For businesses that work with the U.S. Department of Defense (“DoD”), two important rules for safeguarding certain categories of sensitive information and reporting cyber incidents were recently finalized, updating the interim rules promulgated in late 2015. The first rule amends the Defense Federal Acquisition Regulation Supplement (“DFARS Rule”) and went into effect on October 21, 2016. The second rule modifies the previously voluntary DoD cybersecurity information-sharing program in connection with the Defense Industrial Base (“DIB Rule”) and went into effect on November 3, 2016.
We previously explained the changes brought about by the interim rules. Here, we explain what changed after the rules’ comment periods, and provide suggestions for compliance.
The new DFARS Rule amends the interim rule published in August 2015, implementing a number of important changes:
- First, contractors must provide adequate security for all “covered defense information” (CDI) on “all covered contractor information systems that support the performance of work under the contract.” Revising the interim rule, the final rule narrows the definition of CDI to mean unclassified controlled technical information or other information as described in the National Archives and Records Administration’s Controlled Unclassified Information Registry. Moreover, to qualify as CDI, information must somehow be identified and provided to the contractor by the government or “collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract.” For covered contractor information systems not operated on behalf of the government, the standard defining adequate security is generally the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171.
- Second, the DFARS Rule updated certain reporting and other requirements, notably maintaining the requirement that contractors report cyber incidents to DoD within 72 hours. After the initial report, the interim rule contemplated that the government and a contractor may share additional information, such as forensic analyses, mitigation steps, and remediation actions.
- Third, if a contractor uses an external cloud service provider to store, process or transmit any CDI in performance of a contract, the contractor must require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (“FedRAMP”) moderate baseline and must comply with certain DFARS 252.204-7012 requirements, including the reporting requirement.
- Fourth, contractors that make use of cloud computing in providing information technology services to DoD must implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required by DoD’s Cloud Computing Security Requirements Guide.
- Lastly, the DFARS Rule clarifies that the flow-down requirement only applies when the subcontract is for operationally critical support or when performance of the subcontract involves CDI.
The final DIB Rule amends the October 2015 interim DIB Cybersecurity Activities regulation. The interim DIB Rule made two important changes, and the final rule adds two further clarifications.
- First, the DIB Rule mandates cyber incident reporting for DIB agreement holders, which was previously voluntary.
- Second, under the DIB Rule the eligibility criteria for DoD’s voluntary cybersecurity information-sharing program now allow participation by a greater range of agreement holders.
- Third, DoD makes clear in the final version of the rule that it covers activity associated with all types of private sector agreements with DoD: “contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement.”
- Lastly, similar to the DFARS rule, the DIB Rule uses the new definition of CDI outlined above, and clarifies that these requirements must be flowed down to “subcontractors that are providing operationally critical support or for which subcontract performance will involve a covered contractor information system.” Although DoD has defined operationally critical support, the broad definition is somewhat cumbersome and the Department has advised that it is developing procedures to notify contractors when they are providing goods or services that meet the definition. For now, contractors are encouraged to seek clarification on this issue from their contacts within DoD.
What Should You Do?
- Contractors should review their cyber incident response plan to ensure that it includes an incident reporting protocol and a process for identifying the facts necessary to determine whether such a reporting obligation exists. If it is not already, the plan should be widely disseminated among both IT professionals and management personnel.
- As part of all negotiations with DoD, contractors should inquire whether the agreement will cover goods or services that are operationally critical.
- Contractors should begin planning how to incorporate these requirements into future subcontracts subject to the rule.
- If eligible, contractors should seriously consider participating in the DoD-DIB Cybersecurity Information Sharing program. The program facilitates information-sharing about cyber threats and incident reporting and will assist in identifying adversarial activity that is targeting DIB participants. This is not only helpful for compliance with the DIB Rule and the DFARS Rule, but it also qualifies as a generally good cybersecurity practice, and is strongly encouraged by a number of state and federal regulatory authorities.
- Cloud service providers who provide services to government contractors should conduct regular assessments against FedRAMP to ensure that they are complying with its requirements.