Contractors must act now to address the Department of Defense's (DoD's) interim rule on Network Penetration Reporting and Contracting for Cloud Services. The rule incorporates many new Defense Federal Acquisition Regulation Supplement (DFARS) clauses into all DoD contracts. The interim rule has immediate effect,1 so any government contractor, subcontractor, or supplier should take these five immediate steps to demonstrate compliance with the new requirements:
- Register with the DoD to obtain a mandatory Medium Assurance Certificate.
Any contractor or subcontractor reporting a cyber incident under the DFARS must have a certificate in order to make its report.2 Act now to register for a certificate so you can rapidly report cyber incidents within the limited 72-hour window.
- Identify and mark all Attributional/Proprietary Information.
The DoD states in its interim rule that it will try to minimize the disclosure of any attributional/proprietary information included in a cyber incident report that could identify a contractor or its commercially sensitive information. Contractors and subcontractors should therefore identify and mark any such information now in order to prepare for a cyber incident disclosure.
- Consider Employee Nondisclosure Agreements.
Support services contractors that assist agencies in managing and responding to cyber incident reports must prohibit their employees from disclosing any information included in the reports. These contractors should develop and enter into NDAs with their employees to prepare to perform cyber incident response-related services.
- Flow down and incorporate the new DFARS clauses.
The new DFARS clauses must be incorporated into subcontracts, even commercial item subcontracts and small business subcontracts. Contractors should start incorporating the flow-down provisions into their subcontract templates and teaming agreements to prepare to demonstrate compliance with the new DFARS clauses.
- Monitor existing contract and task orders.
Customers may modify existing contracts and task orders to incorporate the new DFARS clauses. Contractors and subcontractors should monitor all modifications to be sure of the new requirements that are being imposed upon them.
The new DFARS clauses are wide-reaching, and apply to commercial item contractors, small businesses, and their subcontractors. The analysis below gives details of the many areas of compliance that all contractors must demonstrate.
The DFARS interim rule addresses two high-level issues: 1) contractor safeguarding of covered defense information (CDI) and reporting of network penetrations, and 2) DoD policy for the purchasing of cloud computing services.
Safeguarding CDI and Reporting Network Penetrations
New Safeguarding and Reporting Clause
DoD has renamed DFARS 252.204-7012 to "Safeguarding Covered Defense Information and Cyber Incident Reporting." The clause, which formerly focused on unclassified controlled technical information, now requires the safeguarding of the much broader range of covered defense information and obligates contractors to report, within 72 hours, any cyber incident that involves CDI or that could affect operationally critical support.
CDI: A Broad Term Covering Nearly All DoD Unclassified Information
The interim rule applies to a wide range of unclassified information falling under the definition of CDI. Generally, CDI includes unclassified information that is provided to a contractor by or on behalf of the DoD in connection with performance of a contract, or information that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance. If any of the information falls into the following categories summarized below, it is CDI:
- Controlled Technical Information: Technical information with a military or space application that is subject to controls including but not limited to access, use, reproduction, and disclosure.3
- Critical Information: Information identified in the operations security process that is vitally needed by adversaries.
- Export Control: Information concerning items, technology, software, or information whose export could reasonably be expected to adversely affect national security and nonproliferation objectives.
- Other Restricted Information: Information, marked or otherwise identified in the contract, requiring safeguard or dissemination controls.
Applies to Covered Contractor Information Systems
Contractors are required to provide adequate security for CDI on all covered contractor information systems, defined as systems owned, or operated by or for, a contractor that processes, stores, or transmits CDI.
The DoD prescribes different safeguarding requirements, depending on the contractor's system and access.
- Covered contractor information systems that are part of an IT service or system operated on behalf of the government:
  - For cloud computing services, the contractor must comply with the new DFARS clause 252.239-7010, Cloud Computing Services;
  - For any non-cloud-computing-related IT service or system, other contract requirements apply.
