As many contractors know well, federal and defense acquisition can be a complicated, rule-intensive process subject to frequent change. Fortunately, some recent changes appear to be well designed to provide greater protection of government contract information and defense-related information. Companies that regularly enter into federal government contracts and/or defense-related contracts should carefully review all regulations applicable to those practices, and take care to incorporate the updates described below into their practices.
First Update – Federal Acquisition Regulation Basic Safeguarding of Contractor Information Systems
In May 2016, the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA; together with DoD and GSA, the “Agencies”) issued a final rule, which is now in effect, imposing significant new information security obligations on government contractors by requiring the inclusion of information security-related statements in written acquisition plans for certain contract types, highly particularized information security-related language in contracting entities, and that same language in contractor agreements with subcontractors. Interestingly, the final rule is drafted with an eye to protecting information systems that may process, store, or transmit “Federal Contract Information,” which is defined as “information, not intended for public release that is provided by or generated for the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, as necessary to process payments.”
The most significant changes arise from the information security requirements that must be imposed in government contracts (and subcontracts). Those requirements will, in effect, mean that government contractors (and their subcontractors) are required to implement safeguards including:
- limitations on system access (both with respect to personnel and transactions allowed to provide access to the systems);
- verifications and controls on connections to external networks;
- sanitization or destruction of media containing Federal Contract Information;
- limitation of physical access to systems;
- visitor escorts, monitoring, and audit logs;
- monitoring, controls, and protections for organizational communications;
- implementation of subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
- timely identification, reporting, and correction of system flaws;
- protections from malicious code and updates to those protections.
Companies regularly engaged in governmental contracts should carefully review in-place practices to determine if they are able to comply with the newly imposed requirements, and review subcontractor engagement processes to ensure that they are in compliance with specific contracting requirements.
Second Update – NIST Special Publication (SP) 800-171 Compliance by December 31, 2017
In October 2016, the Defense Federal Acquisition Regulation Supplement (DFARS) was updated to require subject entities to implement the information security requirements set forth in Special Publication 800-171 from the National Institute of Standards and Technology (NIST), Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, before December 31, 2017. DFARS 252.204-7008.
The information security requirements applicable to defense information systems include requirements as may be imposed by contract, and particular security and diligence requirements for use of cloud computing services. DFARS 252.204-7012(b).
Although many defense contractors already have significant information security controls in place, strict compliance with Special Publication 800-171 may involve changes to operational practices and careful examination of in-place policies. Special Publication 800-171 includes particular requirements with respect to access controls, awareness and training, audit and accountability, configuration management, identification and multi-factor authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Contractors must submit requests for variances from Special Publication 800-171 for review by the CIO of the Department of Defense. DFARS 252.204-7012.
Perhaps most notably, DFARS now imposes an incident reporting requirement such that contractors must report “a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract” within 72 hours via an online portal provided by the Department of Defense. DFARS 252.204-7012(c).
Defense contractors and subcontractors that are registered with the Department of State, Directorate of Defense Trade Controls (DDTC) should consider submitting a voluntary disclosure to DDTC if a cyber incident includes the potential release of technical data (as defined in the International Traffic in Arms Regulations (ITAR)).