The U.S. Department of Defense issued final rulemaking on November 18, 2013 that will require DOD contractors to protect from attack confidential technical information on their computer systems, and to report and cooperate with DOD in the event that this information is compromised through a cyberattack. The rules come nearly two years after draft rules were first announced and in the midst of continuing public concern about the threat of state-sponsored trade secrets theft.
The final rules amend the “Defense Federal Acquisition Supplement” (“DFARS”) — a DOD supplement to the regulations federal agencies must follow for acquiring supplies and services. The DFARS apply to all “DOD government acquisition officials — and those contractors doing business with DOD — must follow in the procurement process for goods and services.” Going forward, it is now a requirement for DOD contracts that:
“DOD and its contractors and subcontractors will provide adequate security to safeguard unclassified controlled technical information on their unclassified information systems from unauthorized access and disclosure.” 78 Fed. Reg. at 69,280; 48 C.F.R. § 204.7302(a).
Notably, the definition of “controlled technical information” does not specifically state that such information must belong to DOD, unlike the draft rule that explicitly covered DOD information. This suggests that DOD contractors may also have to protect their own trade secrets with the same level of vigor or risk losing their defense contracts.
The rules specifically target “unclassified controlled technical information,” which is defined as “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” This definition does not cover information that is lawfully publicly available, but it nonetheless has a broad reach.
In a press release, Undersecretary of Defense for Acquisition, Technology and Logistics Frank Kendall gave some background on the impetus for the new rules:
Protection of technical information is a high priority for the department and is critical to preserving the intellectual property and competitive capabilities of our national industrial base. This information, while unclassified, is comprised of data concerning defense systems requirements, concepts of operations, technologies, designs, engineering, production and manufacturing capabilities.
The new rules require contractors and subcontractors to maintain “adequate security,” which imposes the following duties:
- IT Security. Under the rule, contractors must provide “adequate security,” meaning “protective measures commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” At a minimum, this requires that the contractor “implement information systems security in its project, enterprise or company-wide unclassified information technology system(s)” that may have the “controlled technical information.” The rules require IT security to meet certain standards promulgated by the NIST in SP 800-53, unless inapplicable or if the contractor can demonstrate it has systems providing “equivalent protection.” This security requirement is in addition to any other security measures required by federal or DOD regulations.
- Mandatory Reporting. In case of a “cyber incident” involving possible “exfiltration, disclosure, manipulation, or other loss or compromise of any unclassified controlled technical information” or other incident “that allows unauthorized access to the Contractor’s unclassified information system,” a contractor must notify DOD within 72 hours and provide details on the incident. Subsequently, the contractor is required to assist DOD in assessing the incident’s damages. DOD will keep the information about reported incidents confidential, unless that information is lawfully publicly available.
- Subcontractors. The new rules require that contractors place reporting and security requirements in their contracts with contractors/subcontractors. In addition, the rules apply to cloud applications and ISPs used by contractors, meaning that contractors are required to make sure that their ISP and cloud providers are also in compliance.
Very likely, the new rules will create significant compliance issues for at least some DOD contractors and could result in winnowing the field of contractors and subcontractors that are available for future DOD projects. Companies with robust IT security and reporting procedures stand to benefit as they can point to these measures as a way to stand out in the always competitive race for lucrative defense contracts.