Mary Beth Bosco is a Partner in our Washington, D.C. office.

The Dec. 31, 2017 deadline for Department of Defense (DoD) contractors to comply with DoD's cybersecurity and breach reporting requirements is looming. The requirements, which are set forth in DoD's Oct. 21, 2016, final rule, "Network Penetration Reporting and Contracting for Cloud Services," apply to all contractors – including small businesses – that support DoD contracts and handle controlled unclassified information (CUI).

On June 23, 2017, DoD will host an Industry Information Day, open to all contractors, to brief industry on implementation of the new rules and to address industry feedback. In order to attend, companies need to register at osd.dibcsiaevents@mail.mil by June 12, 2017. Companies can also submit written questions to the same address by May 1, 2017. The public meeting will be held at the Mark Center Auditorium, 4800 Mark Center Drive, Alexandria, Va. 

The DoD Industry Information Day underscores the scope and importance of the cybersecurity rules. By the Dec. 31, 2017 deadline, most DoD contractors will need to have information systems meeting the standards contained in National Institute of Standards and Technology (NIST) Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, or an "equally effective" system that must be approved before award. Contractors must additionally implement policies and processes designed to ensure compliance with the rule's 72-hour breach notification deadline. 

DoD contractors who have not already done so will need to review their existing information security policies and procedures to identify and remedy any gaps between their information security systems and the NIST 800-171 standards by the end-of-year implementation deadline.
