Cyber Security Regulations Coming Due
If your company is a Department of Defense (DoD) contractor or subcontractor, the Department of Defense Cyber requirements are something you will need to understand and comply with by December 31, 2017. The purpose of this article is not to go into detail on the requirements, but to alert you to their existence and where to find more information.
Having to comply with the regulations depends on what type of contract you have with the DoD and if within that contract, certain clauses are listed. Commercial items that are bought “off the shelf” (no customization), are generally not required to have the clauses in their contracts. Agricultural bulk products and petroleum products are subject to the regulations.
In general, the DoD clauses require contractors to safeguard certain information that is either on their internal system or network, or passing through their system or network. The clauses also require the contractor to report cyber incidents that either affect certain information or that affect the contractor’s ability to perform “operationally critical support” requirements. The contractor is also required to submit any malicious software discovered that was “isolated in connection with a reported cyber incident” to the DoD Cyber Crime Center. If requested by the DoD, they also need to “submit media and additional information for damage assessment.”
The definition of information that needs to be protected is past the scope of this tip. However, the regulations that define it can be found here: DFARS Regulations. Review DFARS clauses 252.204-7008 and 252.204-7012.
DoD has several programs, both regulatory and voluntary, to improve cyber security. They are using the National Institute of Standards and Technology (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” as a framework for companies to follow when developing a cyber security program. The standard is available here: NIST SP 800-171.
If you are doing business with the Department of Defense, take the time to understand their cyber security rules and regulations and be aware that implementation is due by December 31, 2017. For more information, please contact the Wyoming SBDC Network PTAC at (307) 772-7372 or email@example.com.