Many companies have contracts with the federal government, and there are laws designed specifically for them to protect the federally-sourced data they receive from inappropriate exposure. As cybersecurity risks evolve and emerge, the government modifies the data security regulations to reflect those new threats. Additional laws that also affect government procurements can also be changed when data security standards shift, and the Berry Amendment is one such law. Contractors who fail to comply with these laws and their ongoing amendments risk the termination of their contract.
Protecting State-Controlled Data
The federal government generates and collects vast volumes of data every minute. While some categories of that information are highly classified (state secrets, spy activities, etc.), other types are less classified, but still require enhanced security protections because they contain sensitive data. The specific class of “controlled unclassified data” (CUI) is sensitive information that requires protection from public disclosure. (Find the CUI registry here.) It includes social security numbers, banking data, and other ‘personally identifying information’ (PII).
The Defense Federal Acquisition Regulation Supplement (DFARS) directs how the government contracts and pays for goods and services when it uses ‘appropriated funds’ for that purpose. Congress allocates ‘appropriated funds’ to achieve specific governmental purposes. Contractors who provide those goods and services must abide by the rules that govern the data that is sent and received in response to those contract activities.
In 2015, The DFARS rules were modified to reset the standards for how these government contractors must protect their federally obtained CUI. The revised DFARS rules require contractors to comply with the data security standards set out by NIST 800-171. All contractors were mandated to make necessary changes and those contractors who had not attained that DFARS compliance by December 31, 2017 are now at risk of losing their Department of Defense (DoD) contracts.
Establishing DFARS Compliance
The revised DFARS rule requires that contractors:
- maintain ‘adequate security’ to safeguard CUI that resides in or transits through contractor systems. According to the DFARS compliance statutes, ‘adequate security’ refers to ‘protective measures that respond to the consequences and probabilities related to the loss, misuse, unauthorized access to, or modification of CUI.’
- And, contracting organizations must ‘rapidly report’ cyber incidents to the DoD, including allowing access by the DoD to those compromised files and records. Again, the statute defines ‘rapidly report’ as submitting the notice within 72 hours of the discovery of any cyber-related incident.
The challenge for contractors is to clarify and apply to their systems the definition of ‘adequate security,’ and then pass a readiness assessment based on the guidelines set out in NIST 800-171.
DFARS Security Requirements
Full DFARS compliance requires contractors to take ‘adequate security’ measures regarding these 14 classes of IT information management:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Additionally, DFARS compliance isn’t a one-time event, but instead mandates an ongoing review, revision and assessment process over all relevant IT security procedures. Contractors are expected to not just comply with DFARS but maintain that compliance for the life of the contract.
To assist with DFARS compliance, NIST issued a publication that provides guidance for organizations that hold CUI in ‘non-federal information systems.’ The publication stresses that appropriate security activities encompass not just ‘confidentiality,’ but also ‘integrity’ and ‘availability’ as the highest priority security objectives. It clarifies that the guidelines established by NIST 800-171 are the base standards with which all government contractors must comply.
The Berry Amendment
Originally passed in 1941 and amended several times since then, this law states that contractors can only spend appropriated funds on those classes of goods and products that are wholly American sourced and made. Because federal contractors purchase many of their supplies with appropriated funds, they are bound by the Berry Amendment to purchase only U.S.-originating goods. Those items explicitly listed in the current version (2006) of the Berry Amendment include the following.
- An article or item of food;
- clothing;
- Canvas items, including tents, tarpaulins, or covers;
- Natural fiber products including cotton, woven silk or woven silk blends; spun silk yarn for cartridge cloth, and wool (whether in the form of fiber or yarn or contained in fabrics, materials, or manufactured articles);
- coated synthetic fabric or synthetic fabrics (including all textile yarns and fibers that are for use in such fabrics);
- any manufactured item of individual equipment made from or containing such fibers, yarns, fabrics, or materials as per Federal Supply Class 8465; and
- hand or measuring tools.
Despite the comprehensiveness of the included list, there are also several exceptions to the Berry Amendment:
- The Amendment doesn’t apply if the value of the prime government contract is below the Simplified Acquisition Threshold (SAT) of $250,000 (as of December 12, 2017).
- Contractors can obtain waivers from the Berry Amendment if they can’t find the items they need from an American source, including those that are predetermined to be unavailable under the H Buy American Act. Agencies seeking a waiver must be prepared to prove the U.S.-based unavailability of the good or product.
- Emergency acquisitions or those obtained outside the U.S. for combat operations are also exempt, as are
- Incidental purchases of otherwise prohibited fabrics or fibers when the value is less than ten percent of the SAT.
Contractors who make purchases that are covered by the Berry Amendment must also achieve DFARS compliance to maintain their agreement with the federal government.