Forget The Showers. April Brings Flurry of New Cyber Guidance.

April has marked a busy month for those following the DoD’s approach to contractor cybersecurity. Earlier in the month, the DoD published a much-anticipated revision to their Frequently Asked Questions regarding DFARS 252.204-7012 and other cybersecurity requirements, reflecting feedback on various questions posed by industry over the past year and including new information regarding:

• COTS and commercial items
• Scope of covered defense information
• Conflicts with foreign laws
• Subcontractor flowdowns
• System security plans (SSPs) and plans of action & milestones (POAMs)
• Requirements for FIPS-validation, multifactor authentication, and marking
• Cybersecurity requirements beyond NIST SP 800-171
• Cloud service providers
• Examples of cyber incidents
• Guidance for small businesses
• DCMA oversight

Then just weeks later, the DoD issued proposed guidance for evaluating contractor cybersecurity, including implementation of NIST SP 800-171. Importantly, contractors may comment on the draft guidance through May 31 – and would be well-served to familiarize themselves with the new FAQs before doing so.