Of all the U.S. federal agencies, the U.S. Department of Defense (DoD) works with government contractors more than any other. During the 2017 fiscal year, the DoD awarded roughly $320 billion in contracts, more than all of the other federal agencies combined. Contractors looking to secure business with the DoD, however, must play by a stricter set of rules than those of other agencies, particularly when it comes to handling unclassified DoD data. These rules, found in the Defense Federal Acquisition Regulation Supplement (DFARS), describe the specific standards private-sector contractors must follow in order to implement compliant data security safeguards when working on DoD projects. Failing to meet these cybersecurity standards can result not only in lost business, but also in potential civil and criminal penalties.
DFARS 252.204-7012 specifically requires DoD contractors and their subcontractors to take adequate security measures to protect any “covered defense information” they receive from the DoD. This information includes anything the DoD marks or otherwise identifies in the parties’ contract and provides to the contractor for use in performing the contract. It also includes any such information the contractor develops, receives, collects, uses, or transmits over the course of contract performance. In either case, private-sector contractors must protect this information in compliance with NIST SP 800-171. This standard, published by the National Institute of Standards and Technology, dictates how contractors are required to handle Controlled Unclassified Information (CUI), which is described in more detail in the National Archives’ CUI Registry. It requires contractors to maintain a system security plan that addresses fourteen families of security requirements, including access control, identification and authentication, audit and accountability, and system and information integrity.
DFARS also requires contractors and subcontractors to follow stringent cyber incident reporting and response requirements. When they discover a cyber incident that affects a covered contractor information system, the covered defense information residing on it, or their ability to perform operationally critical support under the contract, contractors must conduct a review of their information systems for evidence of compromise and rapidly report the incident to the DoD, which the clause defines as within 72 hours of discovery. To submit the report, they must have a DoD-approved medium assurance certificate; at the time of writing, guidance on obtaining one was published through the Information Assurance Support Environment (IASE). Contractors and subcontractors that are able to isolate malicious software must also submit it to the DoD for analysis, and they must preserve images of all known affected systems, along with relevant monitoring data, for at least 90 days from the submission of the incident report so that the DoD can request them for subsequent review. Contractors must also be prepared to provide damage assessment information to the DoD upon request.
Organizations that fail to meet DFARS’ security requirements could face criminal, civil, administrative, and contractual liability. They may also be liable to third-party beneficiaries of their government contracts. Contractors are not, however, required to build or upgrade on-premises IT systems of their own to achieve DFARS compliance. DFARS allows contractors to store, process, or transmit covered defense information using cloud computing solutions and managed service partners, so long as those providers meet the security requirements of the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, or the equivalent, and comply with DFARS’ incident reporting, malicious software, media preservation, and access requirements. The contractor remains responsible for verifying that its providers actually satisfy these obligations, since the contractual liability stays with the contractor.