May 152018

DFAR Cybersecurity FAQs Provide Practical Guidance Highlighting Expansive Scope of Contractor Requirements

Colleen Theresa Brown and Christopher Fonzone
, , ,

For defense contractors, January 1, 2018 brought with it not only a new year, but also a new era – an era in which contractors must comply with the entire set of more detailed cybersecurity requirements under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.  As we have flagged before on Data Matters, this DFRAS provision applies to all Department of Defense (DOD) contracts (except for those involving commercial, off-the-shelf items) and places a number of substantial obligations on contractors, including that they comply with the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” and report certain cyber incidents to DOD.

With the requirements now in force, defense contractors have turned their attention from preparing for the compliance deadline to making sure they stay on top of their obligations in a world of constantly changing threats and technologies.  Recently, DOD took two important steps to help contractors in this latter regard, updating its frequently asked questions (FAQs) about the DFARS cybersecurity requirements and issuing draft guidance for procurements requiring the implementation of NIST SP 800-171.

Although a full discussion of these FAQs and draft guidance is beyond the scope of this short piece, they are both well worth a read.  The draft guidance – on which DOD is seeking comments by May 31, 2018 – contains two documents.  The first, titled DOD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented (hereinafter, “DOD Guidance”) prioritizes “the NIST SP 800-171 security requirements; addresses the method(s) to implement the security requirements; and when applicable, provides clarifying information for security requirements that are frequently misunderstood.”  The second document, titled Assessing the State of a Contractor’s Internal Information System in a Procurement Action, then describes how the DOD Guidance may be used to assess a contractor during a procurement.  These are key tools for any contractor.

The FAQs also cover a number of important topics – from the responsibilities of primes to flow down the DFARS requirements and to audit their sub-contractors (#8, #17, #19) to what to do when the DFARS requirements that have been flowed down to a foreign sub-contractor conflict with that sub’s local laws (#9) to how the DFARS requirements may interact with HIPAA (#34).

We believe the new FAQs concerning cyber incident reporting are of particular interest.  Under the DFARS cybersecurity provision, contractors must report certain cyber incidents to DOD within 72 hours; the provision further defines cyber incidents as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”  One FAQ (#35) makes clear that “the discovery of malware on a contractor information system or network that was not blocked” is an event with a “potentially adverse effect,” even though the malware “may or may not have affected covered defense information.”  Another FAQ (#36) makes clear that the following situation would constitute a “potentially adverse effect”:  a “workstation without covered defense information,” but that is part of a contractors covered information system, “has antivirus software installed and operating, but malware gets through the antivirus software and gets installed and not activated on the workstation” without covered defense information.  In short, FAQs like these (and others in the new document) make clear the substantial breadth of the DFARs reporting requirement – “potentially adverse effects” are not merely those where a contractor thinks there may have been an incident, but just hasn’t gotten to the bottom of it.  Rather, the FAQs make clear that this part of the reporting trigger covers the installation of malware even if it remains inactive.

The new information released by DOD thus underscores what contractors already knew – DOD takes cybersecurity very seriously.  Given this, and the potential consequences of noncompliance – e.g., termination, False Claims Act investigations and lawsuits, suspension and debarment – contractors must show an equally serious commitment to protecting DOD’s information and safeguarding their networks.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Christopher Fonzone

cfonzone@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).