Some FAQs Answered About The New Cybersecurity Rule.

Author: Bourne, Townsend L.
Position: Viewpoint

By now, most Defense Department contractors have drafted and populated a system security plan in accordance with the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity provisions, which require implementation of the security controls in National Institute of Standards and Technology Special Publication 800-171.

The Defense Department clarified last year that the requirement to implement the security controls by the Dec. 31 deadline was satisfied by creating a system security plan, together with plans of action describing how and when any controls not yet met would be implemented.

Establishing a system security plan makes the contractor initially compliant, but understanding the contractor's remaining obligations under the defense cybersecurity provisions will help it avoid potentially unforeseen pitfalls and liability.

The "frequently asked questions" updated on April 2 by the Defense Department regarding the provisions, discussed below, provide helpful insight into contractor obligations as well as best practices.

For example, when does a company need to update its system security plan?

NIST SP 800-171 includes a specific requirement to "periodically" update the system security plan as explained in Requirement 3.12.4. It also includes requirements for periodic risk assessments and vulnerability scans in Requirements 3.11.1 and 3.11.2, as well as periodic security assessments of the controls implemented by the contractor "to determine if the controls are effective in their application"--as stated in Requirement 3.12.1.

The requirements are non-specific as to the timing and frequency of updates and assessments, so the contractor must determine a reasonable approach and document it, identifying the personnel responsible for executing the assessments and for incorporating applicable results into the system security plan. Regular, planned updates keep the contractor focused on properly safeguarding sensitive information and ensure it can produce an accurate, up-to-date system security plan for government review if required.

The Defense Department recently confirmed that contracting agencies are not to encourage contractors to add security controls to their system security plan or dictate how a contractor must meet a particular control. Agencies "should not intrude into the operations or management of the contractor's internal IT system by specifying the content and format of the system security plan and plans of action...,"...
