Government contractors are subject to cybersecurity requirements, and some important deadlines are fast approaching. An overview of the cybersecurity requirements found in the Federal Acquisition Regulation (FAR) and the Department of Defense (DoD) FAR Supplement (DFARS) follows:
FAR
The FAR (clause 52.204-21) requires government contractors that handle “federal contract information” to comply with 15 basic requirements for safeguarding that information. These requirements are similar to certain requirements found in NIST SP 800-171. Under the FAR, “federal contract information” is defined as:
information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.
This is a broad category of information. Many who have interpreted the effect of these requirements have advised that they could apply to most federal contracts.
DFARS
By contrast, the DoD cybersecurity requirements (DFARS clause 252.204-7012) apply to a more limited set of information but come with more stringent security requirements, including an added cyber incident reporting component. The DFARS clause applies to “covered defense information,” or CDI, which is defined as:
unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry . . . , that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
The first category of CDI is fairly easy to determine, since it must be identified by the government in the contract, task order, or delivery order.
The second category is tricky and can be somewhat ambiguous. During its June 23, 2017, Industry Information Day, the DoD provided some guidance, clarifying that the phrase “in support of the performance of the contract” in the second section of the CDI definition is not meant to include the contractor’s internal information (e.g., human resources or financial information) that is incidental to contract performance.
Importantly, contractors subject to the DFARS cybersecurity requirements must implement NIST SP 800-171 by December 31, 2017, which is fast approaching. Contractors using external cloud service providers to store, process, or transmit CDI are also required to use providers that meet security requirements equivalent to the FedRAMP Moderate baseline.
Interestingly, a contractor can be in compliance with NIST SP 800-171 without actually having implemented all of the security requirements by December 31, 2017. A contractor is in compliance with NIST SP 800-171 as long as it has a “System Security Plan” (SSP) and a “Plan of Action and Milestones” (POA&M) in place before December 31 that accurately document the way in which it intends to comply with the NIST SP 800-171 requirements, even if the contractor will not achieve full implementation of each of those requirements until after December 31.
In addition, for all contracts awarded prior to October 1, 2017, the contractor must notify the DoD Chief Information Officer within 30 days of contract award of any security requirements specified by NIST SP 800-171 that were not implemented at the time of contract award. Individual contracting officers may also use compliance as an evaluation factor in solicitations.
With the increase of data breaches in the headlines, it is important for government contractors to pay close attention to cybersecurity requirements and to continue to demonstrate ongoing compliance.
In addition to negative headlines, failure to comply with FAR and DFARS requirements can lead to government investigations and potential False Claims Act liability.
~from the National Association of Government Contractors