New Year New Rules for Defense Contractors

[via POLITICO.COM Morning Cybersecurity 2 JAN 2018]

DFARS cybersecurity rules take effect – The recent New Year festivities brought with them more than just mountains of confetti litter and discarded “2018” glasses. The last day of 2017 also marked the deadline for defense contractors to meet minimum cybersecurity requirements for the systems they operate for the Pentagon. A federal contracting rule gave firms until Sunday to “provide adequate security on all covered contractor information systems,” with the technical standards agency NIST publishing a list of required security measures. The new regulation is the government’s most serious attempt yet to protect military data from hackers who have breached a series of sensitive targets in recent years, including the email network of the Joint Chiefs of Staff.

But the cybersecurity rule presents “a problem for DoD because there’s a lot of subjectivity in what is ‘adequate security,'” Susan Cassidy, a partner at Covington and Burling who specializes in defense contracting regulations, told MC in an interview. The Pentagon will likely assess protections based on the sensitivity of each company’s work, she said. “If you are providing commercial items like cleaning products to the government, you might have less ‘adequate security’ requirements than if you are working on a large weapons system.” But DoD will also face a huge logistical challenge auditing contractors’ compliance with the new rules. The Defense Contract Management Agency lacks the manpower to review each of the more than 200,000 contracts for cybersecurity protections. “DoD knows that contractors are going to have to self-certify,” Cassidy told MC.

Faced with industry frustration, the Pentagon softened the requirement prior to the deadline, saying contractors only had to write an overall cybersecurity plan. In that plan, contractors must explain how and when they will deploy the rest of the required digital protections – including things like “Limit unsuccessful logon attempts” and “Monitor and control remote access sessions.” Cassidy said the plan is an important first step even if overall compliance remains unfinished: “What the government has now is information it can use to help it evaluate contractor compliance.” The Pentagon did not respond to a request for comment over the holiday weekend.

Companies are taking the new regulation seriously even though they have some breathing room to implement it, according to Cassidy. As of today, they must have their cyber plans ready for government inspection, and those documents must be accurate, because lying to the government is a crime. More generally, while companies with legacy IT may struggle to meet some requirements – like using multi-factor authentication – the contracting community has had four years to prepare for the new regulatory environment. “DoD’s been somewhat patient … on these security controls,” Cassidy told MC. “It’ll be interesting to see how much they enforce it going forward and how [DoD’s] auditing of this compliance works out in the coming year.”

While the new rule only applies to defense contractors, 2018 could be a big year for civilian contractor cybersecurity too. The government, Cassidy said, is likely to propose a new regulation “sometime in the next year” that standardizes data protection requirements no matter what agency a contractor is supporting. Currently, departments and agencies set their own expectations for contractors’ digital defenses, creating an unwieldy regulatory patchwork.