After the ball drops in Times Square this New Year’s Eve, many DoD contractors will wake up with a headache. And we don’t mean from too much champagne. We are talking about extensive DoD cybersecurity requirements these contractors must implement by December 31, 2017. Take this blog and call your PilieroMazza lawyer in the morning.
The 12/31/17 deadline has been known since last year and many contractors are surely ahead of the curve. But if you find yourself doing some last-minute cybersecurity shopping, here is a quick overview of what you need to know:
DFARS 252.204-7012 requires DoD contractors with nonfederal information systems that contain controlled unclassified information (“CUI”) to implement the security requirements in National Institutes of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 by 12/31/17. So, understanding if you need to rush to implement the security requirements in NIST SP 800-171 begins with figuring out whether you perform DoD contracts that contain DFARS 252.204-7012 and if you have a nonfederal information system containing CUI (which the government is supposed to identify). If any of these conditions does not apply to you, wipe the sweat from your brow; you're off the hook... but keep on reading.
If you are subject to DFARS 252.204-7012 and NIST SP 800-171, you may not need to do as much as you think to alter your existing security practices. NIST SP 800-171 is performance-based so it does not mandate specific solutions. Your existing systems and practices may work, with some tailoring to implement company policies and practices geared around 14 “security families” in NIST SP 800-171. You may be able to do this internally, or with the help of an outside advisor. Note that there is no required third-party certification for compliance with NIST SP 800-171. But you may want the help of an outside advisor to make sure you are on the right path. You should also check out helpful guidance from NIST and DoD available online NIST SP 800-171A, DoD FAQ, and NIST Handbook 162.
Additionally, because NIST SP 800-171 does not mandate specific solutions, contractors have flexibility to implement alternatives or potentially avoid certain requirements altogether. Note that you must first obtain DoD approval for an alternative or exception before varying from NIST SP 800-171. Variance requests must be submitted in writing, as soon as possible, and should be carefully crafted.
Obtaining a variance can make it easier to comply with the NIST SP 800-171 requirements, and compliance is critical. A strong security program can give you a competitive advantage and avoid many adverse consequences of noncompliance. The “parade of horribles” if you do not comply with NIST SP 800-171 could include breach of contract, termination for default, poor past performance assessments, poor proposal evaluations, all the way to False Claims Act exposure and suspension and/or debarment. Yikes!
If you are not a DoD contractor subject to DFARS 252.204-7012, compliance with NIST SP 800-171 may not be an imminent concern. But focusing on cybersecurity should still be part of your New Year’s resolutions for next year. In 2016, basic cybersecurity requirements patterned on NIST SP 800-171 were added to the FAR via 52.204-21. And, a FAR clause is in the works (and could be implemented next year) that would require compliance with NIST SP 800-171. This means non-DoD contractors can only hope to remain blissfully oblivious to these requirements for so much longer. Better to get out in front of it now.
We help our clients with cybersecurity issues in a variety of ways, including understanding the applicable federal cybersecurity requirements in their contracts, preparing variance requests, preparing internal policies and procedures to memorialize and implement required security procedures, and in reviewing and drafting contracts with third parties to appropriately flow down cybersecurity requirements and allocate risk. To understand how NIST SP 800-171 may impact your business, please join Jon and Kimi for a 60 minute webinar on Thursday, December 14, 2017. More information and a link to register can be found here.
About the Authors: Jon Williams is a partner with PilieroMazza and a member of the Government Contracts Group. He may be reached at email@example.com. Kimi Murakami is counsel with PilieroMazza and focuses her practice on corporate transactions with an emphasis on mergers and acquisitions of government contractors. She can be reached at firstname.lastname@example.org.