Key Information About DFARS Regulations

By Heather Engel, Sera-Brynn, Executive Vice President

This article is the sixth in a series about DFARS.

December 2017 seems like a long way off. It’s not.

While that’s the deadline imposed by the Department of Defense (DoD) to comply with new contractor regulations regarding safeguarding information, we recommend considering the Gen. George Patton approach: “A good plan violently executed right now is far better than a perfect plan executed next week.”

That’s because “next week” can become a plan extended in perpetuity … as in, “There’s always next week.”

Don’t put off what you can start now because as we all know, time has a way of getting away from us. It’s critical to plan for the deadlines imposed by DoD when it comes to cybersecurity, and we can help you with what can seem like daunting tasks.

Background on DFARS

In review from Parts I, II, III, IV and V of this DFARS series, it’s incumbent upon government contractors and subcontractors to comply with federal acquisition regulations (FAR). If you do business with the DoD, you must comply with the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 to safeguard controlled unclassified information (CUI) and report cyber incidents to the DoD Defense Industrial Base (DIB) portal at http://dibnet.dod.mil.

Relationship between DFARS 252.204-7008 and DFARS 252.204-7012

An interim DoD rule was used to amend DFARS 252.204-7008 (Compliance with Safeguarding Covered Defense Information Controls) and DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) in December 2015 to provide contractors additional time to implement the NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations) control requirements.

Contractors must comply with NIST SP 800-171 controls and requirements as soon as practical but not later than Dec 31, 2017. This is gentle encouragement to get started now.

If a contractor is awarded a contract by the DoD, the contractor must identify the security requirements and controls that are not implemented at the time of award and submit this information to the DoD CIO (osd.dibcsia@mail.mil) within 30 days. So at a minimum, any new contract award requires your organization to have completed a gap analysis so that you know where you stand.

Alternatively, the contractor may use equally effective security measures to compensate for the inability to satisfy a particular requirement, provided the measures achieve equivalent protection and are accepted in writing by an authorized representative of the DoD CIO. The status of control implementation provided by the contractor allows the DoD to monitor progress, classify trends in the implementation of the requirements, and identify any issues that may require clarification or adjustment.

The key takeaways

Here’s the key takeaway from the Sera-Brynn perspective: There are consequences — potentially serious ones — for contractors and subcontractors dealing with a cyber breach. Subtract the element of compliance for a moment, and recognize that a data breach costs a lot of money. Incident response, forensic analysis, system upgrades, downtime, and resources all present a burden that can be avoided. Compliance does not equal security, so if for no other reason than to protect your intellectual property, it makes sense to consider cyber as part of an overall risk management strategy.

While contractors and subcontractors have additional time to implement the security standards by the December 2017 deadline, most will not be compliant at first pass. You will need to invest time and resources, and perhaps budget for new equipment. Planning to do this now gives you flexibility in budgeting and cost pool allocation while allowing time to phase in changes that will enhance security maturity.

If you have questions, feel free to reach out to us. We can help with strategic planning and long-term risk management of your DoD contracts.

About Heather Engel

Heather Engel is a Fully Qualified Navy Validator, which requires credentials that include: advanced certifications in Information Assurance; a minimum of five years performing Certification and Accreditation on Navy systems; additional training in systems management, systems certification and risk analysis; and demonstrated knowledge of Navy IA policies and the responsibilities of a Navy Validator. Engel provides risk management and business intelligence to Sera-Brynn clients across a wide variety of industries, bringing more than 15 years of experience in risk and compliance system integration, disaster recovery, security policy, and security testing and evaluation.