The Defense Federal Acquisition Regulation Supplement (DFARS) has been a central focus for contractors working with Covered Defense Information (CDI) on behalf of the United States Department of Defense. This new regulation, which took effect December 31st, 2017, takes the form of a contract clause (DFAR 252.204-7012) and requires that DoD contractors implement the 110 security controls found in the National Institute for Standards and Technology (NIST) Special Publication 800-171 Revision 1.
DFARS Implementation
At a minimum, this implementation requires contractors to perform an assessment of those information systems that store, process, or transmit CDI for compliance with NIST 800-171, and document this implementation in a System Security Plan (SSP). Areas which are found to be non-compliant must be documented in a Plan of Action and Milestones (PoAM) and managed towards remediation. While this regulation has had massive implications for DoD contractors large and small, as of yet, its reach has not extended beyond the defense and aerospace industries.
However, because nation-state sponsored cyber-espionage and other forms of cyber-attack have become a serious threat to all organizations that handle any form of sensitive or valuable information, new regulations have been proposed to protect this information outside of the defense space. Currently, the basic (non-defense) Federal Acquisition Regulation (FAR) incorporates only 15 of the 110 NIST 800-171 requirements. In the meantime, federal organizations are developing their own enhanced cybersecurity standards to get ahead of the potentially forthcoming changes to the FAR clause.
For example, the General Services Administration (GSA), a clearinghouse for federal procurement of goods and plan services, has proposed amendments to the GSA FAR Supplement (GSAR). This new supplement will impose enhanced control requirements on contractors who store, process or transmit unclassified GSA data. While the exact control requirements are still under development, existing federal cybersecurity requirements based on NIST controls are cited. Additionally, GSA has proposed an amendment which would impose breach and incident reporting requirements, similar to what is required under DFARS. These changes would affect nearly all contractors receiving contracts from GSA, and have far-reaching implications.
While the cybersecurity horizon is ever-changing, contractors to the federal government, in any capacity that requires access to federal data or information systems, should expect changes in contract language requiring implementation and documentation of enhanced security controls. Contractors who have a robust security program already in place will be best prepared to effectively navigate these changing regulations. In many cases, documented alignment with an existing industry standard, for example, NIST 800-171, NIST Cybersecurity Framework, or ISO 27001/2, is an excellent starting point for documenting compliance with the newly emerged regulation. Contact OCD Tech today for an assessment of your environment against industry standard security controls, in preparation for these forthcoming changes.
