On August 26, 2015 DoD issued an interim rule effective immediately amending the DFARS to implement sections of the 2013 and 2015 National Defense Authorization Acts, which require contractor reporting on network penetrations. The interim rule is important to DoD contractors because it requires new cybersecurity safeguards and sets forth enlarged breach reporting obligations. In addition, the rule implements DoD policy on the purchase of cloud computing services.
In practical effect, the network penetration portions of this rule are the successors to a December 2013 DFARS final rule entitled Safeguarding Unclassified Controlled Technical Information, which called for contractors to implement certain NIST standards on their computer networks and quickly report certain hacking-type incidents to DoD. The new rule is more extensive and requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing in the system, or on a contractor’s ability to provide operationally critical support. The interim rule contains a significant flow-down obligation that extends to all tiers (including commercial item subcontractors) and thus has broad applicability throughout the defense supply chain.
Comments on the interim rule are due by October 26, 2015.
Network Penetration Reporting
Pursuant to the new rule, DFARS subpart 204.73 is modified to expand safeguarding and reporting policy to require protection of covered defense information. Covered defense information includes controlled technical information, export controlled information, critical information and other information requiring protection by law, regulation or Government-wide policy.
Definitions for each subcategory of information are set forth in the rule. Controlled technical information is essentially the same as unclassified controlled technical information as defined by the 2013 rule, i.e., military or space-related technical information that is subject to certain access or use controls by DoD directives. Export controlled information covers information subject to the Export Administration Regulations and the International Traffic in Arms Regulations, as well as export license applications. The definition of export controlled information is not a model of clarity, however, because the export controlled information apparently needs to be controlled for national security and nonproliferation reasons, which might be interpreted to mean that certain EAR-controlled information (which can be controlled for reasons not directly related to national security or nonproliferation) should be beyond the scope of the rule. But making that determination can be difficult, and contractors may need to bring experienced export control personnel into this process. Critical information is also defined imprecisely and covers specific facts identified through the Operations Security process (a term which is undefined in the rule) about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment. The catch-all category of other information has the potential to be broadly interpreted and covers a range of proprietary, privacy or similar information. The new rule also does not require that the information be marked by the US government in order to be covered.
The rule contains companion DFARS contract clauses. The rule renames the existing clause at 252.204-7012 to read “Safeguarding Covered Defense Information and Cyber Incident Reporting.” As its new name suggests, the scope of the clause is expanded to cover the safeguarding of covered defense information and to require contractors to report cyber incidents involving systems housing covered defense information, as well as any cyber incident that may affect the ability to provide operationally critical support. Given the breadth of the information covered by the clause, and that many (if not most) defense contractors may have some of this information on their systems, the rule has potentially wide-ranging impact.
With respect to reporting, the December 2013 rule required prime contractors to report to DoD, and subcontractors in turn to report to their primes. The new rule, however, requires lower tier entities to report both up the supply chain to the entity with which they have a contract and directly to DoD via http://dibnet.dod.mil. As in the prior rule, reporting is required within 72 hours, but the new rule simply references a DoD website rather than specifying precisely what needs to be reported, thus allowing DoD some future flexibility as to what it may request on the reporting form. The new rule also requires the submission to DoD of any malicious software associated with the incident, if the software can be isolated.
The prior rule required contractors to implement certain security controls called for by NIST 800-53 or to justify alternatives to the Contracting Officer. Under the new rule, NIST 800-53 has been replaced by NIST 800-171, entitled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” NIST SP 800-171 is a publication specifically tailored for protecting sensitive information residing in contractor information systems; it refines the requirements from Federal Information Processing Standard (FIPS) 200 and the controls from NIST SP 800-53 and presents them in an easier-to-use format.
The rule also contains a new provision at 252.204-7008, which ensures that offerors are aware of the requirements of clause 252.204-7012 and provides a process for explaining how alternative but equally effective security measures can compensate for the inability to satisfy a particular requirement of NIST SP 800-171, or why a particular requirement is not applicable.
Finally, the rule contains a clause 252.204-7009, Limitations on the Use and Disclosure of Third-Party Contractor Reported Cyber Incident Information, which is added to protect information submitted to DoD in response to a cyber incident. This provision was added because of concerns that sensitive contractor information would need to be accessed by support contractors in the course of assisting the government in administering the rule.
The interim rule will require careful assessment by contractors and subcontractors. Although the rule contains a fair degree of definitional nuance, in practical effect many contractors are likely to have some covered information and thus should be prepared to report under the rule. Contractors should consider developing appropriate mechanisms for identifying and reporting incidents to DoD, and should also consider how to manage these issues in their supply chain, protect proprietary information, and manage any collateral issues associated with reporting, such as whether disclosures may also need to be made in parallel to export control agencies. They should also study the new NIST standards carefully.
Cloud Computing Services
The rule specifies that DoD shall acquire cloud computing services using commercial terms and conditions that are consistent with Federal law and an agency’s needs, including the requirements specified in the rule. The rule notes that some examples of commercial terms and conditions are license agreements, End User License Agreements (EULAs), Terms of Service (TOS), and other similar legal instruments and agreements. It further notes that contracting officers shall incorporate any applicable service provider terms and conditions into the contract by attachment or other appropriate mechanism.
It goes on to note that the contracting officer shall only award a contract to acquire cloud computing services from any cloud provider (e.g., contractor or subcontractor, regardless of tier) that has been granted provisional authorization by DISA, at the level appropriate to the requirement, to provide the relevant cloud computing services in accordance with the Cloud Computing Security Requirements Guide (SRG). It notes that provisional authorization processes are also available at the SRG website.
Notably, cloud computing service providers are required to maintain within the 50 states, the District of Columbia, or outlying areas of the US, all “Government data” (defined as “any information, document, media, or machine readable material regardless of physical form or characteristics, that is created or obtained by the Government in the course of official Government business”) that is not physically located on DoD premises unless otherwise authorized.
The rule contains a new solicitation provision at 252.239-7009, Representation of Use of Cloud Computing, which requires the offeror to represent whether it does or does not “anticipate” that cloud computing services will be used in performance of any resulting contract or subcontract.
The rule also contains a new clause at 252.239-7010, Cloud Computing Services, to provide standard contractor language for the acquisition of cloud computing services, including limitations on access to, use of and disclosure of Government data and “Government related data,” and security and reporting requirements. The reporting requirements are similar to those contained in the network penetration portion of the rule discussed above. The clause is required to be included in all subcontracts that “involve or may involve cloud services, including contracts for commercial items.”
This interim rule reflects work by DoD to establish a single reporting mechanism for DoD contractor reporting of cyber incidents on unclassified information systems. The DoD goal is to streamline the reporting process for DoD contractors and minimize duplicative reporting processes. The issues addressed by this interim rule go beyond DoD, and contractors should be aware that these procedures and requirements may be adopted by other agencies in the future.