Due to the massive cybersecurity breaches and threats in the past decade, the United States federal government has expended significant resources to strengthen information security within its supply base. The updates began around 2010, when the government designated the National Archives and Records Administration (“NARA”) as the agency responsible for creating a government program to protect controlled unclassified information. In turn, NARA created a controlled unclassified information registry, classifying 23 categories of information to help federal agencies and contractors with compliance. See Registry of controlled unclassified information, available here. NARA then collaborated with the National Institute of Standards and Technology (“NIST”) to create a set of security guidelines for federal agencies and contractors handling controlled unclassified information.
In June of 2015, NIST released these guidelines in Special Publication 800-171 (“NIST 800-171”). NIST 800-171 did not apply directly to contractors, but rather served as recommended requirements for federal agencies to include in their rules or agreements with contractors. It listed 14 groups of minimum requirements—e.g., “Access Control,” “Awareness and Training,” and “Audit and Accountability.” See NIST Special Publication 800-171, available here. Many federal agencies responded by adopting NIST 800-171 and implementing their own additional rules.
The U.S. Department of Defense (“DoD”) adopted NIST 800-171. Additionally, in August of 2015, the DoD greatly expanded the cybersecurity obligations for defense contractors and subcontractors through an interim rule in the Defense Federal Acquisition Regulation Supplement (“DFARS”), at 252.204-7000 (“the DFARS cyber clause”). The DoD cited “urgent and compelling reasons” to issue an effective rule immediately. See DFARS 252.204-7000. The DFARS cyber clause contains obligations for contractors that handle covered defense information, as defined in DFARS 252.204-7012. Further, the DFARS cyber clause imposes the guidelines from NIST 800-171 and requires contractors and subcontractors to report cyber incidents, both actual and perceived, on any systems that contain covered defense information. See DFARS 252.204-7009(a)(2).
In response to public comment, the DoD updated the DFARS cyber clause in December of 2015. Most significantly, the amended rule gives contractors that handle covered defense information until December 31, 2017 to be in full compliance with the requirements outlined in DFARS 252.204-7012 and NIST 800-171. This expanded compliance deadline was a great relief to many contractors. Nonetheless, to the extent a contractor is not in compliance with any guidelines in the meantime, the rule still requires contractors to notify the DoD and identify the areas of noncompliance. Additionally, the updated DFARS cyber clause gives contractors 72 hours to report any cyber incidents to the DoD CIO, and requires contractors to flow down the DFARS cyber clause to all suppliers and subcontractors that store, process, and/or generate covered defense information in contract performance.
Accordingly, defense contractors should audit their systems to determine if they handle covered defense information and fall under the scope of the DFARS cyber clause. Next, they should determine if their systems comply with the DFARS cyber clause, including the requirements of NIST 800-171, and audit all subcontractor and supplier agreements for the DFARS cyber clause. Finally, to the extent their systems do not comply, contractors should create a plan to contact the DoD CIO.
Our firm is able to assist with compliance and any of these steps.