Government contractors need to ramp up efforts to comply with new cybersecurity standards issued by the Department of Defense last fall, which carry a Dec. 31, 2017 compliance deadline.
The DoD’s new standard — Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” — follows on guidance issued by the National Institute of Standards and Technology. See also the related FAQs issued by the DoD.
According to law firm Baker Hostetler, the DFARS:
- Is required to be included in all Department of Defense contracts (other than contracts for commercially available, off-the-shelf items), but the obligations it imposes on individual contractors can vary considerably.
- Affects contractors and subcontractors whose IT systems are used to store or transmit covered defense information.
- Will be satisfied, for most contractors, by implementing the standards prescribed by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
- Prescribes procedures for approving alternative security measures that may be implemented in lieu of NIST SP 800-171.
- Prescribes additional requirements for contractors using external, cloud-based information systems or services and requires contractors to ensure such external services comply with security requirements equivalent to those established by the government for the Federal Risk and Authorization Management Program moderate baseline.
“It is imperative for contractors and subcontractors to quickly identify the scope of their requirements,” said W. Barron Avery of Baker Hostetler.
Challenges facing government contractors
As highlighted in the Government Technology article “Federal cybersecurity directive looms over contractors”:
- “We are finding that a lot of companies are not aware of this requirement and face losing their government contracts,” said Tamara Wamsley, a strategist with Fastlane. “This issue could impact the success of many local companies, could result in lost jobs. This is a big deal.”
- “It’s not just for R&D firms,” said Rob Gillen, program manager and senior electrical engineer for Fastlane. “It’s for janitors, it’s for accountants.”
- Today, the rule affects only Department of Defense contractors. But Gillen said it will “almost certainly” expand to cover every federal contractor and subcontractor.
- The rule is essentially a list of 110 requirements with which contractors must comply.
“There is no latitude on the Dec. 31, 2017 deadline” to implement the DoD’s new DFARS clause pertaining to cybersecurity, said Tom Tollerton, manager, IT advisory at Dixon Hughes Goodman LLP. “Indeed, there is an expectation of compliance by October, and any exceptions must be documented and reported to the DoD contracting officer.”
Tollerton notes that contractors often struggle with understanding how to perform a comprehensive assessment of their environment, and how to remediate any issues that impair compliance. He warns, “These remediation actions often take time to complete and many contractors are concerned that they may struggle to meet the compliance deadline.”
Key areas of focus in the DFARS clause relate to covered defense information and controlled unclassified information. Definitions of key terms can be found in this summary by Covington and Burling, LLP.
“We often see clients struggle to fully understand the definition of controlled unclassified information (CUI) and how such information may traverse or be stored on their network,” says Tollerton. “Without a firm understanding of the nature and scope of CUI data, it can be difficult to ensure that compliance requirements are fully met.”
Tollerton is slated to speak at the MACPA’s Government Contractors’ Conference, taking place on Sept. 18 at the College Park Marriott Hotel and Conference Center in Hyattsville, Md. The conference is also available via simulcast.
“I intend to bring a full understanding of the DoD’s compliance requirement, the associated NIST 800-171 framework of controls for protecting CUI, as well as immediate actions to take to try to achieve compliance by the deadline,” said Tollerton of his planned remarks at the conference.
“With the change in administration, regulatory, compliance and budget priorities are shifting,” said Conference Chair Brian Israel, business development executive for DHG’s Baltimore and Metro DC Region.
“We are also on the cusp of some significant accounting policy changes related to revenue recognition and leases, in addition to the important new cybersecurity requirements. All of these topics will be covered by our industry expert presenters,” he said. “Our conference will be a great opportunity to network with seasoned government contracting professionals.”
Register here to attend the Government Contractors’ conference in-person or via the simulcast.