Cybersecurity Requirements Under Government Contracts
Cybersecurity—A Growing Challenge
The rise of cyber attacks and security compromises dramatically illustrates the vulnerability of unclassified, but sensitive, data. As holders of some of the government’s most sensitive data, contractors face increasing obligations to protect against cyber attacks.
Regulatory overview. The most comprehensive cyber protections currently apply to DoD contracts, under the DFARS. The FAR, which applies to all government procurements, contains a subset of those protections, but a revision is expected soon that will likely make the FAR rule similar to the DFARS rule. The basic policy is that all covered systems must have adequate security, and that breaches must be investigated and reported.
Defense Federal Acquisition Regulation System Requirements
Coverage. DFARS Clause 252.204-7012, Safeguarding CDI and Cyber Incident Reporting, applies to all DoD contracts and subcontracts (except procurements solely for COTS) that contain Covered Defense Information (CDI). The clause requires enhanced safeguarding of unclassified information systems. It is a mandatory flow-down clause in all subcontracts at all tiers that are for operationally critical support or whose performance will involve a covered system with CDI. If the clause is in a contract, it is effective now.
Covered Defense Information. CDI is defined as unclassified controlled technical information or other information that requires safeguarding or dissemination controls and is: (1) marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in the performance of the contract; or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. Properly identifying data that falls under prong (2) can be a challenge for contractors and may require professional assistance.
Required protections. Contractors must provide adequate security for covered internal systems with CDI, and at a minimum shall (1) “implement NIST SP 800-171 as soon as practical but not later than December 31, 2017;” or (2) submit a written plan for “alternative but equally effective” controls through the CO to the DoD CIO for approval. The DoD CIO is tasked with providing alternative control assessments within 5 days.
NIST 800-171 Requirements. Implementation of NIST 800-171 means having a System Security Plan (“SSP”) and Plan of Action and Milestones (“POA&M”) that accurately reflect the status of compliance with the 800-171 security controls and a plan to incorporate all requirements. NIST 800-171 includes 110 required security controls, in 14 security “families.” DCMA will audit contractor security programs for compliance.
Reporting Requirements. In addition to security controls, contractors and subcontractors must report cyber incidents on covered contractor information systems within 72 hours, must conduct a review for evidence of compromise, and must take other steps to mitigate the compromise and cooperate with the DoD. Contractors must have a DoD-approved medium assurance certificate to report cyber incidents.
Federal Acquisition Regulation System Requirements
Coverage. FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, applies to all federal contracts and subcontracts at any tier (except for COTS products) that contain “Federal Contract Information” (which is similar to CDI), and requires basic safeguarding of contractor systems.
Requirements. FAR 52.204-21 imposes 15 security control requirements that correlate to 17 NIST 800-171 security controls (limited subset). The FAR rule does not include an incident reporting requirement. A report on revising the FAR rule to make it similar to the DFARS rule is scheduled for release July 26, 2017.
Contract cybersecurity requirements are complex, and contractors should be diligent in confirming that they understand their obligations. This is especially true given that the FAR rule, which will apply across the entire federal government, is expected to be similar to the current highly prescriptive DFARS clause.
Additional Information
If you have questions regarding cybersecurity requirements or other federal government contract issues, contact the professionals at Williamson Law Group at (301) 788-8198 for confidential and candid assistance and counsel, or e-mail Scott Williamson, managing attorney, at srw@williamsonlawgroup.com.
This Contract Compliance Update is intended to keep readers current on developments in federal government contract matters and is not intended to be legal advice. If you have any questions, please contact Williamson Law Group for legal advice regarding your particular case.