10.26.2015


The Department of Defense (DoD) issued an interim cybersecurity rule in August 2015 that, among other things, revises the existing Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause and increases security and reporting obligations for DoD contractors.  The obligations described below apply to essentially all DoD prime contractors and subcontractors. 

Contractors should strive to comply with these obligations now, given that the interim rule's expanded cybersecurity clause is already appearing in DoD contracts.  Comments on the interim rule are due by October 26, 2015. 

Scope of the Cybersecurity Clause

By way of background, in November 2013, DoD issued a new mandatory contract clause, DFARS 252.204-7012, that applied to all DoD contracts/subcontracts, including contracts/subcontracts for commercial items.  The clause required contractors and subcontractors to report "cyber incidents" that affect Unclassified Controlled Technical Information (UCTI) and to provide "adequate security" to safeguard UCTI from compromise.

DoD has now instructed contracting officers to include an expanded cybersecurity DFARS clause, Safeguarding Covered Defense Information and Cyber Incident Report, in all solicitations and contracts, including those for the acquisition of commercial items.  DFARS 204.7304(c).  In addition, prime contractors must include the clause in all subcontracts, including those for commercial items.  DFARS 252.204-7012(m).  There are no exemptions for small business.  In short, the clause will continue to apply to most federal prime contracts and subcontracts.

In addition, the scope of the new clause is broad.  Under the old clause, contractors had safeguarding obligations whenever they had "unclassified controlled technical information" on, or "transiting through," their information systems.  DFARS 252.204-7012(b)(1) (NOV 2013).  Limiting the clause to UCTI was significant because UCTI is defined as "technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination."  DFARS 252.204-7012(a).  In addition, UCTI had to be marked to fall within the clause's protection.  DFARS 252.204-7012(a) (NOV 2013).  The UCTI and marking requirements established a relatively simple bright-line test for determining when the clause applied. 

The new clause, on the other hand, dispenses with the marking requirement and encompasses a broad range of data called "covered defense information."  This includes controlled technical information, "critical information (operations security)," "export control" information, and "[a]ny other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information)."  DFARS 252.204-7012(a).  The old clause apparently applied only to information that DoD transmitted to the contractor.  The new clause also applies to information that is "[c]ollected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract."  Id.  Contractors, then, must protect their own and third-party information in support of contract performance at the same level as DoD-received information.

In addition, "export control" information under the new clause includes items such as data in license applications and information "whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives."  DFARS 252.204-7012(a).      

In short, the information subject to the new rule is broad and unclear.  The information also does not need to be marked for the requirements of the clause to apply.  So much for bright lines.

Cybersecurity Obligations

The interim rule includes a number of obligations related to data security, data reporting and cloud computing:  

Data Security.  The security standard that applies under the new clause is National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  SP 800-53 applied under the former clause.  SP 800-171 establishes 14 security areas, each of which establishes the minimum level of information security a contractor should have to adequately safeguard covered information.  These requirement areas are more extensive than those of SP 800-53.  For example, SP 800-171 includes a Personnel Security requirement that is not in the SP 800-53 standard.

As under the old clause, contractors may provide written explanation to the contracting officer justifying deviations from the NIST elements.  The contractors, however, are to propose these deviations before any award is made.

Data Reporting.  The interim rule expands reporting requirements.  Like the old rule, contractors [1] must report to DoD any cyber incidents that affect "controlled technical information."  DFARS 252.204-7012(a).  Under the interim rule, however, contractors also must investigate and report cyber incidents involving three additional areas of information: "critical information (operations security),"[2] "export control,"[3] and any cyber incident that affects the contractor's ability to perform "operationally critical support"[4] functions of a contract.  DFARS 252.204-7012(a). 

When an incident occurs, the contractor must, among other things, conduct a review for evidence of a compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data and user accounts.  The review must include analyzing covered contractor information systems that were part of the cyber incident.  The review also must include other information systems on the contractor's networks "in order to identify compromised covered defense information or [information] that affect[s] the contractor's ability to provide operationally critical support."  DFARS 252.204-7012(c)(1). 

The contractor must "rapidly report" cyber incidents within 72 hours of discovery.  The report must address all of the elements (to the extent known within the 72-hour period) listed at the DoD-DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal.  These elements include the following:

  • Contracting officer and program manager points of contact
  • Impact to covered defense information
  • Ability to provide operationally critical support
  • Date incident discovered
  • Locations of compromise
  • DoD programs, platforms or systems involved
  • Type of compromise
  • Description of technique or method used in cyber incident
  • Incident outcome
  • Incident/compromise narrative

Cloud Computing.  The interim rule establishes two clauses related to cloud computing services: DFARS 252.239-7009, Representation of the Use of Cloud Computing, and DFARS 252.239-7010, Cloud Computing Services.  These clauses require that contractors do three key things:  (1) restrict access to government data; (2) house all government data in the United States unless otherwise authorized in writing; and (3) implement the administrative, technical and physical safeguards and controls outlined in DISA's Cloud Computing Security Requirements Guide.

In addition, DFARS 252.239-7010 requires that contractors report cyber incidents related to cloud services employed in performing the contract.

Recommendations for Meeting Obligations and Reducing Compliance Risk

There are numerous actions that contractors and subcontractors can take to meet their obligations and reduce their compliance risk under the interim cybersecurity rule.  Here are some of them:

  1. Contractors should familiarize themselves with the reporting requirements set forth at the cyber incident reporting portal.  Subcontractors should do the same and also be prepared to report incidents to prime contractors.
  2. Contractors must plan in advance to take advantage of certain flexibility in the new clause.  Again, under the prior version of the clause, contractors could, during contract performance, provide written explanation justifying deviations from the NIST elements.  The interim rule states that such justification must now be provided before an award.  
  3. As discussed, the scope of information covered under the new clause is less than clear.  Contractors should work with their contracting officers to better define the type of information that is covered under a given contract.
  4. Contractors should consider the possibility that the government may disclose to third parties the information provided by the contractor in a cyber incident report.  The interim rule allows DoD to disclose a contractor's reported information in a variety of circumstances, such as for national security purposes and "to entities with missions that may be affected by such information."  DFARS 252.204-7012(i)(1).

Given the government’s interest in cybersecurity, there will be future government rules regarding this issue.  In addition, at some point, government enforcement of these requirements will begin to gain traction.


ENDNOTES

[1] These reporting requirements also generally apply to subcontractors that have accepted the prime contractor's flowed-down version of DFARS 252.204-7012.  We generally refer to both contractors and subcontractors as "contractors."

[2] "Critical information (operations security)" means "[s]pecific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process)."  DFARS 252.204-7012(a). 

[3] "Export control" includes "[u]nclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives" and "[a]ny other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information)."  DFARS 252.204-7012(a). 

[4] "Operationally critical support" means "supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation."  DFARS 252.204-7012(a). 

© 2015 Perkins Coie LLP
