Key Notes:

  • DoD has amended its regulations and policies for safeguarding defense controlled unclassified information.
  • DoD’s requirements and standards forewarn government-wide regulatory and policy changes.
  • Contractors need to proactively assess and prepare their information security and reporting capabilities.

The federal government recently instituted a policy amendment that provides additional insight and guidance for contractors handling controlled unclassified information (CUI). The Department of Defense (DoD) has amended its Procedures, Guidance and Information (PGI) publication to guide DoD contracting officers implementing DoD’s August 26, 2015 interim rule on cybersecurity safeguards and reporting. The interim rule revises the Defense Federal Acquisition Regulation Supplement to implement Section 941 of the 2014 National Defense Authorization Act, imposes new standards for cybersecurity safeguards on DoD contractors possessing CUI in both conventional and cloud networks, and introduces a streamlined reporting mechanism designed to promote rapid reporting of cyber incidents.

The recent PGI updates are technically geared toward contracting officers tasked with enforcing the new rule; however, they contain useful information and insight for DoD contractors who must comply with the rule. For example, the PGI update added a frequently asked questions (FAQ) page addressing a broad range of questions and clarifying some key questions that many contractors believed were not answered in the rule itself, such as:

  • Who is responsible for identifying/marking unclassified covered defense information?
  • What should contractors do when they do not have all the information required by the clause within 72 hours of discovery of any cyber incident?
  • What if a contractor thinks a required security control is not applicable, or that an alternative control or protective measure will achieve equivalent protection?

The FAQ page also addresses a number of detailed questions about specific controls contained in NIST 800-171, the most applicable source of security standards under the interim rule.

The number and complexity of these FAQs confirms what many contractors have feared: Complying with the interim rule and similar agency rules that adopt NIST 800-171 may prove to be a vague, moving target for some contractors. As such, we generally recommend that federal contractors – even those not involved with DoD – consider taking steps now to ensure that their information security plan is compliant with NIST 800-171 and the applicable clauses in their government contracts. More specifically, among other things, contractors can:

  • Assess their own information security capabilities. Examine existing contracts, evaluate known threats, consider the risk of unknown threats, take stock of lessons learned from any previous incidents and evaluate whether present security capabilities comply with current government agency requirements.
  • Monitor their information security capabilities and needs. Be on the lookout for vulnerabilities – even compliant information security systems may be susceptible to certain types and levels of threats. Consider whether there are best practices or industry standards that would improve security capabilities in a way that is consistent with goals and budget. Perform a capabilities and protections audit if not already doing so.
  • Ensure the right policies and procedures are in place. Take steps to ensure employees know how to detect, report and respond to a cyber incident. Having a chain of command in place ensures that a chief information security officer or equivalent person knows about any incidents as promptly as possible. Not only is this a best practice, it will ensure that the organization complies with its reporting obligations under applicable clauses.