Kilpatrick Townsend’s Gunjan Talati, partner in the Government Contracts and Construction & Infrastructure Group, recently moderated a panel for the Association of Corporate Counsel National Capital Region chapter on Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements. The panel, consisting of both in-house counsel and government officials, discussed the cybersecurity requirements at DFARS 252.204-7012 (the “DFARS Clause”). The panel covered what the DFARS Clause requirements for contractors are and best practices for compliance.5 key takeaways from the presentation include:
- The DFARS Clause requires contractors and subcontractors with certain defense contracts to provide “adequate security” for “all covered defense information” in accordance with NIST 800-171. Contractors and subcontractors must also rapidly report security incidents to agencies and perform specific actions in response to such incidents.
- Contractors can demonstrate compliance with the DFARS Clause by developing a system security plan and plan of action to remedy any applicable deficiencies or vulnerabilities within their system.
- Contractors should also ensure that any cyber incident response plan has provisions for handling required reporting under the DFARS Clause as well as other forensics requirements such as submitting malicious software in accordance with a contracting officer’s direction and preserving and protecting images of impacted information systems.
- The DFARS Clause also requires contractors to flowdown the requirements of the DFARS Clause to subcontractors when subcontractor performance will involve operationally critical support or covered defense information. Contractors should closely examine their relationship with any cloud service providers to determine whether they would be considered a “subcontractor” for purposes of the DFARS Clause.
- Each organization’s needs for DFARS Clause compliance will vary depending on the type of work they perform but all should consider having a formal compliance plan in place that is reduced to writing and incorporates all other plans, such as an incident response plan, as necessary.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.