Companies doing business with the government are facing a slew of new cybersecurity requirements. While the need for increased security is apparent, the standards to which contractors will be held are still developing. Contractors that want to remain competitive, however, need to understand the new regulations and develop procedures to comply with them.
The Department of Defense (“DOD”) is at the forefront of the new information system security measures. In November 2013, the DOD released a Final Rule amending the Defense Federal Acquisition Regulation Supplement (“DFARS”) to add a new subpart and contract clause focused on steps a contractor must take to protect sensitive data. The new clause (DFARS 252.204-7012) is mandatory for all DOD prime contracts and subcontracts, and there are no exceptions for small businesses or commercial item contractors.
In July, the U.S. government passed the 2014 Intelligence Authorization Act, which requires the Director for National Intelligence (“DNI”) to develop procedures related to reporting by intelligence community (“IC”) contractors of “penetrations” of IC networks and information systems. The Act also mandates that, going forward, all IC contracts and renewals contain a clause requiring a network and information security plan by contractors with access to classified information.
Recognizing that the new IC requirements are similar to the DOD’s, the Act requires the DNI to work with the DOD to submit a single report recommending requirements satisfying both systems. While the requirements of IC contractors may not mirror those of DOD contractors, IC contractors can likely expect some of the same obligations. We will continue to follow these developments as they unfold.