Deadline For DFARS Cybersecurity Compliance Approaching

Jonathan DeMella
Davis Wright Tremaine LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Last week, I spoke in Portland, Oregon about cybersecurity requirements for federal contractors at an all-day seminar hosted by the Pacific Northwest Defense Coalition.  Speakers from the Department of Defense, the FBI, and consultants specializing in cybersecurity compliance offered interesting and (sometimes different) perspectives on compliance, which led to candid and robust discussion.  Many thanks to Kate Kanapeaux and PNDC for having me.

“ As was again made clear by DoD last week, it is the Government’s expectation that defense contractors will be in compliance with DFARS 252.204-7012 by the end of the year. 

This is no small undertaking, and will require thoughtful study of key documents such as NIST SP 800-171 and NIST SP 800-053.  I would recommend that federal contractors take advantage of resources offered by DoD (e.g., DoD’s “cybersecurity procurement toolbox”), as well as review the memorandum issued from the Office of the Undersecretary of Defense just last month.  This memorandum, which is titled “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” is directed to Government acquisition personnel.  It nevertheless offers an insightful perspective regarding the DoD’s expectations for contractor compliance, and highlights the significance of documenting a contractor’s implementation and planned implementation of NIST SP 800-171 security controls.  It also discusses the various means by which contractors can expect to see cybersecurity requirements incorporated within the source selection process.  This includes, for instance, including unique cybersecurity requirements within proposal instructions and evaluation specifics (sections L and M of the solicitation), establishing compliance with regulatory requirements (e.g., DFARS 252.204-7012) as a separate technical evaluation factor, requiring that proposals identify any security controls that will not implemented at the time of award (an interesting if not risky proposition), and identifying in the solicitation that all security requirements in NIST SP 800-171 be implemented at the time of award.

We welcome your thoughts and comments.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP
Davis Wright Tremaine LLP
Contact
more
less

Davis Wright Tremaine LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide