Cyberattacks are an increasing threat. Deputy Defense Secretary Patrick Shanahan said that the Pentagon wants to set the bar for protecting against cyber incidents “so high that it becomes a condition of doing business.” The DoD’s final rule on Safeguarding Covered Defense Information and Cyber Incident Reporting institutes new safeguards and increased reporting requirements targeted at protecting covered defense information and reducing these cyber incidents. Berenzweig Leonard’s Steve Britt answers some questions about the regulation and its requirements.
Q: Steve, tell us a little bit about your background.
A: I started my career serving in four different Federal agencies in prior administrations. After leaving the government, I’ve focused my practice on corporate and technology law. I spend about 50% of my time these days on cybersecurity.
Q: Now that DoD’s Network Penetration Clause is in effect, what should government contractors be doing?
A: Well, let’s set some context, as this subject is so complex.
DFARS 52.204-7012 creates a new definition of “Covered Defense Information” and sets rules for the protection of that data and the systems that store it.
Contractors must satisfy NIST SP 800-171 if they hold this data and are subject to this clause.
The clause flows down to lower tier subcontractors and requires all contractors to protect this data and report cyber incidents to DoD within 72 hours of discovery.
These requirements became effective on December 31, 2017.
Q: So must every covered contractor now be in compliance with NIST-171?
A: Well, yes and no. Every covered contractor must have taken steps to implement the NIST requirements, but they are not required to have completed them. There are 110 controls, and DoD recognizes that the entire certification process takes time.
But what the contractor must have done is prepare a System Security Plan (SSP) that analyzes its entire network against those standards and create a Plan of Action for how its network deficiencies will be corrected.
Contractors must not leave themselves vulnerable to not having made a good-faith effort to comply, and a comprehensive SSP is the starting place.
DoD does not require that SSPs be submitted to the Department (they contain very sensitive data), but prime contractors are likely to ask if they exist. Contractors must be wary of false claims liability, as bidding on solicitations that contain this clause constitutes the contractor’s self-certification that it will comply.
Q: Do we know how DoD will enforce these requirements?
A: Well, in the event of an actual data breach – which may occur in the system of a prime or a subcontractor – all contractors in that supply chain can expect to be audited. Among the issues will be what the status of the contractor’s compliance was and what representations it had made about its status. We can expect bad actors to get burned.
The Department has also made clear that it may condition future solicitations on the contractor’s compliance with these cybersecurity requirements as part of the source selection process. Prime contractors have been taking these issues into account in teaming partner selections all year.
Q: Okay, so it has to be done. How expensive is this for small companies?
A: Well, expense must be taken in context, as putting yourself on the wrong side of this issue could sink your company.
But DoD recognizes that security is a process and not an event. So compliance has to fit into a reasonable budget, though with high priority and resource allocation, for sure.
A contractor needs to get an assessment of its network and determine what data it is holding and how. It has to assess – and continuously monitor – its operational vulnerabilities, from unpatched software to access control.
But there are good options in these areas that will get you started and not put you out of business. We can make solid recommendations to clients if they need help. The legal and regulatory environment is evolving every day and each change creates even more complexity. Contractors must not trap themselves by thinking compliance can be avoided.
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, legal updates, events, and more. This post was published in the February 2018 Monthly Insights newsletter.