DoD Contractors: December 31st Compliance Deadline New Cyber Regulations
All DoD contractors, of every size and at every level of the defense industrial base, are subject to the new cyber DFARS regulation and are required to comply with the 110 separate security requirements in NIST Special Publication (SP) 800-171 by no later than Dec. 31, 2017. The DFARS also requires reporting of cyber incidents to DoD within 72 hours of discovery.
Here’s Why It Matters: Consequences Of Your Non-Compliance
There’s a lot at stake for companies facing the looming DoD cyber compliance deadline.
Eligibility for new DoD prime contracts/subcontracts may depend upon your ability to demonstrate “adequate security”. Some DoD components will evaluate your system security plans in contract selection decisions. Solicitations may require that you represent you now satisfy all security requirements.
Also, when a company reports a cyber incident – as is required – DoD can respond with an investigation, assess DFARS compliance and evaluate whether your cyber controls were adequate.
The challenge is to do what the regulations require without spending too much or doing the unnecessary. Without an informed understanding of the complex DFARS requirements, a sound security strategy and implementation plan, and ongoing mitigation, your DoD business could be in jeopardy.
Here’s How To Protect Your Contracts and Your Company
To ensure your compliance before December 31st, we recommend that you:
• Know where you have “Covered Defense Information” (CDI) subject to the regulation
• Analyze how the DFARS applies to your business situation
• Assess your present security to identify gaps against NIST requirements
• Prepare and document your System Security Plan (SSP) and Plan of Action (POAM)
• Satisfy higher-tier customers that you will fulfill “flow down” cyber obligations
• Resolve issues as needed with Contracting Officers and other DoD officials
• Prepare, document and test your Incident Response Plan (IRP)
The law firm of Rogers Joseph O’Donnell, P.C. (RJO) can guide you to compliance using a modular approach tailored to your unique needs and budget. RJO’s Cyber Compliance Service consists of separate elements, which can be provided in series or individually. Our intent is to expedite your ability to demonstrate compliance, to mitigate cyber risk and save you time and expense by avoiding unnecessary measures. (For many contractors, these compliance costs will be recoverable on government contracts.)
Here’s what the service offers, and below you’ll see how it can be customized to your needs:
- Preliminary Assessment. Map your DoD business and objectives; identify contracts and CDI subject to the DFARS; resolve issues of how DFARS and NIST apply to your situation; compare present security to DFARS requirements; outline alternatives.
- Assist in DFARS security strategy. Assist in your review of gaps vs. NIST requirements; recommend resources and methods (as needed) to improve hardware, software, policy, process or procedure; review third party recommendations; aid in enterprise security strategy.
- Documentation review and preparation. Assist to prepare and enhance necessary documentation, e.g., self-assessment, SSP, POAM, IRP – so you can demonstrate compliance.
- Government coordination and support. Help to prepare and present positions to Contracting Officers, Requiring Activities, DoD CIO, leveraging RJO’s experience and knowledge of Government organizations for issue resolution.
- Incident Response Counsel. Assist your readiness to identify and act upon cyber incidents; document response assignments, plans and actions; test organizational incident response. (Work of outside legal counsel in incident response may be protected by the attorney-client privilege.)
Why Do I Need RJO for This?
You should use in-house resources, of course, and consultants can provide valuable assistance. However, RJO brings value difficult to duplicate through other resources:
- We are experts in how to interpret and apply the complex DFARS regulation.
- Our analysis is recognized and respected in government and industry.
- Our experience means you benefit from prior assignments and from faster response.
- We apply our regulatory expertise and cyber knowledge for least-cost, prompt solutions.
Leading our effort is Bob Metzger, nationally recognized as a leading expert in cyber regulations and government contract law. You can review RJO cyber and supply chain publications here and listen to Bob’s recent Federal News Radio interview. We aim to save you time and money by focusing on what matters, and telling you what doesn’t. We won’t recommend “gold-plated” answers or long-term third-party involvement. Our objective is to provide you with a clear roadmap to meet the compliance deadline and sustain security.
If you are late in starting, we can help you to rapidly reach sufficient compliance by the 12/31 deadline. We can help even after the compliance deadline passes.
Here’s What To Do Next
Every DoD contractor and subcontractor is different. To begin, call or contact RJO to discuss your situation and objectives. The initial conversation is without charge or obligation.
If you agree, the next step is to schedule a Preliminary Assessment – a prompt, fixed-fee review, which concludes with documented observations and recommendations. You then decide whether, when and how RJO should assist you further.