Regardless of your legal experience or scope of practice, you’ve probably heard about the Department of Defense’s Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity compliance measures that came into effect at the beginning of this year, otherwise collectively known as DFARS 252.204-7012.
Let’s explore them in detail to find out what they could mean for you and your clients.
What’s the Scope of These Regulations?
If you have clients with Department of Defense (DoD) contracts that store, process or transmit covered defense information, they’re subject to the DFARS 252.204-7012 regulations. However, you may not be certain what constitutes covered defense information.
It’s data which is unclassified technical or other information in the CUI Registry that necessitates safeguards or controlled methods of dissemination. Other stipulations have to apply too.
Besides those above, the information must be marked or contractually identified and given to a contractor by the DoD to support the capability of carrying out the contract’s terms. If that does not apply, the material could also be handled in a variety of ways by the contractor working for the DoD during the span of the contract. They include:
What Must Contractors Do to Remain in Compliance?
The DFARS 252.204-7012 clause has several rules that DoD contractors and their legal representatives must remain aware of to stay compliant. One thing to remember is that it is in the government’s best interests to ensure the security of a contractor’s proprietary information, which in turn promotes the longevity of that establishment.
The first component of DFARS 252.204-7012 involves protecting the information described above through what’s known as NIST SP 800-171, Protecting CUI in Nonfederal Information Systems and Organizations. Put simply, its purpose is to keep confidential information secure when it’s stored in non-federal repositories.
Contractors working for the DoD typically had to implement the NIST SP 800-171 guidelines by December 31, 2017. For all contracts awarded before October 2017, contractors had 30 days to notify the DoD of any reasons why their current processes did not comply with NIST SP 800-171. It was also necessary for the contractor to create a statement explaining why that was the case and describing the alternative, comparable security measures.
The next part of DFARS 252.204-7012 relates to reporting cybersecurity incidents and the process for doing so. If they’re associated with covered defense material and information or affect a contractor’s ability to perform roles that are critical to the operation spelled out in the contract, that entity must report the issue on an incident collection form.
If it is determined that there was malicious software on a contractor’s system that contributed to the event, the contractor must submit it to the DoD’s Cyber Crime Center. Additionally, the DoD can decide to formally assess the damage caused by the cybersecurity attack. If that happens, the contractor is required to surrender media and materials that could aid in carrying out that evaluation.
Could the DoD Verify a Contractor’s Compliance or Lack Thereof?
As a legal professional, one of the questions that likely comes to mind is whether the DoD has the power to check for DFARS 252.204-7012 compliance. This clause does not include a facet that requires the DoD to monitor compliance or ask for documentation that verifies it. In fact, the DoD will not accept related third-party certifications as proof.
However, by signing any contract that’s in effect after the start of 2018, a contractor is bound to adhere to DFARS 252.204-7012 by the nature of the content in the contract. Failing to do so could lead to a breach of contract allegation.
What Are Some of the Proactive Steps Contractors Should Take?
If you work in the areas of cybersecurity law or contract negotiations, DFARS 252.204-7012 is likely particularly applicable to the ways you assist clients. There are several recommended actions contractors could take to minimize the chances of unknowingly being noncompliant.
For example, they must communicate with subcontractors to verify those entities are also following the mandatory requirements of DFARS 252.204-7012. Subcontractors report cybersecurity incidents to the DoD themselves, but guidance from that government body suggests that primary contractors check with subcontractors to see if the information they handle while performing the requirements of a contract falls under covered defense information.
Also, in the case of a contractor’s documents that outline security measures for maintaining compliance, the DoD recommends marking those materials to designate that they contain proprietary or sensitive information.
Bear in mind that contractors need not apply DFARS 252.204-7012 to contracts retroactively. However, if an existing contract put into effect gets modified, it must accommodate the clause. Therefore, vigilance about contractual updates is essential.
This brief overview should get you on board about the crucial elements of DFARS 252.204-7012. Your awareness of them could help your professional efforts as well as your clients.