If you think the government is only concerned about protecting classified information, you can think again. Recent hacks and breaches have brought on additional executive legislation regarding Controlled Unclassified Information and Improving Critical Infrastructure Security (Executive Order 13556 and 13636 respectively). In response to these Executive Orders, new guidance has been issued.
- National Institute of Standards and Technology (NIST) Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
- This publication gives contractors guidance in implementing security controls and protecting Controlled Unclassified Information.
- DFAR 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting. Additional guidance was also issued in DFAR 204 – 2008, 252.204-2009 and 252.204-7010.
- DoD issued new guidance in Safeguarding Covered Defense Information and the reporting of Cyber Incidents. These publications also reference NIST SP 800-171.
- Promised future OMD and additional DFAR issuances regarding Improving Cybersecurity.
You may have noticed the DFAR clauses added to your contracts in recent MODS.
What does this terminology mean?
Below are definitions directly from the publications
Controlled Unclassified Information (CUI): Any information that law, regulation or government wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526.
Covered Defense Information (CDI): Unclassified information that is 1) provided to the contractor by or on behalf of DoD in connection of the performance of the contract or 2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract and falls within the categories listed in the clause.
Covered Contractor Information System: an information system that is owned or operated by or for, a contractor and that processes, stores or transmits covered defense information.
When do these regulations go into effect?
According to DFAR 252.204-7012, “…as soon as practical, but no later than December 31, 2017.” It goes on to specify that “the Contractor shall notify the DoD CIO… within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.”
How could these regulations impact my contracting business?
A breach or cyber incident will require immediate reporting of the breach that occurred. There could also be termination of existing contracts or decline of future contracts due to lack of compliance. To say the least, this would lead to operational and financial difficulties. Contractors are also required to ensure their subcontractors compliance.
There will also be the additional costs of compliance to consider which could be substantial. There are discussions in the government as to whether these costs will be directly billable to the contracts affected. No determination has been made as of the date of this article. Keep in contact with your PRIME as well as your government agency to learn of the final decision.
What should I do?
- Review current contracts and future contract opportunities to determine where CUI and CDI exist and where the MODS adding DFAR 252.204-7012 have been added.
- Evaluate current controls to determine whether compliance is in line with the new regulations.
- Develop a plan to implement needed controls.
- Talk to your PRIMES/Government Agency to see if they have any guidance regarding these regulations.
- Involve Cybersecurity experts to help access controls, compliance requirements and future needs/costs.
To find out more about how JAMIS Cloud Services can help your organization prepare for these challenging federal compliance standards, contact us today at info@jamis.com.
JAMIS is a proud to partner with Hall Albright Garrison & Associates, P.C. (HAGA). For more information about HAGA, visit the firm’s website here.