DoD Issues New FAQs on Cybersecurity Compliance


Although DoD remains on the cutting edge of cybersecurity protections in the government contracts world, it continues to hone and refine that edge. Recently, DoD issued an updated frequently asked questions (FAQ) page for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The new FAQs address many, but not all, of the types of questions many contractors found themselves asking after the October 21, 2016 final rule came out. Key clarifications in the FAQs include:

  • Clarifying which version of the clause applies to contracts that have been in performance while the clause underwent several revisions
  • Reinforcing the scope and strength of flow-down requirements (i.e., “if a subcontractor does not agree to comply with the terms of [the clause], then covered defense information [“CDI”] should not be on that subcontractor’s information system”)
  • Explaining the relationship between CDI and information included in the National Archives and Records Administration (“NARA”) controlled unclassified information (“CUI”) program and the circumstances under which certain classes of data (e.g., export control data) may be considered CDI
  • Elaborating on DoD’s procedures for granting a variance from required NIST 800-171 controls

The FAQs also dedicate several questions specifically to the implementation of NIST 800-171 controls, discuss how DoD may evaluate an offeror’s compliance with the DFARS clause and NIST 800-171 during the source selection process, and offer some guidelines for small businesses facing the new requirements with limited resources. While the FAQs themselves do not have the force of a law or regulation, they provide a good indication of how DoD agencies intend to administer the clause, and contractors can rely on the FAQs to get a sense of how DoD expects them to comply. Contractors should keep in mind, though, that this is at least the third version of the FAQs, and they may change again.

Written by: Kilpatrick Townsend & Stockton LLP
