Securing DoD Contractor Information Systems – Are You Ready?
This past year, the US Government implemented significant policy changes that impact DoD Government contractors with how they protect their own internal networks and compete for DoD contracts.
Attacks to information systems can range from denial of service, espionage, manipulation of data, and more. Cyber criminals and hackers are actively seeking to compromise systems related to US Government activities. In the wake of multiple large “hacks” in US Government systems, and after many years of debating security controls, DoD Contractors are themselves being held to higher cybersecurity requirements. There is a deadline looming that mandates cybersecurity changes in US Government DoD contractor systems.
Dates to know:
December 30, 2015 – DoD amended the Defense Federal Acquisition Regulation Supplement (DFARS) concerning Controlled Defense Information (CDI).
- DFARS 252.204-7008 Compliance with Safeguarding and CDI Controls
- DFARS 252.204-7012 – Safeguarding CDI and Cyber Incident Reporting
December 31, 2017 – DoD Deadline to fully implement all NIST SP 800-171 controls on contractor information systems.
- NIST SP 800-171 provides guidance in the protection of Controlled Unclassified Information (CUI) in nonfederal information systems and organizations
- NIST SP 800-171 defines categories of security requirements of all information assets covering people, process, and technology to include suppliers and vendors
These requirements will be added to some existing and all new contract clauses, including solicitations. These rules apply to ALL contractors with Covered Defense Information transiting their information system. Demonstrating compliance to the DoD CIO is mandatory.
This is just a high-level overview. There are other changes that have occurred this year for ALL US Government contractors, and other existing rulesets for cybersecurity compliance still apply. Achieving and demonstrating cybersecurity compliance is essential to compete and win DoD (and other) Government Contracts.
Understanding these new changes, and the impact to your organization, can be tough work. If you need assistance understanding what is required, how to crosswalk all the regulations, where does your company stand, what work needs to be done and how much will it cost, let us know.
- We look at your unique situation and provides solutions tailored to your budget and requirements.
- We are NOT “sales-driven” so we don’t work under any pressure to “up-sell” you beyond your needs.
- We don’t apply a vendor-specific solution to your gaps, rather we work with you to find the optimal solutions to help you reach compliance
Help your organization be prepared well in advance of that looming deadline. Contacting us is easy- just drop us a line at email@example.com.
(Don’t worry, we won’t add you to a spam list – we don’t like that either)
This information is not intended as legal advice.
- NIST SP 800-171: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8 00-171.pdf
- Federal Register – DOD implementation: http://www.gpo.gov/fdsys/pkg/FR-2015-08-26/pdf/2015- 20870.pdf
- Federal Register – DOD implementation (Amended): https://www.gpo.gov/fdsys/pkg/FR-2015-12-30/pdf/2015- 32869.pdf
- Controlled Unclassified Information: https://www.archives.gov/cui/
- DOD – Safeguarding Covered Defense Information and Cyber Incident Reporting: http://www.acq.osd.mil/dpap/policy/policyvault/USA005505-15- DPAP.pdf