GSA Proposing Changes To Fed Contracting CyberSec Rules

Defense contractors are wrestling with new contracting rules that went into place, sort of, as of December 31, 2017, with the requirement to be in compliance with NIST SP 800-171.

NIST SP 800-171 defines over 100 cyber security requirements that defense contractors and sub-contractors must comply with.  Prime contractors must ensure that their subs are in compliance with this and both primes and subs can be barred from government contracts if they fail to comply or lie about their compliance status.

For those familiar with the government contracting rules, this was implemented by creating a new DFAR. NARA, the National Archives and Records Administration, said last year that they planned to create the equivalent of a DFAR for the civilian government, called a FAR, and now they have begun the process.

The GSA has published a notice that they intend to create a set of contractor cyber security rules, similar to NIST SP 800-171.

Part of what GSA is doing is codifying existing rules to ensure that they are mandatory in the contracting process, but that is only part of it.  These rules call for protecting the confidentiality, availability and integrity of government information and also the reporting requirements for cyber incidents.  The reporting time frame for incidents for defense contractors is now 72 hours – way stricter than any state regulation.

Once this process is complete, which will happen toward the end of this year, these requirements will become mandatory for all GSA contracts.

Last year defense contractors started worrying about implementing good cyber security practices; this year it is the civilian government contractors that need to pay attention. Smart contractors will begin working on enhancing their cyber security program based on the concepts inside NIST SP 800-171 in order to get a head start on the requirements.

Information for this post came from Fedscoop.

Defense Contractors Have To Disclose Breaches Within 72 Hours

As if complying with 47 states' individual laws on breaches wasn’t complicated enough, if you are a defense contractor, you now have to comply with DoD rules on disclosing breaches. I suspect that part of this is due to the fact that the DoD thinks that many of the state laws are too loose and the fact that, with contractors, they want to control what happens. It is fair that there should be a higher bar with defense contractors. The rule says that this cost comes out of your pocket, not the government’s.

The first thing that stands out about it is that contractors do not have 30-60-90 days to disclose a breach like they do in most of the state laws but rather 72 hours.

This disclosure is required whether or not there is DoD information compromised. After all, you likely won’t know that in 72 hours.

The next step is to do a review to see if defense information was in fact compromised. So, you have to tell DoD that you were breached and then tell them if their stuff was stolen.

Unlike state laws, under the DoD rule, you need to identify which computers, servers and user accounts were compromised as well as the specific data exposed.

Contractors also have to preserve system images (exact copies of the disks) as well as network packet capture – for at least 90 days.

This definitely raises the bar for defense contractors.  My guess is that other than the very large contractors, no one is ready to deal with this new rule.

These new rules apply to unclassified information systems. The rules for classified systems are governed by the NISPOM (National Industrial Security Program Operating Manual).

I suspect it will take a little time for DoD to wrap its arms around this, but as they do, contractors should be ready to respond to DoD inquiries about their capabilities in this area.

This new rule is required to be included in all new contracts and work orders.


Information for this post came from an article by the law firm of Seyfarth Shaw on Lexology.

The actual rule (16 pages, single spaced) is available on the Federal Register for Oct 2, 2015, here.