By Sam Skolnik
Defense contractors have two months to comply with one of the most complicated Pentagon regulations to hit their desks in years.
Contractors are speedily ramping up efforts to comply with new cybersecurity standards for the Defense Federal Acquisition Regulation Supplement (DFARS) to meet a Dec. 31 deadline, attorneys and consultants said.
The rule, issued by the Defense Department last fall, requires companies that do business with DOD to provide “adequate” levels of security for defense information that is processed, stored, or transmitted on contractors’ internal information systems or networks.
They must also implement a convoluted, 80-page National Institute of Standards and Technology (NIST) rulebook that includes five appendices for monitoring the use of “controlled unclassified information” (CUI), with titles such as “mapping tables” and “tailoring criteria,” according to a Sept. 21 guidance issued by Shay Assad, DOD’s director of defense pricing/defense procurement and acquisition policy.
Yet even Assad recognizes how difficult it may be for contractors without strong compliance departments to meet the new requirements. “There is no single or prescribed manner in which a contractor may choose to implement the requirements of (the NIST document), or to assess their own compliance with those requirements,” he wrote.
This confusion is keeping government contracts lawyers and consultants on their toes.
“This is the number-one hottest topic right now among my clients,” Reggie Jones, chair of the federal government contracts and procurement practice group at Fox Rothschild in Washington, told Bloomberg Government. “I’m getting more calls about this than anything else.”
A related Federal Acquisition Regulation, which applies governmentwide, went into effect in June 2016. That FAR clause lists 15 ways contractors need to adhere to “basic safeguarding” of covered contractor information systems.
The DOD-specific DFARS compliance regime that contractors must have in place in about two months is significantly more complex and detailed, in large part because of its tie-in to the NIST rules.
By the end of the year, contractors will need to adhere to all 110 rules — which require, for example, that contractors limit system access to authorized users, limit unsuccessful login attempts, and provide security awareness training on recognizing indicators of insider threats.
But the mandate that contractors develop cybersecurity plans — the most recent requirement added to the NIST list — is crucial for contractors, Susan Cassidy, a partner with Covington & Burling in Washington, told Bloomberg Government.
Contractors must “develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems,” under that NIST rule.
In addition to developing a plan, contractors should, at least initially, concentrate on providing “adequate security on all covered contractor information systems,” as noted in the DFARS regulation.
There are “gray areas” regarding some of the NIST requirements, despite the issuance of DOD’s guidance on the topic in September, Cassidy said. For example, some contractors’ older systems might not support encryption, she said.
Jones said contractors have been asking him about several of the requirements, but a few are causing more concern than others.
For one, contractors will need to “rapidly report” cyber incidents to DOD within 72 hours — and conduct a review for evidence of any compromise of covered defense information in order to do so.
Jones said he understood the need for rapid reporting of cyber incidents, yet “seventy-two hours isn’t a lot of time to figure out what’s happening.”
Contractors also will need to “preserve and protect” affected information systems for 90 days — giving DOD time to determine whether to conduct an on-site forensic analysis and damage assessment, which could be disruptive to contractors, Jones said.
Most larger defense contractors have been addressing compliance issues for the DFARS rule for many months, analysts and lawyers said. But some, especially smaller contractors or those that primarily work with commercial clients, are just now asking what they need to do — and fretting about their brief window to act.
Companies in that situation need to “understand the nature of the data you have,” and whether it meets the definition of CUI, Tom Tollerton, senior manager of cybersecurity advisory services for Dixon Hughes Goodman, told Bloomberg Government.
Next, they need to determine if adequate perimeter defenses such as firewalls are in place to protect that CUI, Tollerton said.
The thought of complying with the DFARS regulations is so forbidding that some smaller contractors have decided to forgo the use of computers.
“I have seen some contractors say, we’re going to go ‘all paper’ here,” Barron Avery, a Washington-based partner with Baker & Hostetler and head of the firm’s government contracts team, told Bloomberg Government. “While that may seem pretty wild, that may make sense from a business perspective.”
Contractor clients would keep research and engineering data, drawings, and other technical information in hard copy and in a lockbox in those cases, Avery said.
Midsize contractors that lack extensive, dedicated compliance teams might have it worst, Avery said. “They’re stuck in between,” he said. “If they don’t have the option of going offline, they have to comply.”
To contact the reporter on this story: Sam Skolnik in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Daniel Ennis at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.