2 Looming Cybersecurity Deadlines for Government Subcontractors

12/31/17 – The latest date that contractors and subcontractors can continue to maintain and receive new defense related work unless certified for the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7008 requirements about protecting Controlled Unclassified Information (CUI). 

10/1/17 – Contractors and subcontractors receiving awards before this date must report their status within 30 days of their award date if they haven’t become certified for the DFARS clause 252.204-7008.

These regulations involve cyber incident reporting and the protection/dissemination of information related to government work that is in the category of Controlled but Unclassified. Let’s pick this language apart:

  • Unclassified information – information that is not subject to the government's national security classification system and so is often “unmarked”.
  • Controlled information – unclassified information requiring continued safeguards or dissemination controls consistent with laws, regulations and government-wide policies.

“Before entering into any government contract or subcontract, companies should be acutely aware of any applicable cyber or IT requirements and assess whether they have any compliance gaps.” (Pepper Hamilton, LLP)

These controls are documented in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. It lays out the 109 controls required to meet compliance. These requirements impact various technology and policy areas such as:

  • access controls and physical protection
  • employee security, awareness and training
  • audit and accountability
  • configuration management and media protection
  • identification and authentication
  • security and risk assessment
  • system and communication protection
  • system and information integrity
  • maintenance
  • incident response

The process to become compliant starts with conducting a gap analysis and determining a remediation approach for deficient areas. Activities also involve documenting controls and IT policies. Once the appropriate controls and documents are in place, businesses must monitor them for operating effectiveness. If controls are not applicable to the services provided, contractors can submit an exception request to the DoD Chief Information Officer (CIO).

Compliance with the DFARS regulations is likely to be required if there is a DFARS provision in the contract or if the work involves the use of Controlled Unclassified Information (CUI). This includes even smaller subcontractors in the federal supply chain with access to CUI. It also includes any cloud provider involved with defense contracts involving CUI.

CUI is defined as unclassified information used in connection with the performance of the contract, or information collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract. CUI has a broad definition and can be technical, administrative or operational in nature. It falls into the following 4 categories:

  • Technical Information
  • Critical information
  • Export control information
  • Contract marked or identified information requiring safeguards 

By now, most businesses with government contracts should be well on their way toward finishing the first two steps:

  • Conducting a gap analysis to determine how their current situation differs from the standard
  • Creating a plan for remediation with dates attached to the completion of the improvements
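The gap analysis, dated remediation plan, and DoD CIO exception list described above can be tracked in a simple self-assessment script. The following is an added example and is not code from the article or from NPI Technology Management. The requirement IDs and families are taken from NIST SP 800-171 with paraphrased one-line summaries; the implementation statuses, planned dates and justifications are constructed sample data, and the 12/31/2017 deadline is the one cited in the article.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# DFARS compliance date cited in the article.
DEADLINE = date(2017, 12, 31)


@dataclass
class Requirement:
    """One NIST SP 800-171 requirement and its assessed status."""
    req_id: str
    family: str
    summary: str
    status: str                          # "implemented", "planned" or "not_applicable"
    planned_done: Optional[date] = None  # target date for "planned" items
    na_justification: str = ""           # required when status == "not_applicable"


# Constructed sample assessment (IDs/families from SP 800-171, summaries paraphrased;
# statuses, dates and justifications are invented for illustration).
SAMPLE_ASSESSMENT: List[Requirement] = [
    Requirement("3.1.1", "Access Control",
                "Limit system access to authorized users, processes and devices", "implemented"),
    Requirement("3.3.1", "Audit and Accountability",
                "Create and retain system audit records", "planned", date(2017, 11, 15)),
    Requirement("3.5.3", "Identification and Authentication",
                "Multifactor authentication for privileged and network access", "planned", date(2018, 2, 1)),
    Requirement("3.6.1", "Incident Response",
                "Establish an operational incident-handling capability", "planned", date(2017, 10, 1)),
    Requirement("3.8.3", "Media Protection",
                "Sanitize or destroy media containing CUI before disposal or reuse", "implemented"),
    Requirement("3.13.11", "System and Communications Protection",
                "Use FIPS-validated cryptography to protect CUI", "not_applicable",
                na_justification="No CUI is stored or transmitted electronically on this contract"),
]


def gap_analysis(reqs: List[Requirement]) -> Dict[str, Dict[str, int]]:
    """Step 1: per-family counts of implemented, open (still planned) and N/A requirements."""
    summary: Dict[str, Dict[str, int]] = {}
    for r in reqs:
        fam = summary.setdefault(r.family, {"total": 0, "implemented": 0, "open": 0, "not_applicable": 0})
        fam["total"] += 1
        if r.status == "implemented":
            fam["implemented"] += 1
        elif r.status == "planned":
            fam["open"] += 1
        elif r.status == "not_applicable":
            fam["not_applicable"] += 1
        else:
            raise ValueError(f"unknown status {r.status!r} for {r.req_id}")
    return summary


def remediation_plan(reqs: List[Requirement], deadline: date = DEADLINE) -> List[dict]:
    """Step 2: open items ordered by target date; an item with no date or a date past the
    deadline is flagged at_risk so it gets attention before the compliance date."""
    open_items = [r for r in reqs if r.status == "planned"]
    # Undated items sort last: they have no plan at all.
    open_items.sort(key=lambda r: (r.planned_done is None, r.planned_done or date.max))
    return [
        {
            "req_id": r.req_id,
            "family": r.family,
            "planned_done": r.planned_done,
            "at_risk": r.planned_done is None or r.planned_done > deadline,
        }
        for r in open_items
    ]


def exception_requests(reqs: List[Requirement]) -> List[dict]:
    """Controls marked not applicable need an exception request to the DoD CIO; a request
    without a written justification is flagged so it is not submitted empty."""
    return [
        {"req_id": r.req_id, "justification": r.na_justification,
         "needs_justification": not r.na_justification.strip()}
        for r in reqs if r.status == "not_applicable"
    ]


if __name__ == "__main__":
    for family, counts in gap_analysis(SAMPLE_ASSESSMENT).items():
        print(f"{family}: {counts}")
    for item in remediation_plan(SAMPLE_ASSESSMENT):
        flag = "AT RISK" if item["at_risk"] else "on track"
        print(f"{item['req_id']} due {item['planned_done']} [{flag}]")
    for exc in exception_requests(SAMPLE_ASSESSMENT):
        print(f"exception request: {exc['req_id']} - {exc['justification']}")
```

Run as a script it prints the family summary, the dated plan and the exception list; in the sample data only 3.5.3 is flagged at risk because its target date falls after 12/31/2017, which is exactly the kind of item the monitoring step in the article is meant to surface early.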

Many of the key measures require creating policy statements, assigning people to be responsible and communicating the policy. Many items don’t involve huge hard-dollar costs and can often be done with internal resources. Policy templates are available at NIST and other websites.

Another good option is to attend Cybersecurity Compliance for Vermont DOD, GSA and NASA Contractors, a workshop being held by VMEC and Vermont PTAC on July 11 at the Williston campus of Vermont Technical College. 

Also feel free to contact me with any questions you have when preparing for these requirements. Everyone here at NPI Technology Management is committed to helping the impacted manufacturers to meet this deadline.

John Burton

Director of Research for the Vermont Futures Project

7 years ago

2017 is flying by. Are you watching for important technology security compliance deadlines? These are deadlines you don't want to miss!

