The Department of Defense (DoD) has released an interim rule on cybersecurity that significantly increases cybersecurity requirements for all DoD contractors. The interim rule, published in the Federal Register on Wednesday, August 26, 2015, available here, applies to all DoD contractors (including small businesses and commercial item contractors) as well as subcontractors at all tiers. Due to “urgent and compelling reasons,” including recent high-profile breaches of government information systems, the rule was issued without an opportunity for public comment and is effective immediately.[1]
This is Part One of a series. This first part addresses the new rules applicable to safeguarding covered defense information and reporting cyber incidents. The new DoD cloud computing requirements imposed by this interim rule will be addressed in a later article as part of a comprehensive look at changes in DoD cloud computing.
The interim rule, which includes revisions to the Defense Federal Acquisition Regulation Supplement (DFARS), provides for the following substantive changes to prior DFARS cybersecurity requirements applicable to DoD contractors:
- The former DFARS subpart 204.73, Safeguarding Unclassified Controlled Technical Information (the “UCTI rule”), is now retitled Safeguarding Covered Defense Information and Cyber Incident Reporting. See our post on the UCTI rule here. This revised subpart includes expanded safeguarding and incident reporting requirements for the protection of “covered defense information,” a new category of information that includes “controlled technical information,” “critical information (operations security),” “export control,” and other information that is marked or otherwise identified in a contract that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and governmentwide policies (e.g., privacy, proprietary business information).
- The term “cyber incident” is removed from the definitions section of DFARS subpart 204.73 and is now defined at subpart 202.1. The terms “compromise” and “media” have also been added to subpart 202.1. The placement of these definitions in subpart 202.1 will ensure consistency across all DoD cybersecurity regulations.
- The former DFARS UCTI contract clause at 252.204-7012 is revised and significantly expanded to address the protection and reporting of cyber incidents affecting the new category of “covered defense information” and cyber incidents affecting a “contractor’s ability to provide operationally critical support.”
- The interim rule adds DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, which is intended to make offerors aware of the requirements of DFARS clause 252.204-7012, including the use of security standards found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, while also allowing offerors an opportunity to explain to DoD prior to contract award: (i) how an offeror’s proposed alternative security measures can compensate for the inability to satisfy a particular security standard; or (ii) why a particular security standard is not applicable.
- The interim rule adds DFARS 252.204-7009, Limitations on the Use and Disclosure of Third-Party Contractor Reported Cyber Incident Information, which aims to protect contractor information submitted to DoD in a cyber incident report.
- DFARS subpart 239.76, Cloud Computing, is a new subpart added to implement policy for the acquisition of cloud computing services, with accompanying contract clauses DFARS 252.239-7009, Representation of Use of Cloud Computing (which requires the offeror to indicate whether it intends to use cloud computing services in performance of the contract), and DFARS 252.239-7010, Cloud Computing Services (which provides standard contract language for the acquisition of cloud computing services, including access, security, and reporting requirements).
The interim rule, which is effective immediately, presents a number of key issues and challenges. These include:
- The rule does not reconcile its requirements with those imposed on defense contractors that are also subject to the requirements imposed by section 325 of the Intelligence Authorization Act of FY 2014.
- Whereas the prior DFARS UCTI clause applied to unclassified controlled technical information, the new clause applies to a broader category of information called “covered defense information” which includes export controlled information.
- The interim rule removes the UCTI clause’s detailed chart of security controls drawn from NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and instead replaces them with a general reference to the security families from NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, recently issued on June 18, 2015.[2]
- The scope of reportable cyber incidents has been significantly broadened from the UCTI rule.
- In the wake of a cyber incident, subcontractors are now explicitly required to report “up the chain” to the ultimate prime contractor and also to report directly to DoD.
- In addition to revisions of the existing UCTI clause, the rule adds new clauses for those contractors that are supporting and protecting the cyber incident report information submitted to DoD.
1. Relationship to Section 325 of the Intelligence Authorization Act for FY 2014
The preamble to the interim rule states that the DFARS is being revised to implement both section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013[3] and section 1632 of the NDAA for FY 2015.[4] See our previous review of section 941 here. The rule makes no mention, however, of similar cyber incident reporting procedures for cleared intelligence contractors set out in section 325 of the Intelligence Authorization Act for FY 2014.[5] Section 325 instructed the Director of National Intelligence and the Secretary of Defense to coordinate and establish procedures to permit contractors that qualify as both cleared intelligence contractors under section 325 and cleared defense contractors under section 941 of the NDAA for FY 2013 to submit a single report that satisfies both intelligence and defense requirements for cyber incidents.[6] Consequently, contractors should expect further pronouncements on cyber incident reporting for companies that are covered by both the interim rule and the Intelligence Authorization Act requirements. See our previous Alert on the Intelligence Authorization Act here.
2. “Covered Defense Information”
Whereas the prior UCTI clause applied only to unclassified controlled technical information, under the interim rule contractors must provide adequate security for all “covered defense information” on all covered contractor information systems. “Covered defense information” is unclassified information either (i) provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or (ii) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and falls in any of the following categories:
- controlled technical information;
- critical information related to operations security;
- export controlled information; or
- any other information, marked or otherwise identified, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and governmentwide policies (e.g., privacy, proprietary business information).
