If you are a Department of Defense (DoD) contractor and you handle Covered Defense Information (CDI), including Controlled Unclassified Information (CUI), you must comply with the Defense Federal Acquisition Regulation Supplement (DFARS) to receive or keep DoD contracts.
To provide "adequate security" as the clause defines it, most contractors must implement the security requirements in National Institute of Standards and Technology Special Publication (NIST SP) 800-171. The purpose of NIST SP 800-171 is to protect CUI, a very broad category of information that the government wants protected from theft. Furthermore, if a contractor uses an external cloud service provider to store, process or transmit CDI, the contractor must ensure that the provider meets security requirements equivalent to those of the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.
If a cyber incident occurs, it must be reported within 72 hours of discovery through the Defense Industrial Base Network (DIBNet) portal. The incident must also be reported to the prime contractor, if applicable. To gain access to DIBNet, contractors must obtain a DoD-approved medium assurance Public Key Infrastructure (PKI) certificate. In addition, contractors must follow the clause's requirements for handling the evidence: preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from submission of the report, submit any identified malicious software to the DoD Cyber Crime Center (DC3), and give the DoD access to additional information or equipment needed for forensic analysis or damage assessment.
Remember, the deadline for compliance with DFARS 252.204-7012 is December 31, 2017. Failure to fulfill these requirements may lead to:
Termination for default or for convenience
Liability under the False Claims Act
Suspension or debarment by the Government
For all contracts (and subcontracts) awarded prior to October 1, 2017, contractors and subcontractors must notify the DoD Chief Information Officer, within 30 days of contract award, of any NIST SP 800-171 security requirements that were not implemented at the time of award.
Many subcontractors on DoD contracts have found that their prime contractors insist on compliance sooner than the date above, because the prime does not want to be liable for non-compliant subcontractors.
The cybersecurity clause with which all DoD contractors must comply is DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting", which carries a rapidly approaching compliance deadline of December 31, 2017. The clause requires all DoD contractors and subcontractors to (1) provide adequate security for all covered defense information on their information systems and (2) rapidly report to the DoD any cyber incident that affects covered defense information or the contractor's ability to perform operationally critical support.