Contractors that hold contracts with the Department of Defense must be compliant with any Defense Federal Acquisition Regulation Supplement (DFARS) clauses specified in their contracts. DFARS is a set of acquisition regulations that govern the way the Federal Government acquires goods and services. Failure to follow some clauses of the DFARS may lead to early termination of the contract, making DFARS compliance an existential issue for contractors. In a worst-case scenario, failure to comply with contractual DFARS clauses could lead to a contractor losing all of their work with the DOD. One pertinent regulation with which contractors must be familiar is the DFARS clause defining cybersecurity standards. This clause requires contractors to implement the requirements identified in the National Institute of Science and Technology (NIST) Special Publication 800-171. This particular standard addresses the storage and transmission of Controlled Unclassified Information (CUI).
Oftentimes, in the course of their performance of a government contract, contractors come into possession of CUI. The definition of CUI is non-classified information for which government regulation requires safeguarding or disseminating controls. While unclassified, protection of this information is still in the national interest. This could involve private information, the disclosure of which would damage the person or entity who owns that information. In the past, this information was given the designation of “Sensitive but Unclassified.”
Although the worst-case scenario involves loss of contracts, it is ultimately the Contracting Officer’s responsibility to determine what action to take for noncompliance. For contracts involving CUI, attestation of compliance is a prerequisite for submitting bids for future DOD contracts. Small contractors who act as subcontractors to prime contractors can expect their primes to be vigilant about ensuring their compliance, as contractual clauses typically flow down to subcontractors.
For smaller contractors, the issue has become how to best find a compliance strategy for these rules. Compliance will usually revolve around having sound controls and a reporting mechanism. The rule first requires that contractors have adequate security on covered information systems. The DFARS cyber clause is also focused on prompt reporting of cybersecurity incidents. The regulation states that if a cybersecurity incident occurs, the contractor must provide the DOD with an incident report, the malicious software and access to the contractors’ information systems upon request. The good news for contractors is that the rules state that the occurrence of an incident is not an automatic implication that the contractor failed to protect CUI. However, contractors should be prepared for enhanced scrutiny by the government of their systems in the event of a cyber incident.
In such a case, contractors should be prepared to disclose what actions they took to comply with the DFARS cyber clause. This may include submitting evidence of implementation of each requirement in the contractors System Security Plan. Contractors will have to recognize that they are partners with the government in safeguarding this information.
For contractors, the question they will ask first is what constitutes adequate security when it comes to DFARS compliance. This is addressed by the aforementioned NIST SP 800-171 standard. The standard has 110 security requirements that can fall into one of fourteen categories. At a minimum, contractors must describe how they have implemented, or plan to implement, the safeguards described in the special publication. These rules apply in all cases when CUI resides on a contractor network, whether that environment constitutes on-premise servers, an internal cloud as a component of an internal enterprise network system, smartphones or tablets, or any other data processing system.