Although DoD remains on the cutting edge of cybersecurity protections in the government contracts world, it continues to hone and refine that edge. Recently, DoD issued an updated frequently asked questions (FAQ) page for DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The new FAQs addresses many, but not all of the types of questions many contractors found themselves asking after the October 21, 2016 final rule came out. Key clarifications in the FAQ include:
Clarifying which version of the clause applies to contracts that have been in-performance while the clause undertook several revisions
Reinforcing the scope and strength of flow-down requirements (i.e., “if a subcontractor does not agree to comply with the terms of [the clause], then covered defense information [“CDI”] should not be on that subcontractor’s information system”)
Explaining the relationship between CDI and information included in the National Archives and Record Administration (“NARA”) controlled unclassified information (“CUI”) program and the circumstances under which certain classes of data (e.g., export control data) may be considered CDI
Elaborating on DoD’s procedures for granting a variance from required NIST 800-171 controls
The FAQs also dedicates several questions specifically to the implementation of NIST 800-171 controls, discusses how DoD may evaluate an offerors’ compliance with the DFARS clause and NIST 800-171 during the source selection process, and offers some guidelines for small businesses facing the new requirements with limited resources. While the FAQs themselves do not have the force of a law or regulation, they provide a good indication of how DoD agencies intend to administer the clause, and contractors can rely on the FAQs to get a sense of how DoD expects them to comply. Contractors should keep in mind, though, that this is at least the third version of the FAQs, and they may change again.