There are several helpful resources for contractors looking to comply with the National Institute of Standards and Technologies Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” To help contractors meet the requirements, NIST recently issued NIST Handbook 162, entitled “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements.” The Handbook provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in
Continue Reading NIST SP 800-171 Resources for Government Contractors
Selling Software to the Government: Four Cybersecurity Lessons from a Failed DoD Bid Protest


A recent GAO decision denying a contractor’s protest because of cybersecurity concerns offers contractors four lessons on how to avoid making the same mistakes.
I. Background Facts and Decision
Syneren Technologies Corporation was one of 20 contractors who responded to a Navy RFP to award an ID/IQ contract for IT systems and software to support human resource operations involving a variety of business enterprise services. The work was to be performed at a government facility and involved DoD and Navy…
DSS Directs Federal Government Contractors to Stop Using Products Made by AO Kaspersky Lab

You may have heard news recently that federal government agencies were directed to stop using products made by the computer security vendor Kaspersky Lab because of potential security risks from links between Kaspersky officials and the Russian government. The directive was issued by the U.S. Department of Homeland Security (DHS) Secretary Elaine Duke on Sept. 13, 2017.
Kaspersky products have broad access to files and elevated privileges on the computers on which they are installed. As a result, the DHS…
DHS Proposed Rules Cover Privacy Training, IT Security Awareness Training and the Safeguarding of CUI


In January, we wrote about the new training requirement for employees who handle personally identifiable information (“PII”) or who build systems containing PII. On the same day that rule went into effect, Jan. 19, 2017, three related Department of Homeland Security (“DHS”) proposed rules were published in the Federal Register covering mandatory privacy training, information technology (“IT”) security awareness training, and the safeguarding of controlled unclassified information (“CUI”). Comments on all three proposed rules are due on Monday, March 20,…
DoD’s New Cybersecurity Regulations: How to protect yourself when a Government support services contractor wants to inspect your data and devices


The US Department of Defense’s (DoD) new cybersecurity regulations require defense contractors to cooperate with Government support services contractors investigating a “cyber incident that affects a covered contractor information system or the covered defense information residing therein or that affects the contractor’s ability to provide operationally critical support.” DoD’s Defense Industrial Base Cybersecurity Activities Final Rule, 32 CFR 236.4(b), (m)(5) (effective Nov. 3, 2016); Response to Public Comments, 81 FR 68312 (Oct. 4, 2016).
It doesn’t take much imagination to…
Will the New DoD Cybersecurity Regulations Cause a New Wave of Protest Disputes?
The new DoD cybersecurity regulations require contractors to implement the security requirements specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than Dec. 31, 2017. DFARS, 252.204-7008(c)(1).
However, a contractor may propose to vary from the NIST SP 800-171 requirements under two circumstances. Under DFARS 252.204-7008(c)(2), a contractor may propose to vary from the security requirements specified by NIST SP 800-171 through a…
Webinar Replay Now Available on the New Defense Department Cybersecurity Rules
The U.S. Department of Defense published its Network Penetration Reporting and Cloud Computing Services regulations as an interim rule in August 2015 and updated them in December 2015. Watch this new webinar replay at your convenience to learn about the regulations, how they may impact your business, and the concerns of industry groups. Click HERE to watch the webinar in its entirety.
Checklist for Complying with the DoD Contracting for Cloud Services Regulations

This is the fourth post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post provides a compliance checklist for contracting for cloud services regulations relating to the new DoD cyber security regulations and also details the ramifications for failure to comply…
Checklist to Comply with the Duties and Obligations of the Network Penetration Reporting Regulations

This is the third post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post provides a handy compliance checklist relating to the new DoD cyber security regulations.
- Acquire a DoD-approved medium assurance certificate to report cyber incidents. (Source: DFARS 252.204-7012(c)(3))
- Provide
New Key Terms for DoD’s New Cyber Security Regulations

This is the second post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post defines key terms relating to new DoD cyber security regulations.
The regulations introduce several new key terms. Some of the terms appear vague and may impose more…