Businesses that seek to obtain and preserve contracts with the United States government, or to deal in certain enumerated defense articles and services, are subject to strict privacy regulations imposed by the U.S. government. For those under contract (or subcontract) with the U.S. Department of Defense (DoD), the Defense Federal Acquisition Regulation Supplements (DFARS) place stringent minimum security requirements and reporting obligations that must be met, otherwise a business could face financial penalties or termination of its contract. Businesses that export and import defense articles or services and related technical data must comply with the International Traffic in Arms Regulations (ITAR), which comprise approval, registration and records maintenance requirements. If a violation of ITAR is voluntarily reported, the penalties imposed by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) can be reduced. Businesses subject to DFARS and ITAR should have a compliance program in place that includes an appropriate response to any security incident.
DFARS Overview
Subpart 204.73 of the DFARS is a set of cybersecurity regulations that the DoD imposes on external contractors and suppliers. The DFARS is intended to maintain cybersecurity standards according to requirements laid out by the National Institute of Standards and Technology (NIST), specifically NIST SP 800-171. These standards were constructed to protect the confidentiality of Controlled Unclassified Information (CUI) that requires safeguarding or dissemination controls and is either (1) identified in the contract and provided to the contractor by or on behalf of the DoD in support of the performance of the contract, or (2) collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract. [DFARS §204.7301.] DoD contractors had until December 31, 2017, to become DFARS compliant; with the deadline now past, all DoD contractors must meet the minimum requirements and show proof to the DoD for all contracts moving forward.
To meet the minimum requirements of DFARS, DoD contractors must:
- Provide adequate security to safeguard covered defense information that resides in or transits through internal unclassified information systems from unauthorized access and disclosure. While there is no prescribed format or specified level of detail for system security plans, organizations should use the NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements (NIST HB 162) as a guide to implementing the requirements of SP 800-171.
- Rapidly report cyber-incidents and cooperate with the DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.
Penalties for Noncompliance:
DoD contractors that are audited by the DoD and are found noncompliant with DFARS will likely receive a stop-work order, meaning work for the DoD will be suspended until suitable security measures are implemented to protect CUI. In addition, the DoD may impose financial penalties, including damages for breach of contract and false claims. In the worst-case scenario, a noncompliant DoD contractor could have its contracts with the DoD terminated and possibly face suspension or debarment from working with the DoD again.
Notification Obligations
DFARS requires rapid reporting within 72 hours of discovery of all intrusions and any actual or potential security threats. Reports can be made online by completing the fields in the Incident Collection Form (ICF). Access to this form requires a DoD-approved medium assurance public key infrastructure (PKI) certificate. If a company does not have a PKI certificate, it may contact the DoD Cyber Crime Center (DC3) for additional information. Contractors and subcontractors have an obligation to report; a subcontractor must provide the incident report number to the prime contractor.
If a contractor does not have all information required by section 204.7203 within 72 hours of discovery of a cyber-incident, the contractor/subcontractor should report whatever information is available within 72 hours. When more information becomes available, the contractor/subcontractor should submit a follow-up report with the added information. See DFARS FAQs for additional information.
Section 204.7203 of DFARS provides:
(b) Contractors and subcontractors are required to rapidly [within 72 hours of discovery of any cyber-incident] report cyber-incidents directly to the DoD. Subcontractors provide the incident report number automatically assigned by DoD to the prime contractor. Lower-tier subcontractors likewise report the incident report number automatically assigned by DoD to their higher-tier subcontractor, until the prime contractor is reached.
(1) If a cyber-incident occurs, contractors and subcontractors submit to DoD:
(i) A cyber-incident report;
(ii) Malicious software, if detected and isolated; and
(iii) Media (or access to covered contractor information systems and equipment) upon request.
ITAR Overview
The ITAR, 22 C.F.R. §§ 120-130, control the export and import of defense articles (including technical data) as defined on the United States Munitions List (USML, part 121 of the ITAR) and defense services. The United States government requires that all manufacturers, exporters and brokers of defense articles, defense services or related technical data be ITAR compliant.
