12/31/17 – The deadline by which contractors and subcontractors that handle covered defense information must have implemented the NIST SP 800-171 security requirements called for by DFARS clause 252.204-7012 (the companion solicitation provision, 252.204-7008, is where an offeror represents that it will do so). After this date, firms that have not implemented the requirements risk losing existing defense work and being passed over for new awards. Note that this is a contractual self-attestation of compliance, not a certification: no third party certifies a contractor under these clauses.
10/1/17 – For contracts awarded before this date, contractors and subcontractors must notify the DoD Chief Information Officer (CIO), within 30 days of contract award, of any NIST SP 800-171 security requirement that was not implemented at the time of award.
These regulations cover cyber incident reporting and the protection and dissemination of information related to government work that falls into the category of Controlled Unclassified Information. Let’s pick this language apart:
- Unclassified information: information that is not subject to the government’s national security classification system and so is often “unmarked”.
- Controlled information: unclassified information that still requires safeguarding or dissemination controls consistent with laws, regulations and government-wide policies.
“Before entering into any government contract or subcontract, companies should be acutely aware of any applicable cyber or IT requirements and assess whether they have any compliance gaps.” (Pepper Hamilton, LLP)
The required safeguards are documented in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Revision 1 lays out 110 security requirements (the original 2015 edition listed 109; Revision 1 added the requirement to maintain a system security plan). The requirements are grouped into 14 families, each touching a different technology or policy area:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
The process to become compliant starts with a gap analysis against the 110 requirements and a remediation plan for each deficient area. It also involves documenting the controls and the supporting IT policies, typically in a system security plan and plans of action for any open items. Once the controls and documents are in place, businesses must monitor them for operating effectiveness; a control that exists on paper but is not actually performed is a gap. If a requirement does not apply to the services provided, or the contractor uses an alternative but equally effective measure, the contractor explains why in writing and submits it through the contracting officer for approval by the DoD CIO. The requirement is not simply waived by the contractor.
The DFARS requirements apply whenever the clause is included in the contract or the work involves Controlled Unclassified Information (CUI). This includes even the smallest subcontractors in the defense supply chain if they have access to CUI, because prime contractors must flow the clause down. It also reaches any cloud provider used to store or process CUI on a defense contract: under the clause, a cloud service used for that purpose must meet security requirements equivalent to the FedRAMP Moderate baseline and must itself support the cyber incident reporting obligations.
For these contracts, CUI is unclassified information that is provided by or on behalf of the Department of Defense in connection with performance of the contract, or that is collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the contract. The definition is broad and can cover technical, administrative or operational information. It falls into the following four categories:
- Controlled technical information
- Critical information (in the operations security sense)
- Export-controlled information
- Any other information marked or otherwise identified in the contract as requiring safeguarding or dissemination controls
By now, most businesses with government contracts should be well on their way toward finishing the first two steps:
- Conducting a gap analysis to determine how their current situation differs from the standard
- Creating a plan for remediation with dates attached to the completion of the improvements
Many of the key measures involve writing policy statements, assigning people to be responsible for them and communicating the policy to staff. Many items carry little hard-dollar cost and can often be done with internal resources. Policy templates are available from NIST and other websites. The technical items, such as multifactor authentication, audit logging and encryption of CUI at rest and in transit, are where most of the budget and schedule risk sits, so identify them early in the gap analysis.
Another good option is to attend Cybersecurity Compliance for Vermont DOD, GSA and NASA Contractors, a workshop being held by VMEC and Vermont PTAC on July 11 at the Williston campus of Vermont Technical College.
Also feel free to contact us with any questions you have when preparing for these requirements. Everyone here at NPI Technology Management is committed to helping the impacted manufacturers to meet this deadline.