The U.S. Department of Defense (DoD) has issued a revised Cybersecurity Discipline Implementation Plan. The previous version of the plan was issued in October 2015; the latest edition was released in February 2016.
Although the primary focus of the document is on the duties and responsibilities of commanders and supervisors in the DoD, the document may be useful to government contractors who are considering how to comply with the requirements for securing controlled unclassified information (CUI), as well as information systems provided under contract to the DoD. In fact, the document directs commanders and supervisors to mitigate risks and report cyber readiness for the information systems they own, manage, or lease for mission assurance through the Defense Readiness Reporting System (DRRS). So if a government contractor provides computer services for a DoD mission, the contractor may soon be hearing from DoD about complying with the provisions of this plan. In addition, all contractors should be expecting additional contract provisions about information security that require compliance with the plan.
The document also offers good general guidance on a range of information security issues, including strong authentication, device hardening, firewalls, and discontinuing the use of Windows XP.
See these previous posts:
- DoD gives contractors more time to implement cyber security requirements.
- DoD issues interim rule about computer security that affects all government contractors.
- The writing is on the wall for controlled unclassified information.
Items on this web page are general in nature. They cannot, and should not, replace consultation with a competent legal professional. Nothing on this web page should be considered legal advice.