With an eye toward securing potentially sensitive information, the U.S. Department of Defense has spent the past few years updating its cybersecurity regulations covering defense contractors and subcontractors. The major 2015 hack at the Office of Personnel Management has, among other incidents, served as a catalyst, and the new Defense Federal Acquisition Regulation Supplement, or DFARS, cybersecurity requirements are mandatory. Defense contractors — and any company working for them on defense contracts — must prepare for this change.
While contractors not in compliance can still win contracts today, they risk consequences — liability in the event of a breach, poor government performance ratings and the potential termination of contracts, among others. Contractors who have already addressed their compliance issues ahead of the Dec. 31 deadline, on the other hand, will enjoy a competitive advantage and avoid those consequences.
New mandated security measures include multi-factor authentication, ongoing monitoring and written company cybersecurity and breach response guidelines. Contractors are also required to report any cybersecurity breach to the DoD within 72 hours of discovery.
However, the application of new regulations has not been a hiccup-free process. Many contractors have been confused about which regulations take priority and how requirements have evolved over time.
And while the requirements are federal, they affect Texas more than most. In addition to hosting 15 active military bases — including the two largest in the country — Texas is home to numerous defense contractors whose compliance status will play an important role in the state’s economy.
Regulations are under the title “Safeguarding Covered Defense Information and Cyber Incident Reporting,” which will require contractors to implement the security controls found in National Institute of Standards and Technology Special Publication 800-171. A set of cloud-specific regulations is also covered under the title “Cloud Computing Services.”
Contractors or subcontractors have 30 days from the award of a contract to report their compliance status, and they have until the Dec. 31 deadline to be in compliance.
The DoD has made it clear that the new regulations are a priority and it will not work with noncompliant companies in 2018, so contractors need to act quickly. The process involves assessing current compliance, outlining remedial steps and implementing changes and ongoing conformance practices. It can take several months to achieve compliance, so contractors need to begin their assessments now if they haven’t already.
Of course, confusion about the requirements has affected whether contractors have begun compliance efforts — or when they did so — but the DoD has released an updated set of FAQs so contractors can get on track.
For instance, contractors wondered whether certain federal regulations — like the National Archives and Records Administration’s ruling on the protection of controlled unclassified information — conflicted with DFARS. Misunderstandings like this have intimidated some contractors, but the DoD’s FAQs make it clear they’re not in conflict.
Questions surrounding the cloud have also created confusion. The DoD has now clarified that for contractors using their own internal clouds, NIST Special Publication 800-171 rules apply. For contractors using external cloud providers, they must ensure that those vendors meet the standards of the Federal Risk and Authorization Management Program’s “Moderate” baseline.
While it’s tempting to view compliance as merely another regulatory burden, the process presents an opportunity for contractors to review their IT setup and plan their technology roadmap going forward, including planning for upgrades that can boost productivity and save money. Contractors and subcontractors who haven’t started conducting an assessment already risk falling behind — getting started immediately should be their top priority.
Magnet Solutions Group offers thorough cybersecurity compliance consulting and remediation services.. If your company is not currently fully compliant or needs to assess its level of compliance, please call us at 512.298.2101.
(This article originally appeared in Austin Business Journal.)