By Rebecca Barbour, SBTDC/PTAC Counselor at North Carolina State University
Cybersecurity is a topic that continues to receive a lot of attention and discussion, particularly for federal contractors. The newest version of the DFARS clause, 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”, has many small businesses concerned as we approach the December 2017 deadline for compliance. If you are a small business engaged in defense contracts, or are considering entering that market, it is important to understand what this clause and its requirements may mean for your business.
It is important to understand that cybersecurity requirements for contractors are not new. The 2013 version of DFARS 252.204-7012 required contractors to provide security for covered information and referenced NIST SP 800-53, which detailed cybersecurity requirements for federal information systems. Because that publication was written for federal agencies and their internal information systems, contractors faced challenges in interpreting and implementing its standards for their own systems. In 2015, NIST published a new set of standards, SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, which was written specifically for federal contractors. Following that publication, DFARS clause 252.204-7012 was updated and expanded. Under the final DFARS regulation, contractors are required to provide “adequate security” for all covered contractor information systems that handle covered defense information. At a minimum, adequate security must meet the cybersecurity standards published in NIST SP 800-171. In addition to providing adequate security, contractors must also “rapidly report” cyber incidents to DOD through the Defense Industrial Base Cyber Security (DIB CS) program system.
DFARS 252.204-7012 is a mandatory clause for all contracts for non-COTS items. In other words, the clause will not be included in contracts that are only for commercial off-the-shelf products and services, and contractors that deal only in COTS acquisitions will not be affected by it. For contractors dealing with non-COTS items, the clause is mandatory for all contracts and must be “flowed down” to subcontractors. Covered defense information includes any controlled technical information (CTI) and other information as listed in the Controlled Unclassified Information (CUI) Registry. Examples of covered defense information include technical engineering drawings and data, or export-controlled items. Covered defense information will be identified in the contract and can include information developed in the performance of the contract. It does not include the contractor’s internal, incidental information, such as human resources or financial information. It is important to note that these are not “new” categories of covered information: previous versions of the DFARS clause already required that this information be protected, so contractors handling it should already have some safeguards in place.
What to Do?
With the December 2017 deadline for compliance looming, contractors need to be cognizant of their status and individual requirements. If you are unsure whether your contract includes covered defense information, you should immediately contact your contracting officer for clarification. If you are dealing with covered information, or intend to pursue contracts that include covered information, then you must become compliant with the NIST SP 800-171 standards. While this may seem onerous or intimidating for a small business, there are resources currently available, and under development, that provide insight into the requirements and the compliance process. Updates, FAQs, and tools are available online through the DOD Procurement Toolbox at www.dodprocurementtoolbox.com, with more information and guidance to come. Information and training are also available through the NIST Manufacturing Extension Partnership (MEP) program at https://www.nist.gov/mep/cybersecurity-resources-manufacturers.
DFARS 252.204-7012 http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm
CUI Registry https://www.archives.gov/cui
Defense Industrial Base Cybersecurity Program https://dod.dibnet.mil
DoD Procurement Toolbox www.dodprocurementtoolbox.com
NIST MEP Cybersecurity Resources https://www.nist.gov/mep/cybersecurity-resources-manufacturers