January 21, 2019

New data security rules for federal defense contractors

Technology for Lawyers

Published: December 29, 2017

So, somebody finally got the US Department of Defense to pay attention to data security. Here come some new data security regulations, replacing outdated or, more like, nonexistent ones. So if you are a Department of Defense contractor, or represent one, and the contract involves sensitive information, you have to be cognizant of a whole slew of new data security rules that are about to be implemented for you and/or your clients.

The new rules, called the Defense Federal Acquisition Regulation Supplement (DFARS), go into effect as of December 31, 2017. They have been included as a de facto part of certain government contracts for about a year, so many people who need to know about them should already know.

Nevertheless, here are a few points about the new DFARS.

The new regs cover data which is classified as “controlled unclassified information”, or CUI. The rules will apply to anyone who handles, stores, or transmits this data. They also apply to any third party that comes in contact with this data.

CUI covers software and hardware. It can include such disparate items as credit card numbers, cloud storage, healthcare info, or the more obvious data relating to weapons development and communications.

It also includes information on any physical and virtual infrastructure whose failure could cause problems or a security breach. The full list of the dozens of items that constitute CUI is here: https://www.archives.gov/cui/registry/category-list.

If you or your client handles any of that data, then you move on to the next step: conformance with the standards set out in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which is found here: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf.

SP 800-171 lists 14 specific areas of data security that contractors must comply with, from access control to system and information integrity.

Now—how rigid are these regs? How does one conform to them? They are really a set of best practices, so if your contractor can do a better job in one of these areas than the reg lays out, that’s cool. All you have to do is prove that your solution has the same or better effect on data security as the government solution.