*This is the third post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post provides a handy compliance checklist relating to the new DoD cyber security regulations.
- Acquire a DoD-approved medium assurance certificate, which is required to submit cyber incident reports to DoD. (Source: DFARS 252.204-7012(c)(3))
- Provide adequate security for all covered defense information on all covered contractor information systems that support the performance of work under the contract. (Source: DFARS 252.204-7012(b))
- For cloud computing – For covered contractor information systems that are part of an IT service or system operated on behalf of the Government, provide the administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG) in effect at the time the solicitation issues or as authorized by the Contracting Officer, and any other security requirements specified in the contract. (Source: DFARS 252.204-7012(b)(1)(i))
- For other than cloud computing – Implement the security requirements in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, in effect at the time the solicitation issues or as authorized by the Contracting Officer, or alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection, approved in writing by an authorized representative of the DoD Chief Information Officer prior to contract award. (You can read our summary of the NIST SP 800-171 guidelines here.) (Source: DFARS 252.204-7012(b)(1)(ii))
- For both – Apply other information systems security measures when the contractor reasonably determines that measures in addition to those above may be required to provide adequate security in a dynamic environment, based on an assessed risk or vulnerability. (Source: DFARS 252.204-7012(b)(2))
- Train your employees – Adopt employee policies and procedures to govern access, and train employees on those policies and procedures before they obtain access to the information. (Source: DFARS 252.204-7009(b)(3))
- Investigate a compromise – When a cyber incident is discovered that affects a covered contractor information system, covered defense information, or the contractor’s ability to provide operationally critical support, conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This includes analyzing the covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the contractor’s network(s) that may have been accessed as a result of the incident, in order to identify compromised covered defense information or effects on the contractor’s ability to provide operationally critical support. (Source: DFARS 252.204-7012(c)(1)(i))
- Rapidly report (within 72 hours of discovery) the cyber incident to DoD at http://dibnet.dod.mil and, if you are a subcontractor, to the prime contractor. Submitting the report requires the medium assurance certificate from the first item above. (Source: DFARS 252.204-7012(c)(1)(ii))
- Identify, isolate, and provide a copy of the malicious software in accordance with instructions from the Contracting Officer. (Source: DFARS 252.204-7012(d))
- Preserve and protect images of all known affected information systems and all relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report, to allow DoD to request the media or decline interest. (Source: DFARS 252.204-7012(e))
- Provide DoD, upon request, with access to additional information or equipment necessary to conduct a forensic analysis. (Source: DFARS 252.204-7012(f))
- If DoD elects to conduct a damage assessment, provide all of the damage assessment information gathered under the media preservation and protection provisions of DFARS 252.204-7012(e). (Source: DFARS 252.204-7012(g))
- When providing information, to the maximum extent practicable, identify and mark attributional and proprietary information so that DoD can safeguard it. This matters because information obtained under this clause may be used and released outside of DoD for the purposes and activities authorized by DFARS 252.204-7012(i) and “for any other lawful Government purpose or activity,” subject to the restrictions on the Government’s use and release of such information in DFARS 252.204-7012(j). (Source: DFARS 252.204-7012(h))
- Conduct activities under this clause in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data. (Source: DFARS 252.204-7012(k))
- Include the substance of this clause in all subcontracts, including subcontracts for commercial items, and require subcontractors to rapidly report cyber incidents directly to DoD and to the prime contractor. (Source: DFARS 252.204-7012(m))
Ramifications for Failing to Employ Adequate Security

A cyber incident reported by a prime contractor or subcontractor shall not, by itself, be interpreted as evidence that the prime contractor or subcontractor has failed to provide adequate security on its covered contractor information systems (DFARS 204.7302(d)). That does not make noncompliance cost-free. DFARS 252.204-7009(b)(5) provides that a breach of the obligations and restrictions governing the use and disclosure of third-party reported cyber incident information may subject the contractor to criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States, and to civil actions for damages and other appropriate remedies by the third party that reported the cyber incident, as a third-party beneficiary of that clause.
For more information on achieving compliance with the new regulations or submitting comments, you may contact the author, Bill Wagner. Bill holds the CIPP/G, CIPP/US, and CPCU designations, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability and on Electronic Document Retention and Production, and serves as a Steering Committee Member of DRI’s Government Enforcement and Corporate Compliance Committee.