Defense Contractors Busy Preparing to Meet Cybersecurity Deadline

By Sam Skolnik

Defense contractors have two months to comply with one of the most complicated Pentagon regulations to hit their desks in years.

Contractors are speedily ramping up efforts to comply with new cybersecurity standards for the Defense Federal Acquisition Regulation Supplement (DFARS) to meet a Dec. 31 deadline, attorneys and consultants said.

The rule, issued by the Defense Department last fall, requires companies that do business with DOD to provide “adequate” levels of security for defense information that is processed, stored, or transmitted on contractors’ internal information systems or networks.

They must also implement a convoluted, 80-page National Institute of Standards and Technology (NIST) rulebook that includes five appendices for monitoring the use of “controlled unclassified information,” (CUI) with titles such as “mapping tables” and “tailoring criteria,” according to a Sept. 21 guidance issued by Shay Assad, DOD’s director of defense pricing/defense procurement and acquisition policy.

Yet even Assad recognizes how difficult it may be for contractors without strong compliance departments to meet the new requirements. “There is no single or prescribed manner in which a contractor may choose to implement the requirements of (the NIST document), or to assess their own compliance with those requirements,” he wrote.

This confusion is keeping government contracts lawyers and consultants on their toes.

“This is the number-one hottest topic right now among my clients,” Reggie Jones, chair of the federal government contracts and procurement practice group at Fox Rothschild in Washington, told Bloomberg Government. “I’m getting more calls about this than anything else.”

‘Gray Areas’

A related Federal Acquisition Regulation, which applies governmentwide, went into effect in June 2016. That FAR clause lists 15 ways contractors need to adhere to “basic safeguarding” of covered contractor information systems.

The DOD-specific DFARS compliance regime that contractors must have in place in about two months is significantly more complex and detailed, in large part because of its tie-in to the NIST rules.

By the end of the year, contractors will need to adhere to all 110 rules — which require, for example, that contractors limit system access to authorized users, limit unsuccessful login attempts, and provide security awareness training on recognizing indicators of insider threats.

But the mandate that contractors develop cybersecurity plans — the most recent requirement added to the NIST list — is crucial for contractors, Susan Cassidy, a partner with Covington & Burling in Washington, told Bloomberg Government.

Contractors must “develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems,” under that NIST rule.

In addition to developing a plan, at least initially, contractors should concentrate on providing at least “adequate security on all covered contractor information systems,” as noted in the DFARS regulation.

There are “gray areas” regarding some of the NIST requirements, despite the issuance of DOD’s guidance on the topic in September, Cassidy said. For example, some contractors’ older systems might not support encryption, she said.

Three-Day Deadline

Jones said contractors have been asking him about several of the requirements, but a few are causing more concern than others.

For one, contractors will need to conduct a review for evidence of any compromise of covered defense information — and “rapidly report” cyber incidents to DOD within 72 hours to do so.

Jones said he understood the need for rapid reporting of cyber incidents, yet “seventy-two hours isn’t a lot of time to figure out what’s happening.”

Contractors also will need to “preserve and protect” affected information systems for 90 days — giving DOD time to determine whether to conduct an on-site forensic analysis and damage assessment, which could be disruptive to contractors, Jones said.

A Brief Window

Most larger defense contractors have been addressing compliance issues for the DFARS rule for many months, analysts and lawyers said. But some, especially smaller contractors or those that primarily work with commercial clients, are just now asking what they need to do — and fretting about their brief window to act.

Companies in that situation need to “understand the nature of the data you have,” and whether it meets the definition of CUI, Tom Tollerton, senior manager of cybersecurity advisory services for Dixon Hughes Goodman, told Bloomberg Government.

Next, they need to determine if adequate perimeter defenses such as firewalls are in place to protect that CUI, Tollerton said.

‘All Paper’

The thought of complying with the DFARS regulations is so foreboding that some smaller contractors have decided to forgo the use of computers.

“I have seen some contractors say, we’re going to go ‘all paper’ here,” Barron Avery, a Washington-based partner with Baker & Hostetler and head of the firm’s government contracts team, told Bloomberg Government. “While that may seem pretty wild, that may make sense from a business perspective.”

Contractor clients would keep research and engineering data, drawings, and other technical information in hard copy and in a lockbox in those cases, Avery said.

Midsize contractors that lack extensive, dedicated compliance teams might have it worst, Avery said. “They’re stuck in between,” he said. “If they don’t have the option of going offline, they have to comply.”

To contact the reporter on this story: Sam Skolnik in Washington at sskolnik@bna.com

To contact the editor responsible for this story: Daniel Ennis at dennis@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.