December 31st is fast approaching and so is the deadline for the Defense Department’s cybersecurity requirements for all government contractors and subcontractors.
For those who are not aware, in 2001 the federal government started the process of protecting classified information when it is stored or shared by electronic means. If contractors maintain a government IT system or simply store government information, they must meet the standards set by the Federal Acquisition Regulation (FAR) or the Defense Federal Acquisition Regulation Supplement (DFARS). In recent years these requirements have undergone many changes, from terminology to technical requirements. Despite simplified revisions, interpreting the cybersecurity requirements can still be confusing.
Who are the players in cybersecurity?
The National Institute of Standards and Technology (NIST) was given the responsibility of establishing standards for government and contractor IT systems. In June 2015, NIST issued THIS DOCUMENT highlighting 101 standards.
- Contractors will have to comply with the cybersecurity regime set forth by FAR Subpart 4.19 (Basic Safeguarding of Covered Contractor Information Systems).
- DoD (Department of Defense) contractors will also have to comply with the cybersecurity and cloud storage requirements in DFARS Subparts 204.73 and 239.76. If you only use non-FAR agreements in working with DoD, you are not yet compliant: these same requirements apply to all contracts and agreements (e.g., grants, other transaction authority agreements, CRADAs, and SBIRs).
What’s the difference between FAR and DFARS?
The two regimes have many similarities, but also many differences to consider. While the FAR applies to all federal agencies, it only requires 17 of the NIST standards. The DFARS applies only to DoD contractors and requires all 101 NIST standards to be implemented by Dec 31, 2017. To obtain contracts, DoD contractors and subcontractors will need to become certified under all requirements. To understand how the government and prime contractors will assess compliance, you can review the guidance material issued by the DoD HERE.
What happens if you’re not compliant?
Like other government requirements, there are potentially negative consequences to accepting a contract and certifying compliance if you do not actually meet the requirements. As such, a checklist or similar procedure with a focus on behaviors is also highly recommended.
What’s the difference between FAR and DFARS? See the table below:
| | FAR 4.19/52.204-21 | DFARS 204.73/252.204-7012 |
|---|---|---|
| Applicability | All Agencies | DoD Only |
| | All contracts except COTS | All contracts except COTS |
| Covered information | Federal Contract Information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments. "Information" means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009). | Covered Defense Information: (a) excludes classified information; (b) is provided by DoD or collected, developed, received, transmitted, used or stored in support of performance of the contract; (c) is controlled technical information, critical information, export controlled, or any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls |
| | Focused on Systems | Focused on Information |
| Effective Date | Now (no Safe Harbor) | December 31, 2017 |
| Requirements | 15/17 of NIST 800-171 | All 110 of NIST 800-171 |
| Marking | No requirement for government to mark | Marked or otherwise indicated if Covered Defense Information |
| Reporting | No explicit reporting requirement | Mandatory – 72 hours, to DoD |
| | | Subcontractors report / provide incident number to prime |
| Certification | No explicit certification requirements | Required by 252.204-7008 |
| Subcontract | Mandatory if subcontractor "may have Federal contract information residing in or transiting through its information system" | Mandatory for "subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties" |
| | No guidance for how to assess or monitor | Prime is responsible for cyber enforcement |
| | | Prime – determine if subcontractor can comply, request deviations |
| | | Subcontractors must notify primes if unable to comply |