U.S. Department of Defense (DoD) contractors face new cybersecurity compliance requirements, including a significant deadline set for December 31, 2017.
Most DoD contracts now include clauses imposing obligations on contractors’ protection of government information and reporting of cyber incidents. These obligations include a requirement for contractors to comply with the cybersecurity standards set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
Contractors must comply with the NIST standards no later than the end of calendar year 2017. Submission of a proposal to DoD now serves as a specific representation that the offeror meets these compliance requirements. Failure to meet the NIST standards potentially opens the door to more stringent government enforcement actions and liability under the False Claims Act.
All DoD contracts, with the exception of contracts for commercially available off-the-shelf (COTS) goods or services, must now include DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), implemented in October 2016, as a contract clause. This contract clause:
- Imposes minimum security requirements for unclassified information collected or stored in performance of a DoD contract,
- Contains specific requirements for cloud computing services,
- Contains specific security requirements for contracts for systems operated on behalf of the government,
- Requires on other contracts, contractors must meet the standards set forth in NIST SP 800-171 no later than December 31, 2017; and
- Imposes specific reporting requirements for cyber incidents.
DFARS 252.204-7008 (Compliance with Safeguarding Covered Defense Information Controls) makes the above-referenced DFARS security requirements, including the December 31, 2017 NIST compliance deadline a specific representation made by the contractor by virtue of its proposal submission.
NIST SP 800-171 provides federal agencies with recommended requirements for protecting (i) controlled unclassified information (CUI) while such CUI resides outside of federal information systems and organizations (such as third party service providers); (ii) the systems where the CUI resides, which may not be used or operated by contractors of federal agencies or other organizations on behalf of such agencies; and (ii) CUI where there are no specific safeguard requirements for CUI protection prescribed by authorized law, regulation or government policy. NIST identifies 14 distinct areas or “families” of security requirements for protecting CUI in nonfederal information systems and organizations:
- Access Control – Limit system access to authorized users, limit access to types of transactions and functions.
- Awareness and Training – Adequately train managers, system administrator and users of security risks.
- Audit and Accountability – Create, protect and retain audit records to enable monitoring, analysis, investigation and reporting, and trace actions and hold accountable each individual users.
- Configuration Management – Establish and maintain baseline configuration and inventories of information systems and enforce security configuration settings.
- Identification and Authentication – Identify and authenticate users, process, and devices prior to allowing access to systems.
- Incident Response – Establish operating procedures for incident handling, track, document and report incidents to appropriate officials internal and external to the organization.
- Maintenance – Perform maintenance and provide effective controls on tools, techniques and personnel used to conduct maintenance.
- Media Protection – Protect information system media, both paper and digital, limit access to the media and sanitize or destroy media before its disposal or reuse.
- Personnel Security – Screen individuals prior to allowing access to systems containing CUI and protect systems during and after personnel actions such as termination or transfers.
- Physical Protection – Limit physical access to systems, equipment and environments to authorized personnel, protect and monitor physical facilities and infrastructure.
- Risk Assessment – Conduct periodic risk assessments of organizational operations, assets, people, and associated processing, storage or transmission of CUI.
- Security Assessment – Periodically access and monitor security controls, develop and implement plans of action to correct or eliminate deficiencies and vulnerabilities.
- System and Communications Protection – Monitor, control and protection communications at external and internal organizational boundaries, employ techniques, designs and principles that promote effective security.
- System and Information Integrity – Timely identify, report and correct system flaws, protect from malicious code and monitor system security alerts and advisories and respond appropriately.