Dec. 31, 2017 should be an important date for Department of Defense contractors, since by that date you will be expected to be following the cybersecurity requirements of the National Institute of Standards & Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Although this deadline specifically applies to the DOD, all federal contractors should be familiar with the NIST standards for Non-Federal Organizations, since every federal agency expects that its contractors will have an adequate security policy in place.
The information covered is not classified, but it may be considered sensitive; it is the type of business information that a company would keep confidential. The NIST publication sets out requirements in the following areas:
- Access Control
- Awareness And Training
- Audit And Accountability
- Configuration Management
- Identification And Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System And Communications Protection
- System And Information Integrity
The requirements are logical, and the NIST publication breaks each category down into “Security Requirements” that every organization should be meeting in any case. For example, under category 2, Awareness and Training, the Basic Security Requirements list the following:
- Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
- Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
- Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the source of the December 31, 2017 requirement. While the NIST document includes incident response requirements as part of its standards, DFARS 252.204-7012 also makes explicit that security breaches (“cyber incidents”) must be rapidly reported to the Department of Defense.
DOD contractors must have their systems in place to follow these requirements by year end. But other federal contractors should be ready as well.
About the Author
Theodore Banks, Partner at Scharf, Banks, Marmor LLC, concentrates his practice on antitrust, compliance, food law, and other corporate matters. Mr. Banks has extensive experience with corporate litigation, including responsibility for contested mergers, environmental contamination, advertising, insurance coverage, products liability, employment law, consumer protection, and packaging and recycling. He has a national reputation for work in corporate compliance and antitrust, and was an early proponent of corporate opt-out suits as plaintiff in antitrust litigation, such as Vitamin, Carbon Dioxide, Corrugated Container, Folding Carton, and Citric Acid Antitrust Litigation, recovering more than $100 million. Through his experience in all aspects of the food industry, Mr. Banks has deep familiarity with the regulatory frameworks and state and federal laws governing food manufacture, distribution, sales, and safety.