Defense contractors are wrestling with new contracting rules that went into place, sort of, as of December 31, 2017, with the requirement to be in compliance with NIST SP 800-171.
NIST SP 800-171 defines over 100 cyber security requirements that defense contractors and subcontractors must comply with. Prime contractors must ensure that their subs are in compliance with these requirements, and both primes and subs can be barred from government contracts if they fail to comply or lie about their compliance status.
For those familiar with the government contracting rules, this was implemented by creating a new DFAR clause. NARA, the National Archives and Records Administration, said last year that they planned to create the civilian-government equivalent of that DFAR, a FAR clause, and now they have begun the process.
The GSA has published a notice that they intend to create a set of contractor cyber security rules, similar to NIST SP 800-171.
Part of what GSA is doing is codifying existing rules to ensure that they are mandatory in the contracting process, but that is only part of it. These rules call for protecting the confidentiality, availability and integrity of government information and also set reporting requirements for cyber incidents. The reporting time frame for incidents for defense contractors is now 72 hours – way stricter than any state regulation.
Once this process is complete, which will happen toward the end of this year, these requirements will become mandatory for all GSA contracts.
Last year defense contractors started worrying about implementing good cyber security practices; this year it is the civilian government contractors that need to pay attention. Smart contractors will begin working on enhancing their cyber security program based on the concepts inside NIST SP 800-171 in order to get a head start on the requirements.
Information for this post came from Fedscoop.