Cost, schedule, and performance, the three pillars of defense procurement, may soon be accompanied by a fourth pillar: cybersecurity. As the nature of warfare evolves away from pure kinetic capabilities to the asymmetric, cyber realm, the Department of Defense (“DoD”) has had to grapple with the reality that its defense contractors are prime targets for infiltration. Indeed, in the February 2018 Worldwide Threat Assessment, Director of National Intelligence Daniel Coats specifically identifies defense contractors and IT communications firms as the primary focal points of China—one of the United States’ primary cyber adversaries. As a result of this new reality, DoD has begun the process of revamping the defense procurement system to place greater emphasis on cybersecurity. In response to these moves by DoD, contractors should take a fresh look at their current operations to identify their own cyber vulnerabilities as well as the vulnerabilities of their subcontractors, suppliers, and other partners. Without adequate preparation, contractors risk finding themselves at a significant disadvantage during future contract bids. Continue reading “Cybersecurity Could Make or Break Defense Contractors’ Chances of Future Awards”
It’s almost here. After years of rulemaking, covered defense contractors will soon be fully subject to heightened cybersecurity standards for covered defense information (“CDI”) on IT systems under DFARS 252.204-7012, and contractors submitting new proposals will be representing that their systems are compliant with these security requirements pursuant to DFARS 252.204-7008. We discuss in this post seven compliance tips beyond the basics that are worth revisiting during this final compliance push. Continue reading “DFARS Cybersecurity Compliance Countdown: Are You Ready?”
The Department of Homeland Security (“DHS”) recently issued three new proposed cybersecurity regulations for DHS contractors which warrant careful attention. Although a freeze on new regulations by the Trump administration will likely delay any final agency action, and extensive comments and meaningful changes to any final rules are expected, these new regulations could radically impact the compliance landscape for DHS contractors. As with recent cybersecurity amendments to the Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement (“DFARS”) (which we’ve covered here and here), these proposed rules seek to impose more safeguarding, handling, reporting, and training requirements on covered contractors. We continue to see cybersecurity as a major business risk in the industry today, and recommend contractors pay close attention to their operational, technology, and risk management practices relating to cybersecurity. We highlight the key elements of the proposed rules below. Continue reading “DHS Contractor? Pricey New Cybersecurity Requirements (and Hidden Risks) May Await You”
There is no question cybersecurity is a critical compliance and risk area for federal contractors. A seemingly endless stream of cyberattacks—on corporate databases, government servers, even baby monitors—shows the breadth of these problems and the need for action. Government contractors have the added challenge of specialized regulatory obligations, with compliance (or non-compliance) having a direct impact on the value of their business. Continue reading “Does Your Cybersecurity Program Satisfy Recent DFARS Amendments?”
Justin A. Chiarodo and Philip Beshara
The government recently issued long-awaited amendments to the National Industrial Security Program Operating Manual (“NISPOM”). The amendments, known as Conforming Change 2, are targeted at combating insider threats and impose several new requirements warranting immediate action by contractors holding facility clearances.
There are four key elements to Change 2: (1) a mandated Insider Threat Program (“ITP”); (2) new cyber incident reporting requirements; (3) newly defined NISPOM components; and, (4) an updated standard for foreign-owned or controlled companies seeking access to proscribed information. We summarized these changes and provide implementation suggestions below.
I. Insider Threat – Mandated Insider Threat Program
Change 2 requires cleared contractors to have a written Insider Threat Program plan no later than November 30, 2016. The ITP must detect, deter, and mitigate insider threats consistent with the ITP requirements currently imposed on executive branch agencies (as set forth in Executive Order 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs). Continue reading “NISPOM Conforming Change 2: What You Need to Know”
Justin A. Chiarodo, Philip E. Beshara, and Heather L. Petrovich
The government recently finalized a sweeping amendment to the Federal Acquisition Regulation (“FAR”) that will impose basic information system safeguarding requirements on many federal acquisitions, marking the latest in the continuing government effort to regulate and enhance cybersecurity protections in the industry. The Final Rule, effective June 15, 2016, imposes fifteen basic safeguarding requirements for contractors with information systems containing information provided by, or generated for, the government under a federal contract.
Though many contractors likely maintain information security standards that meet or exceed the new rule, they should confirm their compliance status by assessing these requirements against their current cybersecurity compliance program (to help mitigate the risk of a breach of contract claim or more serious enforcement action). This should include confirming that the requirement is flowed down to subcontractors where appropriate. Continue reading “Coming to a Government Contract Near You: Mandatory Information Safeguarding Requirements”