How Does This Impact your own Subs, Vendors, Partners and Non-Citizen Employees? <\/strong><\/span><\/p>\nEssentially, contractors and all their sub-contractors, must have the DFARS compliance controls- and the considerations outlined within 252.204-7012- in place if they\u2019re managing CUI in any capacity. However, there are exceptions for Commercial-off-the-shelf (COTS) distributors where DFARS compliance may not necessarily be required, as long as their CUI isn\u2019t incorporated into the final product deliverable. However, it\u2019s important to note, that many of these organizations- despite not needing to adhere to these requirements- are doing so, due to their prime\u2019s own compliance requirements and\/or preference. Simply put, any contractors who are functioning as distributors by incorporating CUI into modified COTS technology must comply with DFARS requirements. Contractors who merely use unmodified COTS products don\u2019t need to be compliant, although DFARS compliance may be advantageous from a marketing or best practices standpoint- especially if their vendors or primes require or prefer that they do so. At the end of the day, DFARS compliance holds contractors accountable to adequately verify the compliance posture of their subcontractors- commonly known as “flow-down”- to ensure they comply with DFARS and Clause 252.204-7012 clauses. This requirement creates a trickle-down effect starting from the DoD, down to the subs of their prime contractors. Moving forward, if an organization\u2019s subcontractors are out of compliance, they will be held accountable and can be penalized by losing their contract or in more serious cases, subject to legal ramifications such as fraud.<\/p>\n
Another frequent question we receive pertains to a contractor\u2019s non-citizen employees with access to CUI. It\u2019s important to keep in mind that although non-citizens employed by contractors working with CUI do not conflict with your DFARS compliance posture, the prime contractors are free to make this a requirement within their contracts if they require specific citizenship or residency requirements, which could be outlined within section H of the contract itself.<\/p>\n
In the event that an organization must adhere to International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) standards that control the export of defense and military related technologies, then this data can only be shared with US persons- as defined within the regulation-, citizens and in many cases includes US corporations to determine a contractor\u2019s \u2018citizenship\u2019 and eligibility requirements.<\/p>\n
So, When Do You Actually Need Government Software Subscription Licensing?<\/strong><\/span><\/p>\nClause 252.204-7012 (b)(ii)(D) explains in further detail why Government level licensing isn\u2019t always required for contractors managing CUI but how it may be a requirement in instances when manage classified information and CUI that is owned and operated by federal agencies.<\/p>\n
\u201c(D)\u00a0 If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.\u201d<\/em><\/p>\nUnfortunately, we\u2019ve encountered a number of cases where IT leadership and\/or vendors mistakenly recommend these products to contractors managing CUI. Be aware that the most obvious reason to maintain this position- aside from simply misinterpreting these requirements- is that IT vendors stand to make a lot of money from Office 365 Government subscription sales and its very costly implementation due to not having a migration path. What does it mean to not have a migration path? Unlike a traditional migration to Office 365 where network settings, configurations and processes are simply transferred to the Office 365 cloud, migrating to Office365 Government will require you to rebuild your infrastructure from scratch which will amount to additional costs not including the implementation of the IT solutions addressing the DFARS controls.<\/p>\n
Looking to the Future; The Importance of Strategic Partnerships<\/strong><\/span><\/p>\nAs these IT compliance requirements continue to evolve and with actual enforcement arriving in the near future, the role of IT professionals has expanded beyond the server room. In order to stay ahead of the curve, developing strategic partnerships with the government officials spearheading these DFARS initiatives will have to become an ongoing practice to ensure the successful strategic alignment between your IT compliance strategy and business objectives. Because both compliance requirements and business technologies are always changing, we encourage contractors to partner with service organizations that not only have in-house, IT compliance expertise but have a proactive, forward thinking, service model to accommodate today\u2019s fast changing IT compliance and regulatory landscapes. States like California, Maine and New York have recently led the way toward implementing both commercial and consumer IT protection requirements, and MA based small businesses will only find it increasingly challenging to comply with new regulations once they inevitably become a reality. Today\u2019s SME requires an IT partner that can forecast evolving IT compliance trends and their associated requirements, to ensure their successful continuity into the future and maintain industry competitiveness.<\/p>\n
Keeping in mind these increasingly complex compliance requirements, we highly encourage that you routinely assess these factors and actively collaborate with your IT and compliance partners to verify your posture as well as accurately measure your risks.<\/p>\n
\u201cIf you fail to plan, you are planning to fail.\u201d \u2013<\/em> Benjamin Franklin<\/p>\nFinal Thoughts<\/strong><\/span><\/p>\nIn short, Government level licensing isn\u2019t required for CUI contractors unless specified in the contract or if the data the contractor has is classified or when a federal agency needs to store their own CUI or classified information with the CSP. This, alongside our other shared insights, are meant to help navigate these perceptibly convoluted requirements to help you more effectively address the IT security and compliance gaps within your strategy. If the stringent IT compliance requirements in states like California, Maine and New York are of any indication as to what may be coming to Massachusetts, this degree of collaboration will be needed to succeed within any industry and not just those that are DFARS required. Your security and compliance posture will become even more relevant as to how you\u2019re able to conduct day to day business and will affect how your vendors will engage you- or your competitors- in their vendor selection processes.<\/p>\n
Chris Souza is the CEO of Technical Support International (TSI), a New England-based IT support and cybersecurity compliance firm. He can be reached at: https:\/\/tsisupport.com\/tsistaging.<\/em><\/p>\n
![\"\"](\"https:\/\/tsisupport.com\/tsistaging\/wp-content\/uploads\/2019\/12\/DFARS-DoD.jpg\")
<\/p>\n![\"blog-cta-building-upon-company-culture-remotely-img\"](\"https:\/\/tsisupport.com\/tsistaging\/wp-content\/uploads\/2020\/05\/blog-cta-building-upon-company-culture-remotely-img.png\" "\\"blog-cta-building-upon-company-culture-remotely-img\\"")
\n\t\t\t\t\t<\/div>\n\t<\/div>\n\t<\/div>\n<\/div>\n<\/div>\n<\/div>\n\t<\/div>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n<\/div>