Forget The Showers. April Brings Flurry of New Cyber Guidance.
May 1, 2018
April has marked a busy month for those following the DoD’s approach to contractor cybersecurity. Earlier in the month, the DoD published a much-anticipated revision to their Frequently Asked Questions regarding DFARS 252.204-7012 and other cybersecurity requirements, reflecting feedback on various questions posed by industry over the past year and including new information regarding:
- COTS and commercial items
- Scope of covered defense information
- Conflicts with foreign laws
- Subcontractor flowdowns
- System security plans (SSPs) and plans of action & milestones (POAMs)
- Requirements for FIPS-validation, multifactor authentication, and marking
- Cybersecurity requirements beyond NIST SP 800-171
- Cloud service providers
- Examples of cyber incidents
- Guidance for small businesses
- DCMA oversight
Then just weeks later, the DoD issued proposed guidance for evaluating contractor cybersecurity, including implementation of NIST SP 800-171. Importantly, contractors may comment on the draft guidance through May 31 – and would be well-served to familiarize themselves with the new FAQs before doing so.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.