The Defense Federal Acquisition Regulation Supplement (DFARS) at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, mandates that certain cybersecurity procedures to safeguard unclassified Department of Defense (DoD) information provided to a Government contractor by the DoD and resident on the contractors computer equipment or handled by the contractor, must be in place to minimize cyber incidents and enhance reporting and damage assessment.
This DFARS clause requires that “covered contractor information systems” comply with the requirements of NIST 800-171, that is, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Chapter 3 of NIST 800-171 focuses on:
Awareness and Training
Audit and Accountability
Identification and Authentication
System and Communication Protection
System and Information Integrity
What information must be protected?
This DFARS clause only applies to “covered contractor information systems” (CCIS) that hold “covered defense information.” (CDI) which is unclassified, controlled technical information or other information provided by the US Government to the contractor described in the Controlled Unclassified Information Registry published by the National Records and Archives, AND that requires safeguarding or dissemination controls, AND is marked or otherwise identified in the contract, OR collected, developed, received, transmitted, used, or stored by the contractor.
This does not include information that is lawfully publicly available without restrictions. It does mean technical data as those terms are used in DFARS 252.227-7013, Rights in Technical Data, Noncommercial Items which includes:
Executable software code and source code;
Protected analyses and related information;
Research and engineering data;
Engineering drawings and related lists; and
Specs, standards, and process data.
These compliance procedures, though not retroactive, must be flowed down to lower-tier subcontractors if that subcontractor will handle “covered defense information”; a mandatory flow down requirement.
If a cyber incident is discovered, the contractor must conduct a review for evidence of compromise of the information including identifying the compromised computers, servers, specific data, and user accounts; and report the incident to the DoD within seventy-two (72) hours of discovery.
The contractor must:
Preserve images of affected information;
Protect those images from loss for a minimum of ninety (90) days from the date of the report of the breach;
Provide the DoD with access to all information;
Provide the DoD with access to all equipment; and
Allow the DoD to conduct its own analysis regarding the incident.
The cybersecurity requirements in the Federal Acquisition Regulation (FAR) are more limited. Most companies that store data already have compliance processes in place that satisfy the FAR cybersecurity requirements.
The FAR rules apply to “covered contractor information systems” meaning systems that process, store, or transmit “Federal Contract Information” which is information generated for or provided by the Government under a contract to develop or deliver a product or service but does not include any information which is legally publically available, or transactional information like information necessary to process contractor payment.
Regarding security for “Federal Contract Information”, the FAR rule does not require:
Mandatory cyber-incident reporting;
Strict breach response;
Data image collection for compromised data;
Forensic analysis; or
Strict compliance with NIST 800-171.
But the FAR does require:
Limiting access to authorized users;
The ability to identify information system users and processes acting on behalf of users or devices;
Controlling information that is processed or posted on a system that is publicly accessible;
Verification of connection to outside, external information systems;
Limitation on information system access to the types of transactions and functions that users are permitted to execute.
Authentication controls which stop unauthorized use;
Verification controls to stop unverified use;
Destruction of controlled information before disposal;
Limits on physical access to information systems to authorized users;
Monitoring visitors who use the system to protect external boundaries and key internal boundaries to the system;
Implement subnetworks if needed to satisfy FAR cybersecurity requirements;
Identification, timely reporting, and timely correction of system flaws; and
Installation, updating of anti-malware and anti-virus software, and periodic scanning of systems to protect confidential data
For the most part, FAR compliance is less cumbersome, and most companies that hold sensitive information in their computer equipment already have cyber-security systems in place which satisfy FAR compliance requirement.
The major difference from a practical viewpoint between FAR and DFARS cybersecurity requirements are rapid reporting; a better chance of audit in the event of a breach; stricter rules regarding post-incident preservation of images; forensic analysis; NIST 800-171 compliance requirements. Neither the DFARS nor the FAR cybersecurity requirements are applicable if the only item procured is a commercial off-the-shelf item.
DFARS and the FAR cybersecurity requirements are doable for most contractors dealing with protected information, but it is crucial that this extra burden is priced into the response to the applicable solicitation so that a compliance surprise does not cut deeply into the expected profit after award.