Magazine article National Defense

Contractors Must Contend with New Cybersecurity Rule

Article excerpt

The April 2017 issue of National Defense reported on key aspects of the Defense Department rule on "Safeguarding Covered Defense Information and Cyber Incident Reporting" and actions that contractors could take to implement the rule.

The aim of the Defense Federal Acquisition Regulation Supplement rule is to protect covered defense information, which includes unclassified controlled technical information or other information as described in the Controlled Unclassified Information Registry administered by the National Archives. This article reports on new guidance and basic actions that contractors can take to achieve compliance.

The basic construct of DFARS 252.204-7012 has not changed. The final October 2016 version requires that contractors provide "adequate security on all covered contractor information systems" and "rapidly report" any "cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract."

Under the rule, contractors bidding on or entering into contracts must have implemented the 110 security requirements set out in National Institute of Standards and Technology Special Publication 800-171 by Dec. 31, 2017. Satisfying the requirements includes establishing a system security plan that describes how the contractor is implementing the security requirements and any exceptions to them, together with a plan of action and milestones to correct deficiencies and reduce vulnerabilities.

Whether a vendor's contract was issued before Oct. 1 or after, the DFARS clause makes it clear that the vendor must do one of three things: implement the NIST SP 800-171 requirements, seek an exception to the application of the rule, or disclose and request approval of an alternative but equally effective security measure to be implemented in place of a given requirement.

The DFARS rule provides for the inclusion of the clause in all contracts, including those for commercial items, except contracts solely for the acquisition of commercial off-the-shelf items. Contractors must flow the clause down to "subcontracts, or similar contractual instruments" for "operationally critical support" or where subcontract performance will "involve covered defense information."

Finally, contractors must also be prepared to identify, assess, report, provide and preserve data on a suspected or actual cyber incident in order to meet the clause's 72-hour rapid reporting requirement. The government has the right to access covered contractor information systems and equipment relating to a cyber incident.

Now that Dec. 31 has passed, some defense contractors are wondering how the deadline affects them. The answer depends on whether the contractor already holds a defense contract that requires handling of covered defense information and contains the DFARS clause, or is instead poised to make an offer on a future contract of that kind.

For contracts issued before Dec. 31, recent guidance clarifies that the clause does not require a contractor's covered information systems to be fully compliant with all 110 security requirements of the special publication by that date. Sept. 21 guidance issued by Shay Assad, the director of defense procurement and acquisition policy, advises that contractors will be considered compliant for purposes of the DFARS clause's end-of-year deadline if they have a system security plan and an associated plan of action and milestones setting out how and when they will become compliant.

The guidance states: "To document implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline, companies should have a system security plan in place, in addition to any associated plans of action to describe how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems. …
