Government contractors are subject to cybersecurity requirements, found in the Federal Acquisition Regulation (FAR) and each agency’s supplement to the FAR, and some important deadlines are fast approaching. Set forth below is a high-level overview of cybersecurity requirements found in the FAR and the Department of Defense (DoD) FAR Supplement (DFARS).
The FAR requires government contractors that handle “federal contract information” to comply with 15 requirements for safeguarding that information. These requirements are similar to certain requirements found in NIST SP 800-171.
Under the FAR, “federal contract information” is defined as:
information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.
This is a broad category of information, and some commentators have suggested that it would apply to “virtually all” federal contracts.
DoD cybersecurity requirements apply to a more limited set of information but also have more stringent security requirements, plus an added breach notification component.
The DFARS clause applies to “covered defense information,” or CDI, which is defined as:
unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry . . . , that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
The first category of CDI is easy to identify, since the government must identify it in the contract. The second category is less clear-cut and can be ambiguous. During its June 23, 2017, Industry Information Day, the DoD provided some guidance, clarifying that the phrase “in support of the performance of the contract” in the second part of the CDI definition is not meant to include the contractor’s internal information (e.g., human resources or financial information) that is incidental to contract performance.
Importantly, contractors subject to the DFARS cybersecurity requirements must comply with NIST SP 800-171 by December 31, 2017—which is soon. Contractors using external cloud service providers are also required to use providers that are FedRAMP Moderate approved.
Interestingly, a contractor can be in compliance with NIST SP 800-171 without actually implementing all of the security requirements by December 31, 2017. A contractor is in compliance with NIST 800-171 as long as it has a “Security System Plan” and a “Plan of Action and Milestones” in place before December 31 that accurately document the way in which it intends to comply with the NIST SP 800-171 requirements, even if the contractor will not achieve full compliance with each of those requirements until after December 31.
However, for all contracts awarded prior to October 1, 2017, the contractor must notify the DoD chief information officer within 30 days of contract award of any security requirements specified by NIST SP 800-171 that were not implemented at the time of contract award. Individual contracting officers may also use compliance as an evaluation factor in solicitations.
Particularly with data breaches in the headlines on such a regular basis, it is important for government contractors to pay close attention to cybersecurity requirements, and stay on the leading edge of compliance. In addition to negative headlines, failure to comply with FAR and DFARS requirements can lead to government investigations and potential False Claims Act liability.