Suppliers on defense contracts are worried about how they will meet a new cybersecurity regulation that goes into effect at the beginning of next year. The regulation applies not just to defense contractors but any company that supplies items on defense contracts, except when the contract is solely for commercial off-the-shelf (COTS) components.
Few would disagree that the cybersecurity of U.S. companies in general needs fixing (think: Equifax). Even fewer could argue against improved protection of sensitive information in the defense industry supply chain. In May of this year, for example, sensitive files of a large contractor were found on a publicly accessible Amazon cloud. In October, Australian officials said a hacker stole information on defense programs by breaching the network of a small contractor.
But the devil is in the details. Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, which takes effect January 1, 2018, requires “covered defense information (CDI)” and “covered unclassified information (CUI)” that is generated, stored or transmitted through a contractor’s system to comply with 110 security processes and protocols outlined in Special Publication 800-171 of the the National Institute of Standards and Technology (NIST), titled, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations . The regulation requires contractors to report a cyber incident to the Department of Defense (DOD) within 72 hours, and to preserve and provide related information and documentation. It also requires prime contractors to flow these security and reporting requirements down to all subcontractors.
The biggest worry is a lack of definition for the terms CDI and CUI. Both prime contractors and subcontractors say they don’t know for sure what information will be covered. One law firm’s slide deck said that CDI means “unclassified controlled technical information or other information described in the Controlled Unclassified Information (CUI) registry published by the National Records and Archives, [and information that] requires safeguarding or dissemination controls and is marked or otherwise identified in the contract or is collected, developed, received, transmitted, used, stored, etc. by the contractor.”
Got that? No wonder companies want prime contractors to specify exactly what information in each contract is covered by the requirements. It’s not clear whether primes will do that. “If the contracting officer does not clearly identify CUI, then who is on the hook?” asks a white paper published by IT company DXC Technology.
What’s more, although the security requirements may apply only to certain types of information, they will impact a company’s entire information technology infrastructure, including any cloud-based services it uses to store or process information. And they apply even if only a small amount of business is DOD-related.
Most contractors aren’t ready. “Anecdotal evidence suggests that the majority of covered contractors will not meet the December deadline and need more time,” said a newsletter by law firm Wiley Rein LLP. “In theory, this could create a situation in which many contractors would be in breach of DFARS clause 252.204-7012 after the ball drop ushers in New Year’s Day.”
DOD acknowledges that contractors may not meet all requirements by the deadline. In guidance it recently issued, it said contractors should at least have in place a system security plan; a plan of action for how and when any unimplemented requirements will be met; and a statement of how and when they will correct any deficiencies and eliminate/reduce any vulnerabilities of systems.
Still, the sooner companies comply, the better. Both commercial and government suppliers risk damaging their reputation and losing the goodwill of their customers, ala Equifax, if a breach of their system results in the leak of sensitive information. And for contractors that conduct substantial business with the DOD, compliance could tip contract-award decisions in their favor.
“The [DOD] guidance suggests that DOD contracting [officials] consider making implementation of the cybersecurity protections a mandatory condition for award,” said the Coalition for Government Procurement. “The consistent theme of the guidance is the position of cybersecurity protections in DOD’s award decisions. Contractors with exemplary cyber policies and practices can expect a competitive advantage.”