Defense contractors will now need to implement security control requirements and ensure sensitive federal information remains confidential when stored in any nonfederal electronic system beginning December 31, 2017.  Earlier this year AGC hosted a webinar giving an overview of the new cybersecurity requirements to AGC members.
The purpose of the new requirements is to ensure that unclassified DoD information residing on a contractor’s internal information system is safeguarded from cyber incidents, and that any consequences associated with the loss of this information are assessed and minimized through cyber incident reporting and damage assessment processes. It is not required to be applied retroactively, but a contracting officer may modify an existing contract.  DoD has consistently stated that the agency does not plan to audit contractors’ electronic devices, but will rely on contractor’s attesting to their compliance with the requirements.
AGC has communicated to DoD the difficulty many contractors have had in implementing these new cybersecurity requirements. According to a DoD spokeswoman, contractors must still comply by Dec. 31, but compliance means documenting the state of your company’s information system in a security plan (SSP) and documenting how and when your company will implement any requirements that have not yet been implemented.  Further, individual, isolated, or temporary deficiencies should be managed through Plans of Action/Milestones (POAM).
For more information contact [email protected] or (703) 837-5368.