London Office
Quick Contact


Image Alt


New DoD Rule Redefines Cybersecurity Compliance

Though long anticipated, the effect of recent amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) are nonetheless dramatic in application. They change the definition of a compliant cyber security system, and they impose sweeping new reporting requirements.

What constitutes “adequate security” has now changed. Previously, contractors were required to meet standards articulated in National Institute of Standards and Technology (NIST) Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” But this standard is no longer applicable. With the new rule, we are now obliged to comply with NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” The DoD deems the new standard, finalized in June, “easier to use.” But ensuring the compliance of existing controls is sure to cause some near-term challenges.

The rule also expands those instances where a contractor must make mandatory reports of possible or actual security breaches. Previously, the DFARS required cyber incident reporting for Unclassified Controlled Technical Information (UCTI). Now, unclassified reporting requirements extend to data (“covered defense information”), either provided by DoD or “collected, developed, received, transmitted, used, or stored” by the contractor if it falls into one of four, broadly construed categories: (1) controlled technical information; (2) critical information; (3) export control information; or, (4) “any other” information deserving of protection under law, regulation or policy (e.g. personal identifying information).

The new DFAR rule casts a wide net; virtually all unclassified network information is now possibly subject to the enhanced reporting requirements. (Note that the new rule only applies to unclassified “covered defense information.” The NISPOM will continue to control reporting requirements relating to incidents involving classified information.)

The new rule became effective when it was published on August 26, 2015. Contractors should make haste in assessing their current security controls and reporting procedures to ensure compliance with the new requirements.