New cyber rules to safeguard supply chain.

Author: Sanchez, Rolando R.
Position: Viewpoint

The Defense Department supply chain is part of the nation's critical infrastructure providing the DoD and its contractors with key materiel and services.

Ensuring the integrity and safety of that supply chain is an imperative that every government contractor must address. They must comply with their specific contract's requirements, as well as applicable laws and regulations.

Increasingly, laws, regulations and contracts incorporate requirements to comply with industry best practices and emerging standards to ensure supply chain integrity. For many years, ensuring cybersecurity was treated as an individual effort by defense contractors, and there was little direction from the government, or even a baseline requirement, as to how defense contractors and their supply chains should ensure cybersecurity.

Times have changed and contractors now must take steps to ensure the cybersecurity of their systems.

In an October 2016 newly revised final rule, "Safeguarding Covered Defense Information and Cyber Incident Reporting," Defense Federal Acquisition Regulation Supplement 252.204-7012, the government directs defense prime contractors and subcontractors that handle "covered defense information" generated, stored or transmitted on or through their systems to be fully compliant with the 110 security requirements specified in National Institute of Standards and Technology Special Publication 800-171. A contractor whose system does not precisely meet these requirements must instead affirmatively seek and obtain DoD chief information officer approval of the system on the basis that it provides comparable security.

The implementation of the safeguards is only part of the requirements detailed in the newly revised provision. The rule also requires contractors to flow down and flow up reporting requirements in their subcontracts, or "similar contractual instruments," that provide "operationally critical support," or that provide "subcontract performance [that] will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties."

Further, the final rule requires contractors to rapidly report to the Defense Department within 72 hours of a "cyber incident" and to preserve and provide related information and documentation.

Prime contractors and subcontractors bear the responsibility for: determining whether they have any contract or subcontract covered by the rule; identifying the systems and information that must be protected; and determining whether and to what extent their systems comply or need to be worked on to ensure they comply with the 110 security requirements.

They must rapidly report on and preserve appropriate data...
