Cybersecurity Compliance Deadlines Are Approaching
Entities contracting with the Department of Defense (DOD) face a December 31, 2017 deadline to comply with modified DOD cybersecurity requirements. The modified requirements impose heightened reporting obligations, which require investigation and rapid reporting of a cyber incident.
By the end of 2017, contractors may have to take preventative measures to protect certain data and national security networks from exposure to attacks. Now is the time to put an action plan in place.
A year ago, DOD adopted a final rule supplementing the regulations that govern the storage, governance, and protection of government data held by private entities in possession or control of that data. The new rule, found at 81 CFR 72986, amends previous regulations governing certain cyber information and cyber incident reporting.
Required Precautions
The supplemented regulations impose a December 31, 2017 deadline to comply with certain technical requirements, depending on the mechanics of the contract, specifically whether the IT systems at issue are operated on behalf of the government and whether cloud-computing services are provided:
- Where the IT system is operated on behalf of the government, and cloud-computing services are provided, Defense Federal Acquisition Regulation Supplement 252.239-7010 will apply.
- Where the IT service is not provided on behalf of the government, contractors must implement National Institute of Standards and Technology’s Special Publication 800-171.
Rapid Reporting
The amended rule requires contractors to investigate and “rapidly report” a cyber incident involving a covered information system or certain defense information within 72 hours of the discovery of the incident.
Subcontractors
To the extent subcontractors gain access to information or systems covered by the regulation, they too must comply with the relevant DOD requirements. Subcontractors must report any incident directly to DOD. Both subcontractors and contractors must self-report any incident.
Conclusion
While all entities possessing sensitive data or using networks that provide access to such data must exercise diligence in preventing cyber attacks and complying with applicable laws and regulations, entities contracting with the DOD or the government generally must take particular care to ensure compliance with heightened standards. Woods Rogers has significant experience in guiding businesses through ever-changing regulations and laws governing cybersecurity and mitigating losses and damage when the worst happens.