DoD Contractor’s DFARS Cybersecurity Deadline

Cybersecurity and Privacy Alert

Client Alert


At this time last year, the Department of Defense issued a Defense Federal Acquisition Regulation Supplement (DFARS) intended to better protect controlled data and national security networks from cybersecurity threats.

The 2016 DFARS cybersecurity regulations cover defense information on contractor information systems that support the performance of DoD contracts, and establish that covered systems comply with the security requirements in the NIST CUI. The cybersecurity requirements for covered information systems can be found in NIST Special Publication (SP) 800-171.

In addition to preventative cybersecurity measures, DoD contractors will also be required to “rapidly report” cyber incidents to the DoD within 72 hours of discovery, provide any malicious software to the DoD Cyber Crime Center, preserve a copy of affected systems for 90 days from a report, and allow DoD access for a forensic analysis.

DoD contractors and subcontractors who have access to “controlled unclassified information” have until Dec. 31, 2017, to prepare to comply with the new DFARS cybersecurity requirements.

A Continued Effort to Address Growing Cyber Threats

Earlier in May of this year, cleared government contractors were required to complete training for all cleared personnel as part of an “insider threat program” (ITP) as required by the DSS under Change 2 of the NISPOM.

The new DFARS cyber protection regulations expand the government’s efforts to protect national security data and networks from cleared entities to include all DoD contractors who have access to controlled information.  

Be mindful of yearend holidays in completing assessments and implementation of any resulting policy and procedure changes by the December 31, 2017, deadline.

The applicable DFARS provisions and guidance are available on the DoD website.

Bradley Cybersecurity and Privacy Practice Group

Cybersecurity and privacy are ongoing and pressing concerns for today’s businesses. Information is value. Technology is value. Both can present large risks. The protection and management of information and technology infrastructure are key. Legal decisions are becoming increasingly complex and affect a variety of significant regulatory, transactional, civil liability, and reputational matters. Our Cybersecurity and Privacy team has over 25 years of experience in this space and works with clients to protect against, plan for, respond to, and recover from a variety of cyber threats. Bradley's multidisciplinary team has industry-specific groups, including a group that specializes in the unique challenges faced by government contractors in complying with rapidly changing cybersecurity requirements and reporting obligations. Our government contracts partners have broad experience in cybersecurity for both defense and civilian government contractors, positioning us to provide essential legal counsel on protecting sensitive information and avoiding exposure to the serious legal, financial, and reputational risks that accompany cyber incidents.