Federal contractors voiced concerns about the timeline for cybersecurity compliance requirements, originally believed to be mandated for 2016, and the U.S. Department of Defense (DOD) listened.
On December 30, 2015, the DOD granted more time for contractors and certain subcontractors to comply with the standards contained in the National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Contractors now have until December 31, 2017, to implement the new security requirements.
While the DOD has granted additional time, it did not do so without certain conditions. The new solicitation clause requires offerors to identify to the contracting officer any variances between their cybersecurity procedures and those NIST SP 800-171 standards that are in effect at the time of contract award. The contractor’s submission will need to include an explanation as to why a particular security requirement is not applicable or how an alternative security measure will provide security and protection equal to that of the NIST standards. Submissions will be reviewed by the DOD Chief Information Officer, who will approve or disapprove the variances prior to the award. Any approved variances will be included in the final contract.
How exactly will this affect subcontractors? In addition to the extension of the compliance date, the DOD’s recent interim rules specify that the cybersecurity clauses should be flowed down to subcontractors only when their efforts involve covered defense information or they will provide operationally critical support.
In summary, government contractors now have more time to implement the NIST SP 800-171 standards. But they need to start “getting their ducks in a row,” considering their current security measures and where they will need to be tomorrow.
The NIST SP 800-171 publication is available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
Information contained in this alert should not be construed as the rendering of specific accounting, tax, or other advice. Material may become outdated and anyone using this should research and update to ensure accuracy. In no event will the publisher be liable for any damages, direct, indirect, or consequential, claimed to result from use of the material contained in this alert. Readers are encouraged to consult with their advisors before making any decisions.