UPDATE: DoD Cybersecurity Rules Expand Contractors’ and Other DoD Awardees’ Obligations to Safeguard Sensitive Data and Report Cyber Incidents

On December 30, 2015, DoD published an interim rule, effective immediately, amending portions of the August Rule. Most importantly, pursuant to the new rule, contractors administering covered information systems that are not being operated on behalf of the government now have until December 31, 2017 to implement the new NIST SP 800-171 standards. Previously, through a class deviation, contractors were given an additional nine months after contract award to comply with the multifactor authentication provisions of NIST SP 800-171. The new December 31, 2017 deadline gives contractors significantly more time to implement all of the requirements of NIST SP 800-171.

Additionally, the interim rule provides that contractors must notify the DoD Chief Information Officer (CIO) via email within 30 days of contract award of any NIST SP 800-171 requirements not implemented at the time of the contract award. Finally, the new rule provides that the security and reporting requirements of the August Rule must flow down to subcontractors only when those subcontractors are dealing with CDI or providing operationally critical support.

This client alert is an update to an alert initially circulated on December 1, 2015.