In 2017, the government sought additional protection for unclassified defense information residing on contractor information systems by enforcing regulations in the Defense Federal Acquisition Regulation Supplement (“DFARS”). These regulations are referred to as “Safeguarding Covered Defense Information and Cyber Incident Reporting,” or DFARS 252.204-7012. They affect anyone who holds a contract with the Department of Defense (“DoD”) that involves storing, processing or transmitting defense information.
The government’s purpose in implementing these requirements was to ensure the security of a contractor’s proprietary information and of any covered defense information (“CDI”). CDI is defined as unclassified controlled technical information, or other information requiring safeguarding under law, regulation or government-wide policy, that is either marked or otherwise identified in the contract and provided to the contractor by or on behalf of the DoD, or collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract. The clause is included in all DoD solicitations and contracts, including those for commercial items, but not in acquisitions solely for commercial off-the-shelf (“COTS”) items.
One of the major differences between this version of the clause and its predecessors is the mandated compliance with National Institute of Standards and Technology Special Publication (“NIST SP”) 800-171. The DFARS required defense contractors to implement the NIST SP 800-171 security requirements as soon as practical, and no later than December 31, 2017, and to maintain them thereafter. A contractor that operates a cloud service on the DoD’s behalf is instead covered by the DFARS Cloud Computing Services clause (DFARS 252.239-7010); a contractor that uses an external cloud service provider to store, process or transmit CDI must require that provider to meet security requirements equivalent to the FedRAMP Moderate baseline and to comply with the clause’s cyber incident reporting obligations. In implementing these provisions, the DoD was not trying to force contractors to rebuild their systems from scratch; it expected contractors to modify their existing systems to comply.
Not only is it the contractor’s burden to ensure it follows the required procedures, it must also ensure its subcontractors follow them, because the clause must be flowed down to any subcontract whose performance will involve CDI. Contractors that want to err on the side of caution should limit the amount of defense information they release to subcontractors: the less CDI a subcontractor has access to, the less likely the information is to be exposed. However, the clause recognizes that in some circumstances subcontractors may need a substantial amount of CDI to complete a job, which is why it does not restrict what they can and cannot know. If subcontractors must have CDI, contractors are advised to monitor the subcontractors’ activities closely and to explain the DFARS requirements to them thoroughly. Contractors may also want to mark documents and materials containing CDI so that subcontractors are aware of the sensitive or proprietary information within and can handle it accordingly.
If a contractor fails to follow the provisions of the clause, it risks losing an awarded contract, liability under the False Claims Act, a bid protest, suspension, debarment, and termination for default. The regulation does not, however, prescribe how the DoD must monitor a contractor’s conformity, leaving the government discretion in how it assesses compliance. Contractors should nonetheless be cautious: once the December 31, 2017 deadline has passed, the requirements are binding terms of their respective contracts, and failure to meet them can be alleged as a breach of contract.