DoD Cybersecurity Regulation – What Happens Next?

I was fortunate enough to be able to interview Steve Britt, Partner & Director of Cybersecurity at Berenzweig Leonard LLP located in Tysons Corner, Virginia. Steve has extensive experience in the cybersecurity area. If you have questions on this topic, please contact Steve directly at sbritt@berenzweiglaw.com or 703.570.8010.

Karen: Steve, tell us a bit about Berenzweig Leonard and your personal background.

STEVE: Berenzweig is a government contracts and employment law firm. I served in 4 different Federal Agencies in prior Administrations and, since then, have practiced corporate & technology law. I spend about 50% of my time these days on cybersecurity law.

Karen: Now that DoD’s Network Penetration Clause is in effect, what should government contractors be doing?

STEVE: Well, let’s set some context as this subject is very complex.

• DFARs 52.204-7012 creates a new definition of “Covered Defense Information” and sets rules for the protection of that data and the systems that store it.
• Contractors must satisfy NIST S.P. 800-171 if they hold this data and are subject to this clause.
• The clause flows down to lower tier subcontractors and requires all contractors to protect this data and report cyber incidents to DoD within 72 hours of discovery.
• These requirements became effective on 12-31-17.

Karen: What contractors are covered by this regulation?

STEVE: This clause has been incorporated into all DoD contracts that involve the handling or development of Covered Defense Information. It also applies to all information systems that process or store such data.

Karen: So must every covered contractor now be in compliance with NIST-171?

STEVE: Well, yes and no. Every covered contractor must have taken steps to implement the NIST requirements but they are not required to have completed them. There are 110 controls and DoD recognizes that the entire compliance process takes time.

But what the contractor must have done is prepare a System Security Plan (SSP) that analyzes their entire network against those standards and created a Plan of Action for how to correct its network deficiencies and vulnerabilities.

Contractors must not leave themselves vulnerable to not having made a good faith effort to comply and a comprehensive SSP is the starting place.

Karen: Do we know how DoD will enforce these requirements?

STEVE: Well, in the event of an actual data breach – which may occur in the systems of either your prime or a lower tier subcontractor — all contractors in that supply chain can expect to be audited. A key issue will be the status of the contractor’s compliance with this clause. We can expect bad actors to get burned.

The Department has also made clear that it may condition future solicitations on the contractor’s compliance with these cybersecurity requirements as part of the source selection process. Most of the large primes have already been taking these issues into account in the selection of teaming partners all year.

Karen: OK, so it has to be done. How expensive is this for small companies?

STEVE: Well, expense must be taken in context, since being on the wrong side of this issue could put you out of business – or at least out of Federal government business.

But DoD recognizes that security is a process and not an event. So compliance has to fit into a reasonable budget, though the contractor is expected to properly prioritize and devote adequate
resources to compliance.

A contractor needs to get an assessment of its network and determine what data it is holding and how. It has to assess – and continuously monitor – its operational vulnerabilities, from unpatched software to access control.

But there are good options in these areas that will get you started and not put you out of business. But contractors must not trap themselves by thinking compliance can be avoided. The legal and regulatory environment is evolving and becoming more complex every day and this requirement will not go away.

Karen: That is helpful. Can we expect more cyber regulations this year?

STEVE: Yes. This past January, GSA published its semi-annual regulatory agenda and announced 2 sets of cyber rule makings (April & August this year). These GSAR rules will mandate that contractors protect unclassified GSA information and information systems. Both will mandate compliance with NIST 800-171.

We also expect a new FedCiv rule to implement Controlled Unclassified Information cyber requirements. So this will be another busy year for cyber.