Additional Cybersecurity Regulations for Defense Contractors
A supplement to the existing Defense Federal Acquisition Regulation (DFAR) is coming up titled 252.204.7012: Safeguarding Covered Defense Information and Cyber Incident Reporting and goes into effect on December 31st, 2017. This gives contractors working with the Department of Defense (DoD) less than 30 days to become fully compliant. The regulation was first approved in October 2016 and outlines the specific rules and definitions of classified defense information, and the proper ways they should be handled.
The DoD has implemented improved cybersecurity standards in order to protect sensitive data and now mandates the same due diligence from its contractors. These additional security standards are coming in the form of an updated supplement outlining proper safety procedures, basic best practices, and requirements for training personnel.
DFARS 252.204.7012 is a mandate that contractors must abide by if they wish to continue working with government-sponsored security projects. Specifically, the legislation requires compliance with the National Institute of Standards and Technology's (NIST) Special Publication (SP) 171-800, which describes how to work with controlled unclassified information. In addition to fulfilling NIST SP 171-800, contractors will have to amend the way they store sensitive data and how they report a cyber incident.
WhiteHawk CEO, Terry Roberts, noted how these changes would affect smaller businesses, stating, "Small (and even some midsize) businesses are always at a disadvantage in understanding and meeting the growing number of government cybersecurity
related regulations and requirements, because of the complexity of solution and best practice space, the limited number of true experts who can help them, and their own limited resources. That is why we focus on enabling these companies upon which the U.S. government depends."
With a little less than two weeks until the compliance deadline, most companies will already be complying with the regulation. However, even if your company does not interact directly with the Pentagon, this supplement's requirements are good to follow as they improve your overall cybersecurity. For more information or for help implementing aspects of the regulation, please feel free to contact WhiteHawk Advisory Services or review WhiteHawk's compelling and actionable cybersecurity report on the Defense Industrial Base.