“The cyberthreat is not going away; we have to defend our networks and systems, and you’re part of that defense,” acting DOD CIO John Zangardi said Friday. “DOD is facing the same threats that you are. And with these regulations, we are asking to implement some of the same defenses as we are implementing for the department’s networks.”
“Safeguarding Covered Defense Information and Cyber Incident Reporting,” a new DOD regulation governing how contractors respond to and report cyber incidents, will go into effect, and defense contractors have until the end of calendar year 2017 to begin complying.
At an event for vendors that work with DOD, Zangardi said that the updated regulations will be “critical” for ensuring that “information we put out there, that you receive or that you develop in support of DOD’s warfighting mission is protected.”
“We can’t expect anything less in this current environment,” he added. “This is the thing that gets us to where we want to be in terms of protecting our data.”
“Protecting this information saves warfighter lives,” he said.
Defense information is “unclassified controlled technical information or other information” as described in the National Archives and Records Administration’s Controlled Unclassified Information (CUI) Registry “that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies,” according to a new acquisition regulation final rule passed in October 2016.
Contractors will be expected, at minimum, to comply with the National Institute of Standards and Technology’s Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” for information held on their networks or systems, and to follow cybersecurity guidance on multifactor authentication and cyber-incident response.