Since December 31, 2017, DoD contractors are required to have “implemented” DFARs Clause 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”) by the implementation of NIST 800-171 on their covered information systems.
For most of the past year, contractors have been told they mainly need to have System Security Plans (SSP) and Plans of Operations and Milestones (POAM). Recent actions indicate that the Department is both enhancing those security requirements and enforcing them throughout the supply chain.
On January 21, 2019, Undersecretary of Defense for Acquisition and Sustainment Ellen Lord issued a memorandum tasking DCMA to assess contractor compliance with these requirements as part of DCMA’s review of contractor purchase systems. Significantly, since the cyber clause must flow-down, these audits should “review contractor procedures for assessing compliance of their Tier 1 Level Suppliers” with the clause.
All contractors should get their compliance house in order. A new version of NIST 800-171 with enhanced controls is being developed and contractors must show that the POAMs they have created are actually implemented and updated.
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, events, and more. This post was published in the February 2019 Monthly Insights newsletter. To sign up for Monthly Insights, please click here.
Steve Britt is a Partner at Berenzweig Leonard and leads the firm’s Cybersecurity Law practice. Steve can be reached at sbritt@berenzweiglaw.com.