2018 was another banner year for government contract cybersecurity requirements. Reports separately released by OMB and MITRE suggest that risks for cyber intrusions remain as prevalent as ever, if not more so. Accordingly, dozens of statutory, regulatory, and agency guidance memoranda on this critical subject were released in 2018 and more are expected to come in 2019, and beyond, as those measures are fleshed out for further development and implementation.
One of these more significant developments is the Department of Defense’s (DoD) increased emphasis on maintaining supply chain integrity for cybersecurity risks. In this regard, the DFARS Safeguarding Clause 252.204-7012, which applies in all DoD procurements, governs the protection of covered defense information provided to or generated by defense contractors. In particular, the Clause requires contractors that access covered defense information to take precautions to protect this information. It also requires that contractors who access this information report cyber incidents, submit malicious software to the Department of Defense Cyber Crime Center, and facilitate a damages assessment in the event of a cyber incident. The Clause also defines covered defense information to be unclassified controlled technical information or other information marked as such in the contract, or collected, developed, received, transmitted, used, or stored on behalf of the contractor in support of the performance of the contract.