Federal government contractors, especially those who do business with the Department of Defense (DoD), should expect cybersecurity to continue to be an area of great concern to the federal government. On November 4, 2010, President Obama issued Executive Order 13556, Controlled Unclassified Information. The purpose of the executive order was to establish a uniform program for the federal executive agencies to manage controlled unclassified information (CUI). As a result of this executive order, the government implemented two key clauses applicable to government contractors: DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. Additional FAR agency supplement clauses are in the works. The Department of Homeland Security issued its own proposed cybersecurity clause in January 2017, and General Services Administration announced its intentions to issue its own cybersecurity clause in January 2018.
Currently, DFARS 252.204-7012 contains the more stringent requirements. DFARS 252.204-7012 is required to be included in all government contracts with DoD, except for contracts solely for the acquisition of commercial off-the-shelf items. As a result, DoD construction contracts should contain DFARS 252.204-7012.
DFARS 252.204-7012 imposes security and cyber incident reporting requirements on DoD contractors who have access to covered defense information (CDI). CDI is unclassified controlled technical information or other information that requires safeguarding or dissemination controls as described in the National Archives and Records Administration’s CUI Registry. Examples of potential CDI include engineering data, engineering drawings, and specifications. DoD contractors were supposed to have implemented the requirements of DFARS 252.204-7012 by December 31, 2017.
A requirement of DFARS 252.204-7012 is for the contractor to have adequate security to protect CDI residing on or transiting the contractor’s information systems. Adequate security is based primarily on the National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST 800-171 has 110 security controls with which DoD contractors must comply. The security controls address such things as access control, awareness and training, incident response, personnel security, and physical protection.
The good news is that DoD contractors don’t have to be fully compliant with all 110 NIST 800-171 standards in order to be considered to have implemented adequate security and be in compliance with DFARS 252.204-7012. Instead, DoD contractors generally will be considered to have implemented adequate security if they have performed an assessment of their current security measures against the NIST 800-171 standards, have a System Security Plan (SSP) in place that details their plan for ensuring the security of CDI, and have a Plan of Action and Milestones (POAM) that identifies the tasks that the contractor still needs to accomplish, the resources required to accomplish the plan, any milestones in meeting the tasks, and the scheduled completion dates for those milestones. The government still may request to review the SSP and POAM to determine if they are adequate.
DoD contractors who cannot meet a NIST 800-171 standard also can request a variance. The DoD Chief Information Officer will review the request and may grant the variance if the standard is not applicable or the contractor has an alternative, but equally effective, security measure in place. Such requests should be made prior to award (see DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls) but can be made after award.
In addition to having adequate security, DFARS 252.204-7012 also requires DoD contractors to rapidly report cyber incidents to DoD when the contractor discovers a cyber incident that affects: (1) a contractor information system that processes, stores, or transmits federal contract information; (2) CDI residing in the contractor’s information system; or (3) the contractor’s ability to perform operationally critical support requirements of the contract. Cyber incidents are actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. In addition to rapidly reporting, the contractor has to conduct a review for evidence of compromise of CDI.
Even if the contractor does not have a DoD contract, it still will be subject to cybersecurity requirements in FAR 52.204-21 if it has a government contract with another federal executive agency. FAR 52.204-21 requires federal government contractors to apply 15 safeguarding controls to protect contractor information systems when that information system processes, stores, or transmits non-public federal contract information. The 15 safeguarding controls include limiting access to the contractor’s information systems, controlling information posted or processed on publicly accessible information systems, and escorting visitors and monitoring visitor activity.
Contractors who are not yet compliant with the applicable FAR or DFARS cybersecurity clauses should take steps to do so. Some steps that contractors should take include:
Surety professionals may want to consider sharing this information with their construction clients.
This article is by Lori Ann Lange, Esq., a partner in the Washington, DC office of the law firm of Peckar & Abramson, P.C., who specializes in government contract law, bid protests, and corporate compliance counseling. She represents a range of government contractors, including construction contractors, major defense contractors, information technology contractors, and service contractors. She can be reached at firstname.lastname@example.org or 202.293.8815 ext. 7103.