Just this past September, the Navy issued a policy memorandum, effective immediately, entitled “Implementation of Enhanced Security Controls on Select Industrial Base Partner Networks.” It called for stricter cybersecurity requirements for critical defense contractors under DFARS 252.204-7012 (the “7012 Clause”).
The memorandum required a new Contract Data Requirements List (CDRL) for selected contracts and asked Navy program officers to provide a list of the current and future contracts to which it will apply (due October 28, 2018). The 7012 Clause already required contractors to comply with the 110 controls in NIST SP 800-171, but to date, implementation of that clause did not require that a System Security Plan (SSP) show that all controls had been fully implemented.
The Navy memorandum takes these requirements several key steps further:
- SSPs must be “fully implemented” and available for evaluation and approval,
- Multifactor authentication must be implemented,
- Encryption must be implemented for sensitive data at rest,
- CUI must be physically and logically segregated from contractor-owned information, and
- Contractors must agree to permit NCIS to install sensors on contractor systems if threats or vulnerabilities are detected.
All Navy contractors who could be affected by this memorandum need to make sure their System Security Plan (SSP) and Plan of Action and Milestones (POAM) are fully implemented and updated as soon as possible. Don’t forget the incident response, continuous monitoring, and training requirements either.
Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, events, and more. This post was published in the November 2018 Monthly Insights newsletter.