on page 23). This is a list of potential responsibilities that could be delegated to a COR. Any responsibilities selected should be identified in the COR's Letter of Designation. If you need a cybersecurity expert for this task and want to make them a COR, refer to Table 4 on page 29. It may behoove you to identify the requirement as a "Type C".