U.S. Department of Defense (DoD) contractors face new cybersecurity compliance requirements, including a significant deadline set for December 31, 2017.

Most DoD contracts now include clauses imposing obligations on contractors’ protection of government information and reporting of cyber incidents. These obligations include a requirement for contractors to comply with the cybersecurity standards set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

Contractors must comply with the NIST standards no later than the end of calendar year 2017. Submission of a proposal to DoD now serves as a specific representation that the offeror meets these compliance requirements. Failure to meet the NIST standards potentially opens the door to more stringent government enforcement actions and liability under the False Claims Act.

All DoD contracts, with the exception of contracts for commercially available off-the-shelf (COTS) goods or services, must now include DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), implemented in October 2016, as a contract clause. This contract clause:

  • Imposes minimum security requirements for unclassified information collected or stored in performance of a DoD contract,
  • Contains specific requirements for cloud computing services,
  • Contains specific security requirements for contracts for systems operated on behalf of the government,
  • Requires, on all other contracts, that contractors meet the standards set forth in NIST SP 800-171 no later than December 31, 2017; and
  • Imposes specific reporting requirements for cyber incidents.

DFARS 252.204-7008 (Compliance with Safeguarding Covered Defense Information Controls) makes the above-referenced DFARS security requirements, including the December 31, 2017 NIST compliance deadline, a specific representation made by the contractor by virtue of its proposal submission.

NIST SP 800-171 provides federal agencies with recommended requirements for protecting controlled unclassified information (CUI) (i) while such CUI resides in nonfederal information systems and organizations (such as third party service providers); (ii) where the information systems on which the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of such agencies; and (iii) where there are no specific safeguarding requirements for the CUI prescribed by the authorizing law, regulation or government-wide policy. NIST identifies 14 distinct areas or “families” of security requirements for protecting CUI in nonfederal information systems and organizations:

  1. Access Control – Limit system access to authorized users, and limit access to the types of transactions and functions those users are permitted to execute.
  2. Awareness and Training – Ensure that managers, system administrators and users are adequately trained on security risks and their responsibilities.
  3. Audit and Accountability – Create, protect and retain audit records to enable monitoring, analysis, investigation and reporting, and ensure that actions can be traced to, and individual users held accountable for, their actions.
  4. Configuration Management – Establish and maintain baseline configurations and inventories of information systems, and enforce security configuration settings.
  5. Identification and Authentication – Identify and authenticate users, processes and devices before allowing access to systems.
  6. Incident Response – Establish operational procedures for incident handling; track, document and report incidents to appropriate officials internal and external to the organization.
  7. Maintenance – Perform system maintenance and provide effective controls on the tools, techniques and personnel used to conduct maintenance.
  8. Media Protection – Protect information system media, both paper and digital; limit access to the media; and sanitize or destroy media before its disposal or reuse.
  9. Personnel Security – Screen individuals before allowing access to systems containing CUI, and protect systems during and after personnel actions such as terminations or transfers.
  10. Physical Protection – Limit physical access to systems, equipment and operating environments to authorized personnel, and protect and monitor physical facilities and infrastructure.
  11. Risk Assessment – Periodically assess the risk to organizational operations, assets and individuals arising from the processing, storage or transmission of CUI.
  12. Security Assessment – Periodically assess and monitor security controls, and develop and implement plans of action to correct or eliminate deficiencies and vulnerabilities.
  13. System and Communications Protection – Monitor, control and protect communications at external and key internal boundaries of the organization, and employ architectural designs, techniques and principles that promote effective security.
  14. System and Information Integrity – Identify, report and correct system flaws in a timely manner; provide protection from malicious code; and monitor system security alerts and advisories and respond appropriately.

For more information related to government contractors’ cybersecurity obligations, contact the authors of this article.

Andrew Konia

Andrew’s practice is singularly focused on protecting clients’ businesses and data, anticipating disputes, and strengthening their competitive position in the marketplace.

Lorna J. Tang

Lorna’s practice focuses on a variety of corporate transactions, including mergers and acquisitions via asset sale or stock sale, technology, outsourcing and general services transactions. She regularly reviews, drafts, analyzes and/or negotiates various contracts, including technology licensing agreements, asset purchase agreements, stock purchase agreements and ancillary acquisition documents, assignment agreements, intellectual property security agreements, hosting and software agreements, government contracts and subcontracts, and supply and other technology agreements.

Todd R. Steggerda

Todd Steggerda serves as McGuireWoods’ Deputy Managing Partner for Litigation, overseeing and managing the firm’s nine litigation departments and roughly 500 litigators in the U.S. and the UK. He is the former chair of the firm’s Government Investigations and White Collar Litigation Department, which Law360 recently selected for its prestigious “Practice Group of the Year” award for its notable work in 2019. In a dynamic practice spanning 20 years in Washington, Todd has resolved a diverse range of high-stakes government investigations, regulatory enforcement, and litigation matters, including dozens of matters investigated by the civil and criminal divisions of the Department of Justice, the Department of Defense, and numerous other federal and state agencies and investigative bodies.