From: GovernmentContractsBlog
In response to industry concerns and comments, on December 30, 2015, the Department of Defense issued a new interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules promulgated in August. The second interim rule focuses specifically on provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Under it, contractors have until December 31, 2017 to implement the security control requirements specified by National Institute of Standards and Technology Special Publication 800-171 (SP 800-171). As the prior interim rule had no grace period for implementing the new cybersecurity controls, this is a fortunate change for DoD contractors.

This welcome extension, however, is not without conditions. In line with the notification outlined in DoD’s class deviation addressing “multifactor authentication for local and network access,” contractors now have 30 days to inform the DoD Chief Information Officer (CIO) if any of the SP 800-171 security requirements are not implemented at the time of contract award. Absent that notice, DoD will presume contractors are meeting all of the NIST-established controls. As the new interim rule describes, this 30-day period will give DoD the opportunity to monitor progress across its government contractors and to identify and address any problems with the implementation of the NIST security controls.
The other changes in the interim rule limit the manner in which certain regulations are to be flowed down to subcontractors and limit the scope of DoD review: