December 31, 2017 is the deadline for DoD contractors to comply with the DFARS data safeguarding requirements. As we get closer to the deadline, cybersecurity expertise to support these efforts will be harder to hire and will likely demand higher rates. Don’t be in a position where either the federal government or your prime cuts you off because you can’t represent that you’re compliant with NIST SP 800-171.
Back on December 30, 2015, effective upon publication, the U.S. Department of Defense (DoD) published a three-page interim rule revising its earlier August 2015 interim rule on Safeguarding Covered Defense Information. 80 Fed. Reg. 81,472 (Dec. 30, 2015). The new interim rule gives contractors considerably more time to implement the requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. DoD issued this new interim rule without the prior opportunity for public comment “to provide immediate relief from the requirement to have NIST 800-171 security requirements implemented at the time of contract award.” Unfortunately, too many contractors took this relief to be more than just a delay. Half of the extra time has now passed. Some companies are well on their way to compliance; some haven’t even started.
Highlights of the new interim rule
Specifically, the interim rule amends the data safeguarding requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) as follows:
- Contractors are directed to implement the 800-171 requirements “as soon as practical, but not later than December 31, 2017.” Also, the interim rule has revised DFARS 252.204-7008(c)(1) to include a statement that an offeror “represents that it will implement” the 800-171 security requirements not later than December 31, 2017.
- Contractors must notify the DoD Chief Information Officer (CIO), within 30 days of award, of any 800-171 security requirement that has not been implemented at the time of contract award. Absent that notice, it appears that DoD will presume contractors are meeting all the 800-171 security requirements.
- Contractors are no longer required to have a written approval from the DoD CIO prior to contract award authorizing any “alternative but equally effective” security measures. The interim rule states that an “authorized representative of the DoD CIO” will “adjudicate” offeror requests to vary from the 800-171 requirements, prior to contract award, and any accepted variance “shall be incorporated into the resulting contract.” Revised DFARS 252.204-7008(c)(2)(ii).
- The new interim rule amends the DFARS flow down requirements as follows:
  - Previously, covered DoD contractors were required to flow down the substance of the safeguarding clause (DFARS 252.204-7012) to all of their subcontractors. Now, the exact text of the clause must be flowed down “without alteration,” except as needed to identify the contracting parties subject to the clause. However, the flow down of DFARS 252.204-7012 is now limited to subcontracts, “or similar contractual instruments,” that are (1) for operationally critical support or (2) for which subcontract performance will involve a covered contractor information system.
  - Similarly, DFARS 252.204-7009 is amended so that the exact clause must be flowed down without modification, except as needed to identify the contracting parties subject to the clause.
  - DoD subcontractors should expect that DoD prime contractors will flow down the relevant clauses out of an abundance of caution if there is any uncertainty as to whether a subcontractor will come across a covered contractor information system or “covered defense information” during subcontract performance.
- The new interim rule reiterates that, when the safeguarding clause (DFARS 252.204-7012) is flowed down, the prime contractor must also require subcontractors to “rapidly report cyber incidents directly to DoD at http://dibnet.dod.mil and the prime Contractor. This includes providing the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable.” Revised DFARS 252.204-7012(m)(2).
Are you well on your way to compliance? If not, we can help. If you don’t get help from us… get help somewhere.