Government contractors need to ramp up efforts to comply with new cybersecurity standards issued by the Department of Defense last fall, which carry a Dec. 31, 2017 compliance deadline.
The DoD’s new standard — Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” — follows on guidance issued by the National Institute of Standards and Technology. See also related FAQs issued by the DoD.
According to law firm Baker Hostetler, the DFARS:
“It is imperative for contractors and subcontractors to quickly identify the scope of their requirements,” said W. Barron Avery of Baker Hostetler.
Challenges facing government contractors
As highlighted in the Government Technology article “Federal cybersecurity directive looms over contractors”:
“There is no latitude on the Dec. 31, 2017 deadline” to implement the DoD’s new DFARS clause pertaining to cybersecurity, said Tom Tollerton, manager, IT advisory at Dixon Hughes Goodman LLP. “Indeed, there is an expectation of compliance by October, and any exceptions must be documented and reported to the DoD contracting officer.”
Tollerton notes that contractors often struggle with understanding how to perform a comprehensive assessment of their environment, and how to remediate any issues that impair compliance. He warns, “These remediation actions often take time to complete and many contractors are concerned that they may struggle to meet the compliance deadline.”
Key areas of focus in the DFARS clause relate to covered defense information and controlled unclassified information. Definitions of key terms can be found in this summary by Covington and Burling, LLP.
“We often see clients struggle to fully understand the definition of controlled unclassified information (CUI) and how such information may traverse or be stored on their network,” says Tollerton. “Without a firm understanding of the nature and scope of CUI data, it can be difficult to ensure that compliance requirements are fully met.”
Tollerton is slated to speak at the MACPA’s Government Contractors’ Conference, taking place on Sept. 18 at the College Park Marriott Hotel and Conference Center in Hyattsville, Md. The conference is also available via simulcast.
“I intend to bring a full understanding of the DoD’s compliance requirement, the associated NIST 800-171 framework of controls for protecting CUI, as well as immediate actions to take to try to achieve compliance by the deadline,” said Tollerton of his planned remarks at the conference.
“With the change in administration, regulatory, compliance and budget priorities are shifting,” said Conference Chair Brian Israel, business development executive for DHG’s Baltimore and Metro DC Region.
“We are also on the cusp of some significant accounting policy changes related to revenue recognition and leases, in addition to the important new cybersecurity requirements. All of these topics will be covered by our industry expert presenters,” he said. “Our conference will be a great opportunity to network with seasoned government contracting professionals.”
Register here to attend the Government Contractors’ Conference in person or via the simulcast.