Cybersecurity requirements clarified.

Author: Cassidy, Susan
Position: Government Contracting Insights

On Jan. 27, the Defense Department issued an updated set of frequently asked questions regarding the application and requirements of Defense Federal Acquisition Regulation Supplement 252.204.7012 "Safeguarding Covered Defense Information and Cyber Incident Reporting."

Though questions remain regarding various nuances of the rule, the update is a helpful document for those contractors still working on its implementation. Divided into three sections (General Application, Security Requirements and Cloud Computing), the update provides answers to 59 commonly asked questions and provides greater clarity on a number of important points.

As the department has now issued multiple versions of this rule over the last several years, some imposing different security standards, vendors may have contracts that require different and conflicting security requirements on the same internal networks. The FAQ acknowledges this reality and informs contractors that the department has instructed its contracting officers to work through these issues with contractors, with the goal of working toward consistent implementation of the most recent version of the DFARS clause. Contractors with older versions of the rule in their contracts are therefore well advised to engage their contracting officers and work toward a modification of outdated security requirements.

What is the application to commercial item contracts? The update clarifies that DFARS 252.204.7012 is not required for solicitations and contracts where the only items being procured are commercial-off-the-shelf items. However, the clause is required for all other solicitations and contracts where covered defense information is involved, including the acquisition of commercial items that include it. The FAQ does not address directly whether the clause must be flowed to subcontractors where the prime contract may not be solely for COTS items but where the subcontract is.

In September, the National Archives and Records Administration issued a final rule regarding the protection of controlled unclassified information. The NARA Rule is consistent with the update, as it is unclassified information that requires safeguarding or dissemination controls pursuant to laws and regulations. Furthermore, both items establish National Institute of Standards and Technology Special Publication 800-171 as the minimum security standard for protecting them. Thus, the two rules are not in conflict.

The protections required to protect...
