2017 Topic of the Year: Cybersecurity

Defense Federal Acquisition Supplement: DFARS 252.204-7012, as revised on Dec. 30, 2015, is the cybersecurity rule issued by the Department of Defense (DoD) titled, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”

The DFARS clause requires all DoD contractors and subcontractors, regardless of size, to comply with two key information security requirements: (1) Adequate Security and (2) Incident Reporting. This impacts every DoD contractor and subcontractor, in high-tech to low-tech environments, regardless of the nature of work so long as “covered defense information” (CDI) is involved.

For most contractors, “adequate security” is satisfied by showing compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. There are exceptions and a variance process.

“Incident Reporting” requires contractors to report any cyber incidents that may have affected CDI within 72 hours of discovery. Reporting is to be done (1) to the DoD through the Department’s DIBNet portal, on an Incident Collection Form and (2) to the prime contractor. In addition, the contractor must adhere to regulations regarding investigating, preserving and submitting information about the breach to the DoD.

* FAR 52.294021, Basic Safeguarding of Covered Contractor Information Systems, sets as a minimum baseline for controls fifteen (15) security requirements that must be implemented by all federal contractors to safeguard any information system that processes, stores or transmits federal contract information.

* DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, goes beyond the minimum to require adequate security to safeguard all covered defense information residing on or transiting through the contractor’s internal information system/network and report cyber incidents within 48 hours. Beginning December 31, 2017, this clause is to be included in all new DoD solicitations and contracts except for Commercial Off-the-Shelf (COTS) products.

* NIST SP 800-171, Revision 1 was developed by the National Institute of Standards and Technology (NIST) to define the uniform set of performance-based security requirements to be implemented by DoD contractors under DFARS 252.204-7012. NIST does not regulate cybersecurity – rather it provides neutral technical expertise, guidance, and reference materials to be used by other agencies and organizations in formulating their requirements.

The Alaska PTAC will be hosting a cybersecurity training with guest speaker from NIST in late February or early March. Stay tuned for details.