Contractors Must Contend With New Cybersecurity Rule.

Author: Ebner, Susan Warshaw
Position: Viewpoint

The April 2017 issue of National Defense reported on key aspects of the Defense Department rule on "Safeguarding Covered Defense Information and Cyber Incident Reporting" and actions that contractors could take to implement the rule.

The aim of the Defense Federal Acquisition Regulation Supplement rule is to protect covered defense information, which includes unclassified controlled technical information or other information as described in the Controlled Unclassified Information Registry administered by the National Archives. This article reports on new guidance and basic actions that contractors can take to achieve compliance.

The basic construct of DFARS 252.204-7012 has not changed. The final October 2016 version requires that contractors must provide "adequate security on all covered contractor information systems" and "rapidly report" any "cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract."

Under the rule, contractors bidding on or entering into contracts must have implemented the 110 security controls set out in National Institute of Standards and Technology Special Publication 800-171 by Dec. 31. Satisfaction of the requirements includes the establishment of a system security plan that describes how the contractor is implementing the security control requirements, any exceptions to the requirements, and a plan of action and milestones to correct deficiencies and reduce vulnerabilities.

Whether a vendor has a contract issued before Oct. 1 or after, the DFARS clause makes it clear that it must either take steps to comply with the NIST requirements, seek an exception to the application of the rule, or disclose and request approval of an alternative, but equally effective, security measure that may be implemented in place of compliance with requirements.

The DFARS rule provides for the inclusion of the clause in all contracts, including those that provide commercial items, except for contracts solely for the sale of commercial off-the-shelf items. Contractors must flow down the clause to "subcontracts, or similar contractual instruments" for "operationally critical support" or where the subcontract performance will "involve covered defense information."

Finally, contractors also must be prepared to identify, assess...
