DFAR Cybersecurity FAQs Provide Practical Guidance Highlighting Expansive Scope of Contractor Requirements

For defense contractors, January 1, 2018 brought with it not only a new year, but also a new era – an era in which contractors must comply with the entire set of more detailed cybersecurity requirements under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.  As we have flagged before on Data Matters, this DFARS provision applies to all Department of Defense (DOD) contracts (except for those involving commercial, off-the-shelf items) and places a number of substantial obligations on contractors, including that they comply with the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” and report certain cyber incidents to DOD.

With the requirements now in force, defense contractors have turned their attention from preparing for the compliance deadline to making sure they stay on top of their obligations in a world of constantly changing threats and technologies.  Recently, DOD took two important steps to help contractors in this latter regard, updating its frequently asked questions (FAQs) about the DFARS cybersecurity requirements and issuing draft guidance for procurements requiring the implementation of NIST SP 800-171.

Although a full discussion of these FAQs and draft guidance is beyond the scope of this short piece, they are both well worth a read.  The draft guidance – on which DOD is seeking comments by May 31, 2018 – contains two documents.  The first, titled DOD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented (hereinafter, “DOD Guidance”) prioritizes “the NIST SP 800-171 security requirements; addresses the method(s) to implement the security requirements; and when applicable, provides clarifying information for security requirements that are frequently misunderstood.”  The second document, titled Assessing the State of a Contractor’s Internal Information System in a Procurement Action, then describes how the DOD Guidance may be used to assess a contractor during a procurement.  These are key tools for any contractor.

The FAQs also cover a number of important topics – from the responsibilities of primes to flow down the DFARS requirements and to audit their sub-contractors (#8, #17, #19) to what to do when the DFARS requirements that have been flowed down to a foreign sub-contractor conflict with that sub’s local laws (#9) to how the DFARS requirements may interact with HIPAA (#34).

We believe the new FAQs concerning cyber incident reporting are of particular interest.  Under the DFARS cybersecurity provision, contractors must report certain cyber incidents to DOD within 72 hours; the provision further defines cyber incidents as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”  One FAQ (#35) makes clear that “the discovery of malware on a contractor information system or network that was not blocked” is an event with a “potentially adverse effect,” even though the malware “may or may not have affected covered defense information.”  Another FAQ (#36) makes clear that the following situation would also constitute a “potentially adverse effect”:  a “workstation without covered defense information,” but that is part of a contractor’s covered information system, “has antivirus software installed and operating, but malware gets through the antivirus software and gets installed and not activated on the workstation.”  In short, FAQs like these (and others in the new document) make clear the substantial breadth of the DFARS reporting requirement – “potentially adverse effects” are not merely those where a contractor thinks there may have been an incident but just hasn’t gotten to the bottom of it.  Rather, the FAQs make clear that this part of the reporting trigger covers the installation of malware even if it remains inactive.

The new information released by DOD thus underscores what contractors already knew – DOD takes cybersecurity very seriously.  Given this, and the potential consequences of noncompliance – e.g., termination, False Claims Act investigations and lawsuits, suspension and debarment – contractors must show an equally serious commitment to protecting DOD’s information and safeguarding their networks.