Deadline for DFARS Cybersecurity Compliance Approaching
Last week, I spoke in Portland, Oregon about cybersecurity requirements for federal contractors at an all-day seminar hosted by the Pacific Northwest Defense Coalition. Speakers from the Department of Defense, the FBI, and consultants specializing in cybersecurity compliance offered interesting (and sometimes differing) perspectives on compliance, which led to candid and robust discussion. Many thanks to Kate Kanapeaux and PNDC for having me.
As was again made clear by DoD last week, it is the Government’s expectation that defense contractors will be in compliance with DFARS 252.204-7012 by the end of the year.
This is no small undertaking, and will require thoughtful study of key documents such as NIST SP 800-171 and NIST SP 800-53. I would recommend that federal contractors take advantage of resources offered by DoD (e.g., DoD’s “cybersecurity procurement toolbox”), as well as review the memorandum issued by the Office of the Undersecretary of Defense just last month. This memorandum, which is titled “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” is directed to Government acquisition personnel. It nevertheless offers an insightful perspective on DoD’s expectations for contractor compliance, and highlights the significance of documenting a contractor’s implementation, and planned implementation, of the NIST SP 800-171 security controls. It also discusses the various means by which contractors can expect to see cybersecurity requirements incorporated into the source selection process. These include, for instance, placing unique cybersecurity requirements within the proposal instructions and evaluation criteria (sections L and M of the solicitation), establishing compliance with regulatory requirements (e.g., DFARS 252.204-7012) as a separate technical evaluation factor, requiring that proposals identify any security controls that will not be implemented at the time of award (an interesting, if not risky, proposition), and stating in the solicitation that all security requirements in NIST SP 800-171 must be implemented at the time of award.
We welcome your thoughts and comments.