Government Contracts Impacted By Cyber Security Requirements
April 24, 2017 4:05 pm
posted by Tamara Wamsley
posted within General
If you work with Department of Defense (DoD) contracts, or would like to in the future, you will want to pay close attention to what I am about to tell you. There is another clause (not Santa) that could impact your business this December. It is actually already here and its name is Defense Acquisition Regulations System (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
Not as catchy, I know. Why should you care?
Here are 3 good reasons:
1) If you hope to do business with DoD you must attest to compliance with this regulation by December 31, 2017.
2) The process to become compliant can take up to a year.
3) Noncompliance may mean forfeiting your chance for award of a DoD contract.
So what is this clause?
At a high level, it is compliance and reporting. The clause states, “The contractor shall provide adequate security on all covered contractor information systems.” To help understand if this means you, the clause further defines the terms:
“Covered contractor information system” means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
“Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
Without force-feeding you even more lines of regulation, technical information as defined by the clause covers just about any type of data you might process in the performance of a contract.
What is “adequate security”?
Adequate security according to the clause requires that at a minimum the contractor shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, or, for systems operated in the cloud, Federal Risk and Authorization Management Program (FedRAMP) Moderate. NIST SP 800-171 includes 110 controls that require procedural, technical, and/or policy solutions. The regulation is designed to empower the contractor to identify the solution that meets each control. This can be both helpful and challenging depending on your understanding of what the control is specifying.
Reporting is also a requirement in the clause. When a cyber incident is discovered it must be reported at dibnet.dod.mil within 72 hours. Access to the site will require a medium assurance certificate. There are a number of elements that will be required at the time of reporting and are listed on dibnet. Some of them include 90 days of monitoring/network data and forensic capture of computer images involved in the incident. When an incident happens is the wrong time to ask, “Do we have audit logs?”
The 5 steps to take now to keep government contracts:
Learn the Requirements
Familiarize yourself with DFARS Clause 252.204-7012 and NIST SP 800-171. Learning exactly what the requirement is, how it applies to you, and what effect it will have on your operations and resources is key.
Do a Risk Assessment
Perform a risk assessment of your organization based on the requirements. Homeland Security provides a handy tool to help with this effort called the Cyber Security Evaluation Tool (CSET). Once downloaded, you will select NIST SP 800-171 and it will build the checklist for you.
Make a Plan of Action
Develop your Plan of Action and Milestones (POAM). The solutions may take up to a year to implement but your POAM can be done much sooner. By providing a POAM you are demonstrating a pathway toward compliance.
Close Any Gaps
Bring in an outside vendor to perform the risk assessment and provide recommendations for compliance. This can be an effective follow-up to your own assessment as well as validation of measures you may already have in place. They may also be able to provide recommendations regarding alternative yet effective solutions you hadn’t considered.
Get your medium-assurance certificate and review the requirements for reporting outlined on dibnet. Information on obtaining DoD-approved certificates can be found here.
Bring on Clause!
Being proactive is critical. If you have been around government regulations in the past you might be hoping this changes or just goes away. Nothing is guaranteed, but in my opinion this is happening. On top of that, the consequences of the proverbial head-in-the-sand approach could be significant. By educating yourself and giving this the consideration it deserves, this clause could mean more contract awards and less coal in your stocking come this December!
Guest Blog Post by:
Secure Cyber Defense
Chief Technical Officer