As of December 31, 2017, many United States government contractors face a new compliance requirement involving cybersecurity. This requirement will govern most new Department of Defense (DoD) contracts and, significantly, will apply to many current DoD contracts that include the applicable standard contract clause.
On October 21, 2016, DoD issued a final rule, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DFARS Rule), which is intended to address “enhanced safeguarding for certain sensitive DoD information.” The DFARS final rule requires contractors to safeguard information systems and imposes investigation and reporting requirements in the case of cyber incidents.
Under the DFARS rule, contractors will be required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 — a requirement that goes into effect at the end of this month. The DFARS Rule focuses on protecting “covered defense information” (CDI) — that it defines broadly — and stipulates the basic security requirements a defense contractor must implement and maintain. A defense contractor generally must implement the security requirements in the version of NIST SP 800-1717, which were developed for use on contractors’ internal systems and should enable contractors to comply with the requirements using their existing systems and practices — rather than forcing contractors to build a new system and develop practices from scratch in order to be in compliance.
In addition to their own compliance, contractors are also responsible for ensuring that their subcontractors are aware of these requirements. DoD recommends that a prime contractor should minimize the flowdown of covered defense information to subcontractors unless the information is required for subcontractor performance.
Contractors should take steps to ensure compliance with the new rules, as they could face a variety of consequences if they are not in compliance, including: loss of a contract award, a bid protest, a breach of a contract allegation, liability under the False Claims Act, default termination, negative past performance reviews, and suspension and/or debarment.
With continued changes to the cybersecurity requirements expected, contractors need to continue to monitor and develop adequate safeguards on an ongoing basis.
Read more on the DFARS final rule: New DoD Cybersecurity Requirements Go Into Effect