Cyber Security Compliance
Historically, compliance with CyberSecurity best practices was seldom a primary consideration for Government Contractors operating in contingency areas. Recent developments, however, have necessitated a corporate focus on DoD’s new CyberSecurity mandates as identified in two important clauses: the Compliance Clause located at DFAR 252.204-708; and the Safeguarding Clause contained in DFAR 252.204-7012.
DFAR 252.204-708 elicits a promise from the contractor that if they receive the award of a contract, they will implement the security mandates identified in the standard. It is prospective in its application.
Cyber Security Compliance Program
DFAR 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The standard mandated by the clause is one of “adequate security” as identified in NIST standard SP800-171 on the systems that are “covered” by the regulation. The contractor must have prepared a Systems Security Plan (“SSP”) showing how the standards are met and must produce it if requested by the administrative contracting officer. The standard also mandates reporting of a security breach within 72 hours of discovery. The “covered systems” should not be confused with those containing information classified as secret and above. On the contrary, the regulations mandate that adequate security be provided on a broad range of unclassified information. This application impacts information held by both prime and subcontractors.
The standards referenced above apply to information that could create a risk to, among other categories, troop safety and security. Consequently, most LOGCAP contractors and their subcontractors can expect that they will be in possession of covered information that must be protected. If a breach occurs, reporting to the cognizant contracting officer for further action is mandated. A breach by itself does not mean there was a violation of the DFAR. It is certain, however, that the DCMA or other Administrative Contracting Officer, working with law enforcement and the requiring activity, will want to see a copy of the contractor’s SSP to determine whether the plan was followed.
The staff at McCAHON Law can assist your company in the preparation of the SSP and the accompanying plan of action for you and your subcontractors. We use a risk-based approach to this endeavor, tailoring the SSP to your particular company, while providing for all of the NIST controls.
We are experienced and trained in both the legal and technical aspects of CyberSecurity for contractors. Our team consists of highly trained and certified personnel, including certification in CyberSecurity from GIAC supported by staff members trained in CyberSecurity by organizations including SANS, the American Bar Association, and Georgetown Law School.