On October 21, 2016, the United States Department of Defense (DoD) published a final rule updating the Defense Federal Acquisition Regulation Supplement (DFARS). The final rule replaced the earlier Unclassified Controlled Technical Information (UCTI) safeguarding rule and imposed more stringent cyber security standards. It also broadened the category of information that must be safeguarded, replacing UCTI with Covered Defense Information (CDI), which is defined by reference to the Controlled Unclassified Information (CUI) Registry, and set out more detailed safeguarding requirements for CDI. Reporting requirements were strengthened as well, with more prescriptive procedures for reporting cyber incidents.
The most important changes in this version of DFARS Clause 252.204-7012 include:
- All contractors that store, process or transmit CDI must implement the security requirements of NIST SP 800-171
- Contractors must report cyber incidents to the DoD within 72 hours of discovery
- Any NIST SP 800-171 requirements not yet implemented must be reported to the DoD Chief Information Officer (CIO) within 30 days of contract award
- The requirements flow down to all suppliers and subcontractors that store, process or generate CDI in the course of contract performance
What does this mean for contractors?
The updated DFARS rule affects every aspect of how DoD contractors fulfill their contracts. Compliance must be maintained at every tier of contract performance: the revised clause 252.204-7012 must be flowed down to suppliers and subcontractors that handle CDI, and they must achieve and maintain compliance as well. Failure to meet the requirements can jeopardize current contracts and eligibility for future awards.
The clause also obliges contractors to assess their current cybersecurity posture against NIST SP 800-171 and to notify the DoD Chief Information Officer (CIO), within 30 days of contract award, of any requirements not yet implemented; the clause set December 31, 2017 as the deadline for full implementation.
With cyber attacks escalating, the federal government is placing greater emphasis on addressing cyber security threats. Compliance standards will continue to expand and tighten as digital threats grow more sophisticated; contractors should expect the requirements to become stricter, not to relax.