[The referenced article was originally published in Law360.]
Since August 2015, defense contractors have been on notice that they were required to implement the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 on covered contractor information systems no later than December 31, 2017. Although the focus has been on meeting this deadline, contractors should add compliance with other areas of DFARS 252.204-7012 (“DFARS Cyber Rule” or “Rule”) to their New Year’s resolutions and confirm that their existing processes and procedures anticipate how the Department of Defense (“DoD”) will measure compliance with the Rule in the year to come. In particular, contractors should assess whether they are providing “adequate security” beyond NIST SP 800-171, review their obligations with regard to their supply chain’s cyber risks, understand how the System Security Plans and Plans of Action and Milestones could be used by the government, and confirm that their incident response plan incorporates the requirements of the DFARS Cyber Rule. The answers to these and other questions are included in the article that was originally published in Law360 and is linked here.