Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 goes into effect on December 31, 2017. This “Cyber Clause” applies to most companies that do business directly with the Department of Defense as well as subcontractors and vendors. The Cyber Clause applies to Covered Defense Information (CDI), which is broadly defined to include almost all nonpublic information. If the Cyber Clause applies to your work your information system that contains CDI, must be compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Rev. 1. For all contracts awarded prior to October 31, 2017, contractors are required to notify the government of any security requirements specified by NIST SP 800-171 that were not implemented at the time of award. When a contractor discovers a cyber incident that affects a covered contractor information system or CDI the contractor must analyze the incident and rapidly report the incident to the government. To avoid or reduce the cost of compliance you need to determine as soon as possible whether a contract includes CDI. This should be done at the pre-bid stage and continue after contract award. Once you determine the scope of the identified CDI you can evaluate which steps to take for compliance. These may include: (1) Bringing your entire information system into compliance — likely the most costly method; (2) Disputing the identification of the CDI to reduce its scope; (3) Proposing alternative less costly security measures; (4) Establishing a segregated in-house information system that is NIST compliant; and, (5) Adjusting your prices and rates to account for the cost of compliance. In almost every circumstance compliance will be costly and time-consuming, but the penalty for non-compliance could be substantial. For more information, please contact the authoring attorney.
