2018 was another banner year for government contract cybersecurity requirements.  Reports separately released by OMB and MITRE suggest that risks for cyber intrusions remain as prevalent as ever, if not more so.  Accordingly, dozens of statutory, regulatory, and agency guidance memoranda on this critical subject were released in 2018 and more are expected to come in 2019, and beyond, as those measures are fleshed out for further development and implementation.

One of these more significant developments is the Department of Defense’s (DoD) increased emphasis on maintaining supply chain integrity for cybersecurity risks.  In this regard, the DFARS Safeguarding Clause 252.204-7012, which applies in all DoD procurements, governs the protection of covered defense information provided to or generated by defense contractors.  In particular, the Clause requires contractors that access covered defense information to take precautions to protect this information.  It also requires that contractors who access this information report cyber incidents, submit malicious software to the Department of Defense Cyber Crime Center, and facilitate a damages assessment in the event of a cyber incident.  The Clause also defines covered defense information to be unclassified controlled technical information or other information marked as such in the contract, or collected, developed, received, transmitted, used, or stored on behalf of the contractor in support of the performance of the contract.
Continue Reading

Federal government contractors, grantees and those with cooperative agreements may find themselves in possession of (or handling) government information which the U.S. Department of Defense (DoD) considers to be sensitive or confidential but not considered “classified.” On Dec. 31, 2017, in accordance with DFARS 252.204-7012 the National Institute of Standards and Technology (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations” or the “Cyber Clause” went into effect. The purpose of the clause is to provide a uniform standard for the handling of CUI and to provide a roadmap for safeguarding CUI and covered defense information (CDI) that is a subset of CUI.  Specifically, the new regulation focuses on addressing “deficiencies in managing and protecting unclassified information” including “inconsistent markings” and “inadequate safeguarding” by “standardizing procedures” for the handling of CDI/CUI and “providing common definitions through a CUI Registry.

CDI is defined as unclassified information, as described in the CUI Registry that requires safeguarding or dissemination controls and requires, at minimum, the implementation of NIST SP 800-171 controls.
Continue Reading