CONTRACTORS FACE CONFUSION, CHANGING RULES, ON CYBERSECURITY

Companies selling to the Department of Defense have been gearing up to become Cybersecurity Maturity Model Certification (CMMC) approved. Even GSA is eyeing the inclusion of CMMC requirements in some of its contracts, since DOD is often their largest user. Now, however, the National Institute of Standards and Technology (NIST) has published draft SP 800-172 (https://csrc.nist.gov/publications/detail/sp/800-172/draft), a set of enhanced security requirements that will eventually be incorporated into certain CMMC levels. How that will affect companies among the first to be certified under the current guidance is unknown. Guidance from DOD, especially for companies that provide cloud services, is also changing. Don’t even start with the question of which cybersecurity requirements Commercial Off the Shelf (COTS) procurements are and are not exempt from. It’s enough to make a contractor seek an easier career, like commercial fishing.

What is clear is that FAR clause 52.204-21 on Federal Contract Information (FCI) is increasingly being incorporated into a wide range of government contracts, including those for commercial items. Make sure your company can comply with the 15 basic safeguarding requirements listed in the clause; they map to basic security requirements in NIST SP 800-171, so a company already meeting 800-171 should be covered. Not all cyber guidance has found its way into the FAR yet, though. DOD contractors increasingly need to examine DFARS clauses to make sure they understand the cybersecurity and cloud standards required of them and which of those standards must be flowed down to subcontractors.

There are many key terms to know, but two of the most frequent are Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). CUI is part of the definition of CDI (CDI is, in short, unclassified CUI that is provided to or developed by the contractor in performance of the contract), so if your company meets the standards for handling CUI, it likely meets the CDI requirements as well. While COTS providers are, in fact, exempt from CMMC and some other requirements, that distinction may be lost on DOD buyers and prime contractors. Such companies will need to be prepared either to explain why they are exempt from a given compliance standard or to become compliant with it. The situation is changing, but making sure your company tracks those changes and stays compliant with the applicable rules is critical to doing continued government business.