Special Topic – Cybersecurity Requirements

December 31st is fast approaching and so is the deadline for the Defense Department’s cybersecurity requirements for all government contractors and subcontractors. 

For those who are not aware, in 2001, the federal government started the process for protecting classified information when stored or shared by electronic means. If contractors maintain a government IT system or simply store information, they must meet the standards set by the Federal Acquisition Regulation (FAR) or the Defense Federal Acquisition Regulation Supplement (DFARS). In recent years, these requirements have undergone many changes, from terminology to technical requirements. Despite simplified revisions, interpreting cybersecurity requirements can be a bit confusing.

Who are the players in cybersecurity?

The National Institute of Standards and Technology (NIST) was given the responsibility of establishing standards for government and contractor IT systems. In June 2015, NIST issued THIS DOCUMENT highlighting 101 standards.

  • Contractors will have to comply with the cybersecurity regime set forth by FAR Subpart 4.19 (Basic Safeguarding of Covered Contractor Information Systems).
  • DoD (Department of Defense) contractors will also have to comply with the cybersecurity and cloud storage requirements in DFARS Subparts 204.73 and 239.76. If you only use non-FAR agreements in working with DoD, you are not yet compliant. These same requirements apply to all contracts and agreements (e.g., grants, other transaction authority agreements, CRADAs, and SBIRs).

What’s the difference between FAR and DFARS?

The two regimes have many similarities, but also many differences to consider. While the FAR applies to all federal agencies, it only requires 17 of the NIST standards. The DFARS only applies to DoD contractors and requires all 101 NIST standards to be implemented by Dec 31, 2017. To obtain contracts, DoD contractors and subcontractors will need to become certified under all requirements. To understand how the government and prime contractors will assess compliance, you can review guidance material issued by the DoD HERE.

What happens if you’re not compliant? 

Like other government requirements, there are potentially negative consequences to accepting a contract and certifying compliance if you do not meet the requirements. As such, a checklist or other similar procedure with a focus on behaviors is also highly recommended.

What’s the difference between FAR and DFARS? See the table below:

Comparison of FAR 4.19/52.204-21 and DFARS 204.73/252.204-7012:

Applicability
  • FAR 4.19/52.204-21: All agencies; all contracts except COTS
  • DFARS 204.73/252.204-7012: DoD only; all contracts except COTS

Covered information
  • FAR: Federal Contract Information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments. “Information” means any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual (Committee on National Security Systems Instruction (CNSSI) 4009). Focused on systems.
  • DFARS: Covered Defense Information, which (a) excludes classified information; (b) is provided by DoD or collected, developed, received, transmitted, used or stored in support of performance of the contract; and (c) is controlled technical information, critical information, export controlled, or any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls. Focused on information.

Effective Date
  • FAR: Now (no Safe Harbor)
  • DFARS: December 31, 2017

Requirements
  • FAR: 15/17 of NIST 800-171
  • DFARS: All 110 of NIST 800-171

Marking
  • FAR: No requirement for government to mark
  • DFARS: Marked or otherwise indicated if Covered Defense Information

Reporting
  • FAR: No explicit reporting requirement
  • DFARS: Mandatory: 72 hours, to DoD; subcontractors report and provide the incident number to the prime

Certification
  • FAR: No explicit certification requirements
  • DFARS: Required by 252.204-7008

Subcontract
  • FAR: Mandatory if subcontractor “may have Federal contract information residing in or transiting through its information system”; no guidance for how to assess or monitor
  • DFARS: Mandatory for “subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties”; the prime is responsible for cyber enforcement, determines whether the subcontractor can comply, and requests deviations; subcontractors must notify primes if unable to comply

Posted by Karri Palmetier on October 14, 2017

About the author

Karri Palmetier

Founder and owner of Palmetier Law, Karri Palmetier has more than two decades of experience in government contracting and the aerospace and defense industries. Her extensive background in working for and with the U.S. Government (Department of Defense, U.S. Air Force, the Intelligence Community, and NASA) gives her a unique perspective, helping companies understand the underlying policies and rationale for the government position.

Palmetier Law