This month marks an important waypoint for defense contractors subject to the new cybersecurity requirements imposed by the Department of Defense. For contractors subject to the requirements of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (the clause), the deadline for compliance with the clause’s cybersecurity requirements is Dec. 31, 2017, giving covered defense contractors just six months to ensure compliance with the standards prescribed by the clause.
As covered contractors push to meet this deadline, they should keep in mind a few important features of the clause. The clause must be included in all Department of Defense contracts ‒ other than contracts for commercially available, off-the-shelf items ‒ but the obligations it imposes on individual contractors can vary considerably.
The clause affects contractors and subcontractors whose IT systems are used to store or transmit covered defense information (CDI). Though CDI is broadly defined to include any unclassified information that requires safeguarding or dissemination controls in accordance with law, regulation or other government policies, contractors are well-advised to identify the precise types of CDI that may transit through or be stored on their information systems in order to best determine the scope of their security obligations. For most contractors, these obligations will be satisfied by implementing the standards prescribed by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, titled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. However, the clause also prescribes procedures for approving alternative security measures that may be implemented in lieu of NIST SP 800-171. By identifying the types of CDI transiting through or stored on its information system, a contractor can better determine whether to consider seeking approval of any such alternative.
Finally, the clause prescribes additional requirements for contractors using external, cloud-based information systems or services and requires contractors to ensure such external services comply with security requirements equivalent to those established by the government for the Federal Risk and Authorization Management Program (FedRAMP) moderate baseline.
With only six months remaining until covered contractors and subcontractors must finish implementing their security measures, it is imperative for contractors and subcontractors to quickly identify the scope of their requirements.
As reported in a previous alert by BakerHostetler’s Government Contracts team, the past year has seen significant increases in federal contractors’ obligations in connection with cybersecurity compliance. These increased obligations, however, can be addressed efficiently through advance planning and assessments of contractors’ requirements.