- Covered contractor information systems that are not part of an IT service or system operated on behalf of the government:
  - Under the interim rule, contractors must safeguard CDI by using the security controls under NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST SP 800-171 was issued shortly before the interim rule, and provides a set of security controls for the contractor to apply in safeguarding CDI. This replaces the specific security controls under NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, that DoD prescribed under its predecessor rule. DoD also allows contractors, under DFARS 252.204-7008, to propose alternative, equally effective security measures to protect CDI in order to compensate for an inability to satisfy a requirement under the clause; contractors may also explain why a particular safeguarding requirement is not applicable in their case. Any proposed deviation from the safeguarding requirements must be approved, prior to award, by a representative of the DoD CIO.
72-Hour Cyber Incident Reporting
If a contractor discovers a cyber incident, it must investigate and report the incident to the contracting officer within 72 hours.
- Cyber Incident Discovery
A cyber incident is any action taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. A contractor must investigate any cyber incident that affects: (i) a covered contractor information system or any CDI residing in that system; or (ii) the contractor's ability to perform any parts of a contract designated as operationally critical support.4
- Cyber Incident Review for Compromise
Upon discovering a cyber incident, the contractor must conduct a review, seeking evidence of a compromise of covered defense information. A compromise includes the disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media, may have occurred. The review may include:
  - Identifying compromised computers, servers, specific data, and user accounts;
  - Analyzing covered contractor information systems that were part of the cyber incident;
  - Analyzing other information systems in the contractor's network that may have been accessed as a result of the incident;
  - Identifying all compromised CDI, and any details that may affect the contractor's ability to provide operationally critical support.
- Cyber Incident Rapid Reporting
Within 72 hours of the discovery, the contractor must rapidly report a cyber incident to the DoD.
- Mandatory Medium Assurance Certificate Requirement: To report a cyber incident a contractor must have a DoD-Approved Medium Assurance Certificate.
Additional Post-Reporting Obligations
The DoD clarifies that a contractor's obligations do not stop at a report. Additional steps and coordination must be followed under the clause.
- Reporting Malicious Software
A contractor or subcontractor may discover and isolate malicious software in its cyber incident review. In this case the contractor must submit the malicious software per the instructions of the contracting officer.
- 90-Day Image Protection, Forensic Analysis, and Damage Assessment
For 90 days after reporting the cyber incident, the contractor must preserve and protect images of all known information systems affected by the cyber incident. The contractor must also provide the DoD with access to additional information or equipment necessary to conduct a forensic analysis. The contractor may also be obligated to provide the DoD any information related to a cyber incident damage assessment based on information preserved by the contractor.
- Protect Attributional/Proprietary Contractor Information
In some instances, the DoD will release information contained in the contractor's cyber incident report to: (i) entities affected by the information; (ii) entities that may assist in diagnosis, detection, or mitigation of the cyber incident; (iii) law enforcement or counterintelligence entities; (iv) Defense Industrial Base (DIB) participants; and (v) support services contractors. Therefore, the contractor must identify and mark any attributional or proprietary information (i.e., information that identifies the contractor or its trade secrets and other commercially sensitive information) included in its cyber incident report. The government will use the markings to minimize the release of the contractor's information.
Subcontractor Rapid Reporting Obligations are Flowed Down
The clause must be flowed down to subcontractors (and lower-tier subcontractors as necessary). Regardless of their place in the reporting chain, each subcontractor must rapidly report cyber incidents to the DoD within 72 hours, and to the prime contractor. Though subcontractors must also report their DoD-assigned incident report numbers to their higher-tier subcontractors, nothing in the rule obligates subcontractors to include any contractor other than the prime contractor among the recipients of a cyber incident report.
