Photo of Laura Jehl

Reprinted from The Government Contractor, with permission of Thomson Reuters. Copyright © 2017. Further use without the permission of West is prohibited. For further information about this publication, please visit http://legalsolutions.thomsonreuters.com, or call 800.328.9352.

In Part 1, we discussed the cybersecurity requirements applicable to federal contract information under Federal Acquisition Regulation 52.204-21(b)(1) and covered defense information (CDI) under Defense FAR Supplement 252.204-7012, which requires contractor compliance by December 31. See 59 GC ¶ 25. In Part 2, we examine other safeguarding and reporting requirements for unclassified information, including agency-specific regulations, of which Government contractors should be aware. Many of these requirements have been in place for years, and your company may already have plans and processes for compliance. However, it is worth reexamining these requirements and considering the data and systems they affect, as well as how security may be improved when planning for compliance with the DFARS rule by December 31.

On May 18, 2016, the Department of Defense issued Conforming Change 2 of the “National Industrial Security Operating Manual” (“NISPOM”). NISPOM Change 2 requires all U.S. government contractors who require access to U.S. classified information to implement, by November 30, 2016, an Insider Threat Program (“ITP”) that will gather, integrate and report relevant information related to potential or actual insider threats among cleared employees. Insider threats – a growing phenomenon – arise when employees or contractors exploit legitimate access to an organization’s data for unauthorized or malicious purposes. Much of the impetus for the new rule appears to be a valid concern about large-scale thefts of classified data, as exemplified by Edward Snowden’s release of a vast trove of sensitive documents stolen from the U.S. National Security Agency.

On February 16, 2016, Secretary of Homeland Security Jeh Johnson announced interim guidelines and procedures for sharing cyber threat indicators under the Cybersecurity Information Sharing Act of 2015 (“CISA”). Because the guidelines are voluntary, the next question is, should your company share information with the Government?