DFARS Cybersecurity Compliance Countdown: Are You Ready?

November 13, 2017

Government Contracts Navigator

It’s almost here. After years of rulemaking, covered defense contractors will soon be fully subject to heightened cybersecurity standards for covered defense information (“CDI”) on IT systems under DFARS 252.204-7012, and contractors submitting new proposals will be representing that their systems are compliant with these security requirements pursuant to DFARS 252.204-7008. We discuss in this post seven compliance tips beyond the basics that are worth revisiting during this final compliance push.

First, some brief background.  It is well-known that by December 31, 2017, covered contractors must have a cybersecurity plan in compliance with the recommended security control standards currently set forth in the National Institute of Standards and Technology (“NIST”) Special Publication 800-171 Rev. 1. Pursuant to DFARS 252.204-7012, NIST SP 800-171 provides 110 security control requirements to establish “adequate security” on covered systems. Among other things, the requirements relate to access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. The requirements also provide for documenting how unimplemented security requirements will be addressed, and require a plan of action and milestones (“POAMs”) for such items.

To read the full blog article, please click here