Third-Party Information Protection
A key feature of the new rule is its applicability to contractors that assist the DoD in handling cyber incidents, and therefore receive the cyber incident reports (Recipient Contractors). Under a new DFARS clause 252.204-7009, Limitations on the Use and Disclosure of Third-Party Contractor Reported Cyber Incident Information, if a contractor (the Reporting Contractor) reports a cyber incident, any Recipient Contractor (or its subcontractor) that assists the DoD in handling the cyber incident and either has access to the report or develops information based on the report must protect the report against any further disclosure. The Recipient Contractor must not only protect the reported information, it must also ensure that its employees are subject to nondisclosure obligations before they can access the reported information. The Reporting Contractor is a third-party beneficiary under DFARS clause 252.204-7009. Any Recipient Contractor breaching its obligations is subject to multiple penalties, including criminal, civil, administrative, or contractual actions by the United States and civil actions and other remedies from the Reporting Contractor.
Purchasing Cloud Computing Services
Representation of the Use of Cloud Services
DoD in its interim rule added DFARS clause 252.239-7009, Representation of Use of Cloud Computing, to allow contractors to represent whether they intend to use cloud computing services in performance of the contract. Whether a contractor uses cloud computing services may determine the degree of burden the contractor must bear for securing CDI.
Use of Cloud Computing Services
The DoD also added DFARS clause 252.239-7010, Cloud Computing Services, to address the security requirements applicable to contractors providing cloud computing services. The clause addresses access, security, and reporting requirements, and applies to all solicitations for information technology services, including commercial item solicitations.
Any contractor using cloud computing services under a DoD contract must implement and maintain administrative, technical, and physical safeguards and controls as required in the Cloud Computing Security Requirements Guide (SRG) effective at the time the Solicitation is issued.
Under the clause, the contractor must maintain within the U.S. or outlying areas all government data not located on DoD premises, unless the contracting officer provides written instructions to use another location.
Access and Disclosure Limitation of Government Data and Government-Related Data
The cloud computing services clause applies restrictions on access to, use of, and disclosure of government data, defined generally as information created or obtained by the government in the course of official business. The clause also imposes similar restrictions on government-related data, defined generally as information created or obtained by a contractor through storage, processing, or communication of government data. The term does not include contractor business records or any other data (e.g., operating procedures, software coding, or algorithms) not uniquely applied to the government data. A contractor is restricted to using government data and government-related data only for the purposes specified in the relevant contract, task, or delivery order. In addition, the contractor must impose access, use, and disclosure obligations on its employees.
Cyber Incident Reporting
As with the new DFARS 252.204-7012, a contractor providing cloud computing services must report all cyber incidents related to the cloud computing services provided under the contract to the DoD.
Malicious Software, Media Preservation and Protection, Forensic Analysis, and Damage Assessments
A contractor providing cloud computing services that reports a cyber incident must adhere to the same requirements under DFARS 252.204-7012 with regard to:
- Furnishing malicious software as instructed by the contracting officer;
- Preserving and protecting images of all known affected information systems for 90 days after the report;
- Granting the DoD access to information and equipment for forensic analysis; and
- Providing damage assessment information.
Records Management and Facility Access
A cloud computing service contractor is under certain information-handling restrictions. Government data and government-related data must be transmitted to the contracting officer and, at contract closeout, disposed of, in accordance with contract requirements. In addition, in the course of audits, investigations, inspections, or other activities, the contractor must grant the government (or authorized representatives) access to:
- Government data and government-related data;
- Contractor personnel;
- Contractor facilities with government data.
Third Party Access
The contractor must notify the government of any third-party requests for access to government data or government-related data, including warrants, seizures, or subpoenas. If such a request is made, the contractor is required to take all measures necessary to protect against unauthorized disclosure of the data.
In addition to cyber incidents, cloud computing contractors must report spillage, defined as an incident that results in the transfer of classified or controlled unclassified information onto an information system not accredited for the appropriate security level. Either the contractor or the government may detect spillage. Upon notification of a spillage, the contractor must cooperate with the contracting officer to address the spillage.
As with the other requirements of the DoD's interim rule, a prime contractor must flow down the requirements under DFARS 252.239-7010 in all subcontracts that involve or may involve cloud services, including subcontracts for commercial items.