Cybersecurity guidance and requirements for government contractors continue to evolve and have a significant impact on contractor compliance. Defense contractors, and civilian firms that do business with the Department of Defense (DoD), are expected to meet the requirements of Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. It is important to note that the clause applies to DoD contractors and their subcontractors at every tier, regardless of size. Specifically, it is titled "Safeguarding Covered Defense Information and Cyber Incident Reporting", and it cross-references the Defense Industrial Base cybersecurity program in 32 Code of Federal Regulations (CFR) Part 236.
Contractors and Cloud Computing
There are additional obligations for contractors who plan to use cloud-based computing. Where the contractor operates a cloud service on behalf of the DoD, the proposed solution must meet DoD IT requirements, which include:
- Storing all government cloud-based data in the US
- Providing access to the data during any government investigation, inspection or audit
- Obtaining a provisional authorization from the Defense Information Systems Agency (DISA)
A different rule applies when the contractor merely uses an external cloud service provider to store, process or transmit CDI on its own behalf: the provider must meet security requirements equivalent to the FedRAMP Moderate baseline, and the contractor remains responsible for the cyber incident reporting obligations of the clause. In addition, contractors who provide cloud-based information services must follow the reporting requirements for any malicious software, cyber incidents or third-party requests for information, including requests from local, state and federal agencies. Affected systems, images and data must be preserved and provided to the DoD for forensic analysis.
The Devil is In the Details
Contractors will have to meet security baselines and determine their own risk profile. Any contractor whose information systems process, store or transmit CDI, whether in the course of delivering a product or a service, will have to implement the security requirements of NIST SP 800-171. Contractors who operate information systems on behalf of the government may be required to use continuous monitoring tooling provided by the Department of Homeland Security, or tooling of their own that meets the contracting agency's requirements. Contractors handling CDI on their own internal systems must comply with NIST SP 800-171. Contractors should also expect more intense inspection and audit of their compliance.
Covering Your Bases
Contractors who own or operate information systems that process, store or transmit federal information should conduct a gap assessment against NIST SP 800-171 to determine which changes must be implemented to meet the new baseline requirements. Gaps identified should be closed before they jeopardize current or future contracts.
If you do not comply with the new regulations, your business is at risk. The DoD can impose penalties on non-compliant contractors. A work order may be suspended until CDI is secured, and non-compliance can also lead to contractual, civil and criminal penalties. Consequences may include:
- Liquidated damages
- Breach of contract damages
- Termination for Convenience
- False Claims Act damages
- Termination for Default
- Poor past-performance ratings that affect future awards
It does not matter whether you are a small business or a large one, whether you provide products or services, or whether you are a subcontractor or a prime contractor. Your business must comply with DFARS 252.204-7012, and full implementation of NIST SP 800-171 was required by December 31, 2017.
Today, the government relies on external contractors to process and store sensitive data whose compromise could threaten the country's national security. As the DoD's guidance for small businesses puts it: "The set of minimum cybersecurity standards are described in NIST Special Publication 800-171 and break down into fourteen areas. In each of these areas, there are specific security requirements that DoD contractors must implement. Full compliance is required not later than December 31, 2017. The contractor must notify the DoD CIO within 30 days of contract award of any security requirements not implemented at the time of contract award. The contractor can propose alternate, equally effective measures to the DoD CIO through their contracting officer. NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Sections 3.3 to 3.6, may provide small businesses a systematic step-by-step approach to implementing, assessing, and monitoring the controls."
In addition, the DoD's Office of Small Business Programs has put together a detailed list of cybersecurity resources for small businesses on its website at http://business.dodrif.com/resources.php.