COUNTING DOWN TO DEADLINE FOR DoD REQUIREMENTS FOR SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBERSECURITY INCIDENT REPORTING

Authored by Managing Partner Michael L. Sterling, msterling@vanblacklaw.com; 757.446.8626

Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 goes into effect on December 31, 2017. This “Cyber Clause” applies to most companies that do business directly with the Department of Defense, as well as to subcontractors and vendors. The Cyber Clause applies to Covered Defense Information (CDI), which is broadly defined to include almost all nonpublic information. If the Cyber Clause applies to your work, your information system that contains CDI must be compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 1. For all contracts awarded prior to October 31, 2017, contractors are required to notify the government of any security requirements specified by NIST SP 800-171 that were not implemented at the time of award. When a contractor discovers a cyber incident that affects a covered contractor information system or CDI, the contractor must analyze the incident and rapidly report it to the government.

To avoid or reduce the cost of compliance, you need to determine as soon as possible whether a contract includes CDI. This should be done at the pre-bid stage and continue after contract award. Once you determine the scope of the identified CDI, you can evaluate which steps to take for compliance. These may include: (1) bringing your entire information system into compliance, likely the most costly method; (2) disputing the identification of the CDI to reduce its scope; (3) proposing alternative, less costly security measures; (4) establishing a segregated in-house information system that is NIST compliant; and (5) adjusting your prices and rates to account for the cost of compliance.

In almost every circumstance compliance will be costly and time-consuming, but the penalty for non-compliance could be substantial. For more information, please contact the authoring attorney.