Getting and Staying in Compliance:
The ITAR requires a company engaged in the manufacturing, exporting, temporary importing or brokering of defense articles (including technical data) to (1) register with the Directorate of Defense Trade Controls (DDTC), (2) maintain records as required by 22 C.F.R. § 122.5, and (3) obtain licenses or other approvals prior to making exports or temporary imports, or engaging in brokering agreements.
Establish and Maintain a Compliance Program:
The DDTC strongly advises parties engaged in defense trade to establish and maintain an ITAR/export compliance program. Possessing defense articles or technical data increases the risk of an inadvertent violation. Many companies that don’t engage in manufacturing, exporting or brokering still maintain compliance programs to reduce the risk of such violations. A good program is generally clearly documented in writing, tailored to the business, regularly reviewed/updated and fully supported by management.
Reporting Requirements (22 C.F.R. § 127.12 Voluntary Disclosures)
The ITAR “strongly encourages” the prompt disclosure of any violation, or suspected violation, to the DDTC. The proper disclosure of a violation, or potential violation, can be a significant mitigating factor in DDTC’s analysis of such violations. Failure to report a violation is considered by the DDTC when assessing penalties.
Examples of common violations include:
- Export without authorization
- Unauthorized access to technical data
- Failure to comply with license provisos
- Failure to maintain required records
- Failure to register or maintain registration
- Misuse of ITAR exemptions
How to Voluntarily Disclose:
Any person wanting to disclose information that constitutes a voluntary disclosure should follow these steps:
- Notify DDTC immediately after a violation is discovered.
- Conduct a thorough review of all defense trade transactions where a violation is suspected.
- If the initial notification does not contain all the required information, a full disclosure must be submitted within 60 calendar days of the notification, or the DDTC will not consider the notification a voluntary disclosure. If you are unable to provide full disclosure within the 60-day deadline, an Empowered Official or a senior officer may request an extension in writing. The request must specify what information could not be provided immediately and the reasons why.
What to Include in a Voluntary Disclosure:
Notification of a violation must be in writing and should include the following information:
- A precise description of the nature and extent of the violation
- The exact circumstances surrounding the violation (a thorough explanation of why, when, where and how the violation occurred)
- The complete identities and addresses of all persons known or suspected to be involved in the activities giving rise to the violation (including mailing, shipping and email addresses; telephone and fax/facsimile numbers; and any other known identifying information)
- U.S. Department of State license numbers, exemption citation or description of any other authorization, if applicable
- U.S. Munitions List category and subcategory, product description, quantity, and characteristics or technological capability of the hardware, technical data or defense service involved
- A description of corrective actions already undertaken that clearly identifies the new compliance initiatives implemented to address the causes of the violations set forth in the voluntary disclosure and any internal disciplinary action taken; and how these corrective actions are designed to deter those particular violations from occurring again
- The name and address of the person making the disclosure and a point of contact, if different, should further information be needed.
How to Submit a Voluntary Disclosure:
ITAR § 127.12(g) requires that hard copies of voluntary disclosures be sent to the DDTC. Disclosures may be submitted via mail or overnight delivery to the following addresses:
DDTC Postal Mail:
PM/DDTC, SA-1, 12th Floor
Office of Defense Trade Controls Compliance
Directorate of Defense Trade Controls
Bureau of Political Military Affairs
U.S. Department of State
Washington, D.C. 20522-0112

DDTC Express Mail & Courier Delivery:
U.S. Department of State
PM/DDTC, SA-1, 12th Floor
2401 E Street, NW
Washington, D.C. 20226
Government contractors need to be aware of the requirements and restrictions of the DFARS and ITAR. Those not in compliance should take prompt action to review and revise their privacy and security policies to meet the minimum requirements outlined above. Moreover, contractors should have a plan in place in the event of a security incident, as compliance with the notification and disclosure provisions of these regulations can go a long way toward eliminating or reducing any penalties.