The window for Department of Defense (DoD) contractors to bring themselves into compliance with cybersecurity requirements is closing.
Specifically, changes to the Defense Federal Acquisition Regulation Supplement (DFARS) published in late 2016 require that DoD contractors and subcontractors provide “adequate security” on “covered information systems.” The new rule also imposes reporting requirements for cyber incidents. Failure to comply with these requirements could result in loss of government contracting opportunities and civil and criminal liability for responsible companies and individuals.
Background
On October 21, 2016, DoD published a final rule significantly expanding the obligations of private industry with respect to cybersecurity on contractor information systems that host certain government and other sensitive data. 81 Fed. Reg. 72986 (Oct. 16, 2016). Specifically, the new rule amends the contract clause at DFARS 252.204-7012, which addresses “Safeguarding Covered Defense Information and Cyber Incident Reporting.” According to DoD, “[t]he objectives of the rule are to improve information security for DoD information stored on or transiting contractor information systems as well as in a cloud environment.”
The amended DFARS clause imposes a critical and fast-approaching compliance deadline: DoD contractors and subcontractors must implement specific security measures on their “covered systems” by December 31, 2017.
The new contract clause at DFARS 252.204-7012 mandates that DoD contractors and their subcontractors “provide adequate security” on all “covered contractor information systems.”
Keep reading this article at: http://www.jdsupra.com/legalnews/alert-dod-contractors-required-to-meet-65186/