Deadline Looming on New Cybersecurity Standards for Defense Contractors
In order to hold defense contracts beyond December 31, 2017, companies must comply with a more rigorous set of IT security requirements (DFARS 252.204-7012 and NIST SP 800-171), which many firms are finding difficult to understand or implement. With the government's self-assessment workbook weighing in at 164 pages, it is easy to see why.
In preparation, MANTEC has developed relationships with partners who can assess your current practices against the requirements and offer guidance and solutions to close the gaps.
We urge affected contractors (and sub-contractors) to act immediately to avoid jeopardizing this segment of their business. Give us a call for a professional review of your situation. 717-843-5054.
Here is a summary of what the clause requires, with the DFARS source for each item:
- Acquire a DoD-approved medium assurance certificate, which is required to report cyber incidents. (Source: DFARS 252.204-7012(c)(3))
- Provide adequate security for all covered defense information on all covered contractor information systems that support the performance of work under the contract. (Source: DFARS 252.204-7012(b))
- For cloud computing – For covered contractor information systems that are part of an IT service or system operated on behalf of the Government, provide the administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG) in effect at the time the solicitation issues or as authorized by the Contracting Officer, and any other security requirements specified in the contract. (Source: DFARS 252.204-7012(b)(1)(i))
- For other than cloud computing – Implement the security requirements in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in effect at the time the solicitation issues or as authorized by the Contracting Officer, or alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection, approved in writing by an authorized representative of the DoD Chief Information Officer prior to contract award. (You can read a summary of the NIST SP 800-171 guidelines here.) (Source: DFARS 252.204-7012(b)(1)(ii))
- For both – Apply other information systems security measures when the contractor reasonably determines that security measures in addition to those above may be required to provide adequate security in a dynamic environment, based on an assessed risk or vulnerability. (Source: DFARS 252.204-7012(b)(2))
- Train Your Employees – Adopt employee policies and procedures to govern access, and train employees on those policies and procedures before they obtain access to the information. (Source: DFARS 252.204-7009(b)(3))
- Investigate a compromise – When a cyber incident is discovered that affects a covered contractor information system, covered defense information, or the contractor's ability to provide operationally critical support, conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This includes analyzing the covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the contractor's network(s) that may have been accessed as a result of the incident, in order to identify compromised covered defense information or effects on the contractor's ability to provide operationally critical support. (Source: DFARS 252.204-7012(c)(1)(i))
- Rapidly report (within 72 hours of discovery) the cyber incident to DoD and, if you are a subcontractor, to the prime contractor. Incidents are reported to DoD through the DIBNet portal at https://dibnet.dod.mil, which is where the medium assurance certificate above is needed. (Source: DFARS 252.204-7012(c)(1)(ii))
- Identify, isolate, and provide a copy of the malicious software in accordance with instructions from the Contracting Officer. (Source: DFARS 252.204-7012(d))
- Preserve and protect images of all known affected information systems and all relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report, to allow DoD to request the media or decline interest. (Source: DFARS 252.204-7012(e))
- Provide access, upon request by DoD, to additional information or equipment necessary to conduct a forensic analysis. (Source: DFARS 252.204-7012(f))
- If DoD elects to conduct a damage assessment, provide all of the damage assessment information gathered in connection with the media preservation and protection provisions of DFARS 252.204-7012(e). (Source: DFARS 252.204-7012(g))
- When providing information, to the maximum extent practicable, identify and mark attributional/proprietary information so that DoD can safeguard the contractor's attributional and proprietary information. This matters because information obtained under this clause may be used and released outside of DoD for the purposes and activities authorized by DFARS 252.204-7012(i) and "for any other lawful Government purpose or activity", subject to the restrictions on the Government's use and release of such information in DFARS 252.204-7012(j). (Source: DFARS 252.204-7012(h))
- Conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data. (Source: DFARS 252.204-7012(k))
- Include the substance of this clause in all subcontracts, including subcontracts for commercial items, and require subcontractors to rapidly report cyber incidents directly to DoD and to the prime contractor. (Source: DFARS 252.204-7012(m))