There were two policies implemented recently that impact all US government contractors regarding how they protect their own internal networks.
The first was a set of DFARS changes aimed at US defense contractors. On December 30, 2015, DoD amended both DFARS 252.204-7008 (Compliance with Safeguarding and Covered Defense Information Controls) and DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), giving contractors until December 31, 2017 to fully implement all NIST SP 800-171 controls on covered contractor information systems.
Notwithstanding the 12/31/2017 phase-in period, contractors must still notify DoD within 30 days after contract award “of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award”. It would also be wise for DoD contractors to stay abreast of what may change with the DFARS safeguarding rule (2013-D018), found here, and with a new DFARS rule specifying liability protections for certain DoD contractors when reporting cyber incidents (2016-D025), found here.
The second was a new FAR policy aimed at ALL US government contractors. On May 16, 2016, the Federal Acquisition Regulation (FAR) was amended to implement requirements for the “Basic Safeguarding of Covered Contractor Information Systems.” See the Federal Register 30,439, available here. This final rule becomes effective on June 15, 2016.
The intent is to establish basic safeguarding measures that are (or should be) generally employed by contractors as part of “routine” business practices – the rule is a baseline and does not impact other more specific federal information safeguarding requirements, such as the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 noted above.