There is no question cybersecurity is a critical compliance and risk area for federal contractors. A seemingly endless stream of cyberattacks—on corporate databases, government servers, even baby monitors—shows the breadth of these problems and the need for action. Government contractors have the added challenge of specialized regulatory obligations, with compliance (or non-compliance) having a direct impact on the value of their business.
In the most recent regulatory development, the Defense Department issued a final rule modifying its principal cybersecurity clause, DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). The final rule contains several updates to the interim rule published a year ago. The key differences between the interim and final rules are listed below; we have already taken a detailed look at the key provisions, many of which are unchanged in the final version. You can read the final rule here.
- Covered Defense Information Definition. "CDI" has been redefined to align with the definition of "Controlled Unclassified Information" published by the National Archives and Records Administration in September 2016.
- COTS Exclusion. Acquisitions solely for commercially available off-the-shelf items ("COTS") are excluded from the rule; commercial item procurements remain subject to it.
- Security Requirements. "Adequate security" must be implemented on all covered contractor information systems (not just those involved in performing the contract). NIST SP 800-171 remains the baseline standard for covered systems not operated on behalf of the government (though a contractor may petition for the use of alternative means that are "equally effective").
- Investigation and Reporting. Post-incident investigation and reporting requirements remain largely intact, with tweaks to the handling requirements for malicious software and scope of DoD access to potentially compromised systems.
- Flowdowns. Flowdown requirements to subcontractors have been narrowed: the clause flows down only to subcontractors providing operationally critical support or where CDI is necessary for subcontract performance. Under the final rule, subs report cyber incidents directly to DoD rather than to the prime, and need only pass the DoD-assigned incident report number up the chain to the prime (or next higher-tier subcontractor).
- Cloud Computing. The final rule provides that cloud service providers ("CSPs") that store, process, or transmit CDI must meet applicable security requirements, which differ depending on whether the cloud services are operated on behalf of the Government (in which case the DFARS cloud computing clause applies) or used by the contractor for its own operations (in which case the CSP must meet requirements equivalent to the FedRAMP Moderate baseline, and the clause's incident reporting and related obligations apply).
Although NIST SP 800-171 need not be fully implemented until December 31, 2017, defense contractors should be actively working now to ensure their compliance with the final rule. Indeed, covered contractors must conduct a gap analysis and notify the DoD CIO, within 30 days of contract award, of any NIST SP 800-171 requirements not yet implemented (which can affect contract negotiations).
Given the rapid change in this area, the final rule presents an important checkpoint for contractors to review, among other things: 1) their incident response plans (including identification of key stakeholders, delegation of responsibilities, and involvement of counsel and forensic specialists in the event of a cyber incident); 2) contracts management (addressing cybersecurity flowdown requirements and risk allocation in prime and subcontracts); 3) insurance coverage for cyber incidents; and, of course, 4) the technical controls themselves. It is a question of when, not if, your business will be affected by a cyber incident. The final rule should reinforce that contractors treat cybersecurity compliance as an integral part of broader enterprise risk management, involving the right people, processes, and procedures.