Earlier this year, we reported on the Department of Defense’s (DOD) imposition of new and revised cybersecurity requirements on DOD prime and subcontractors. The new requirements reflected in DOD’s interim rule, among other things, expanded the clause governing unclassified controlled technical information to cover all “covered defense information,” replaced old safeguarding requirements, and expanded contractors’ reporting obligations in the event of a cyber incident. Since DOD released these new and revised requirements, which took effect immediately, contractors have been hustling to understand the requirements and to ensure full compliance.
Just last week, likely in an attempt to address some of the confusion surrounding the new and revised requirements in the interim rule, DOD released (1) updated Defense Federal Acquisition Regulation Supplement (DFARS) Procedures, Guidance and Information (PGI), and (2) Frequently Asked Questions (FAQs) covering network penetration reporting, safeguarding covered defense information, and cloud services. These two documents shed light on the manner in which DOD is implementing the cybersecurity requirements. For example, together the FAQs and the PGI:
- Explain why DOD replaced the security protections from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 with the NIST SP 800-171;
- Provide DOD’s interpretation of the security controls outlined in NIST SP 800-171;
- Describe how covered defense information and operationally critical support will be identified;
- Provide examples of operationally critical support;
- Clarify that the DOD Cyber Crime Center is the “operational focal point” for receiving reports of cyber threats and cyber incidents; and
- Dictate the roles and responsibilities of the Contracting Officer and/or the requiring activity in, among other things, identifying and marking unclassified controlled technical information, handling a reported cyber incident, and conducting damage assessment activities.
Contractors struggling with how, precisely, to implement DOD’s cybersecurity requirements should look to this issued guidance to see if it addresses the questions they have and use it in formulating their own compliance plans. Additionally, contractors should consider attending DOD’s recently-announced “Industry Implementation Information Day” on December 14, 2015, wherein the department will present a briefing regarding DOD’s new and revised cybersecurity requirements. Information on the industry day, including registration information, can be found here.