Recent high-profile attacks on government agencies highlight the risks federal contractors are taking when they aren’t serious about protecting government information.
For Department of Defense (DoD) contractors, Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 imposes security safeguards and mandatory reporting requirements.
To demonstrate compliance with DFARS, companies must implement, document, and validate compliance with National Institute of Standards and Technology (NIST) Special Publication 800-171, and validate a process for investigating and reporting cyber incidents.
In October, experts from Sera-Brynn and Kaufman & Canoles provided an overview of standards, compliance, incident reporting, and potential consequences for non-compliance.
“Being able to identify and report cyber incidents that affect Covered Defense Information, or CDI, is critical for any company working with the DoD,” said Heather Engel, Sera-Brynn’s Executive Vice President for Risk and Compliance. “Having an incident response plan is vital for any organization, but DoD contractors should be familiar with the specific cyber reporting guidelines required under this clause.”
Cyber incidents must be reported within 72 hours of discovery, and subcontractors are required to report both directly to the government and up the contracting chain. Images of all known affected systems must be preserved for 90 days, and contractors may be required to grant DoD access for forensic investigation.
Chris Page, an attorney with Kaufman & Canoles specializing in Government Contracts, was upfront with participants about the consequences for non-compliance.
“This clause does not describe specific penalties for non-compliance,” he said. “The scope of responsibility and potential liability is uncertain, but could include criminal or civil action, negative past performance ratings, reduced profits or award fees, or termination of contract.”
Navigating the myriad and arcane federal contractor regulations can be daunting. Kaufman & Canoles and Sera-Brynn can help federal contractors with questions about cybersecurity and about adhering to and demonstrating compliance with government rules and regulations.
Sera-Brynn is a global Cyber Risk Management firm dedicated to helping clients secure their computing environments and meet applicable mandatory industry and government compliance requirements. Technology can no longer guarantee safety from data breaches, which is why Sera-Brynn focuses on the strategies all organizations and businesses must employ to protect themselves and their reputations after the inevitable data breach: specifically, compliance, insurance and response.
Ranked number 16 in the Cybersecurity 500 list of the hottest companies in the world, Sera-Brynn is the only PCI QSA in North America directly partnered with a $6 billion financial institution, and the firm works closely with the insurance industry, legal offices nationwide, crisis management firms, financial institutions and law enforcement at all levels to provide the best possible protection. Sera-Brynn is the only cybersecurity firm able to offer and manage full cyber risk management services under one roof.
Sera-Brynn applies its holistic and all-inclusive approach to compliance, insurance and response with Fortune 1000 companies, hospital networks, retail establishments, government agencies, financial institutions, higher education, national non-profits, and international joint ventures.
Learn more about Sera-Brynn at www.sera-brynn.com, or connect @SeraBrynn.