*This article first appeared in Law360 on December 18, 2017.
For well over a year, defense contractors have had New Year’s Eve 2017 circled on their calendars, and not because they love the “auld lang syne” and a good glass of champagne. (Or at least not only for those reasons.) Dec. 31, 2017, is the deadline for when covered contractors must comply with the U.S. Department of Defense’s new Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements. This holiday season contractors are thus making their lists and checking them twice in order to ensure that they will be compliant by the end of the year. And this intense focus is well warranted. The DOD is deeply committed to protecting its information, and the requirements are an important step in that regard.
But for all of the focus on Dec. 31, contractors must also remember that the focus on compliance must remain into the New Year — and beyond. New technologies will emerge. Contractors will buy new systems and hire new employees. And all the while, internal security teams will be trying to stay a step ahead of hackers and “white hat” security researchers. In short, despite contractors’ best efforts, gaps may be identified at any time. Moreover, these gaps may carry with them real consequences — not only the possibility of contract termination, but also the risk of costly and disruptive False Claims Act investigations and lawsuits, with the specter of treble damages, and the possibility of suspension and debarment, lurking. It is thus crucial that contractors continue to be vigilant about the regulations, and take steps to enable them to demonstrate their vigilance and compliance, in order to best position themselves to avoid liability.