The interim rule’s revised definition of “controlled technical information” no longer includes a marking requirement. The UCTI rule required contractors to safeguard unclassified controlled technical information that was marked with a restrictive distribution legend pursuant to DoD Instruction 5230.24 Distribution Statements on Technical Documents. The interim rule now requires contractors to safeguard controlled technical information that “would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth” in the instruction. This seemingly puts the burden on contractors to identify and safeguard this subset of information even if it has not been properly marked.
The interim rule’s definition of “export control” is quite broad and does not explicitly exclude publicly available information or fundamental research. “Export control” is limited to the export of a wide variety of items “whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives,” but the interim rule does not provide guidance on how the public should interpret this limitation. The definition of “export control” is drafted in an unclear and overbroad fashion, stating “dual use items; items identified in export administration regulations, international traffic in arms regulations, and munitions list; license applications; and sensitive nuclear technology information.” The interim rule includes imprecise terms like “license applications”, provides no citations to the U.S. export control regulations to which it appears to be referring (e.g., 22 C.F.R. Parts 120-130), and also does not use capital letters when referring to the U.S. Munitions List.[7]
Finally, the interim rule includes a new “catch all” provision requiring the safeguarding of other information “marked or otherwise identified in the contract.” The language used in the “catch-all” may contemplate coverage of Controlled Unclassified Information (CUI), a term that pertains to the National Archives and Records Administration’s (NARA’s) recent proposed rule on CUI.[8] NARA’s proposed rule defines CUI as “information that laws, regulations, or government-wide policies require to have safeguarding or dissemination controls, excluding classified information.”[9] It is unclear why DoD declined to use the term “CUI” in the interim rule, particularly when it references the security protections of NIST SP 800-171, which specifically applies to CUI on contractor information systems.[10] The DFARS catch-all provision for “any other information” may conflict with the NARA CUI proposed rule to the extent that the DFARS rule requires coverage of information that is not identified on the NARA CUI Registry.[11] The NARA proposed rule will require all CUI to be appropriately marked according to the marking requirements in the CUI Registry, whereas the DFARS interim rule does not explicitly identify its subcategory of “any other information” as “CUI.” These two rules are not totally consistent and will likely need to be reconciled through further rulemaking.
Notably, whereas the UCTI clause applied only to information received from DoD, the interim rule now clearly applies to information that is “collected, developed, received, used, or stored by or on behalf of the contractor in support of the performance of the contract.” This definition appears to represent a significant expansion of the scope of information that is subject to these security requirements because it captures not only information supplied by DoD or generated under a DoD contract but also information developed independently of any DoD contract if such information is being used “in support of the performance of the contract.” Accordingly, the new rule appears to require contractors to protect their own proprietary technical data at the same level of DoD-originated data whenever that data is being used in support of a DoD contract. Contractors should also carefully consider information they receive, either from DoD or from other contractors, that is not clearly marked or otherwise identified, as it may fall under these categories of “covered defense information.”
3. Application of NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (June 2015)
The UCTI rule included a chart with 51 baseline security standards from NIST 800-53 that contractors were required to use for safeguarding unclassified controlled technical information. The interim rule removes the NIST 800-53 baseline and instead refers to NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.[12] NIST SP 800-171 refines the requirements from Federal Information Processing Standard (FIPS) 200 and the security controls from NIST SP 800-53 and presents them in a simpler format. By replacing the chart of applicable SP 800-53 controls in the UCTI rule with a general reference to NIST SP 800-171, DoD claims in the rulemaking that this will “[reduce] the burden placed on the contractor by eliminating federal-centric processes and requirements currently embedded in NIST SP 800-53.” For example, a task analysis comparing the requirements of NIST SP 800-171 to the current table of security controls (based on NIST SP 800-53) demonstrates a reduction in required tasks by “30 percent.” However, the 800-53 controls include detailed procedures and enhancements providing guidance to contractors on “how to” implement such security controls. In contrast, 800-171 describes 14 “families” of security requirements (they are not called “controls”) that only include general narratives and no specific procedures on how a company should implement them. While this gives companies greater flexibility in choosing how to meet 800-171 requirements, removing the explicit chart of 800-53 controls from the UCTI rule may also result in greater uncertainty on whether a contractor has the “adequate security” that DoD expects.
Under the UCTI clause, contractors were allowed to provide DoD with a written explanation any time the contractor implemented “an alternative control or protective measure” that could achieve “equivalent protection” to the specified NIST 800-53 standards. Under the new clause at DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, contractors similarly will be allowed to justify deviations from the NIST SP 800-171 standards through a written explanation to DoD. However, under the interim rule, a contractor seeking a deviation from the standards must request approval by DoD prior to contract award.[13] Contractors should now carefully consider whether they can meet the 800-171 standards prior to contract award in order to prepare a deviation request if necessary.
4. Cyber incidents
Under the UCTI rule, “reportable cyber incidents” included (i) a cyber incident involving possible exfiltration, manipulation, or other loss or compromise of any unclassified controlled technical information resident on or transiting through, Contractors', or its subcontractors’, unclassified information systems, or (ii) any other activities that allow unauthorized access to the contractors' unclassified information system on which unclassified controlled technical information is resident on or transiting.[14] Thus the UCTI rule only covered the protection of and reporting of incidents affecting controlled technical information.
The interim rule increases both the number of possible information systems where contractors must implement security safeguards as well as the circumstances in which a contractor must report incidents. Under the interim rule, a “covered contractor information system” is an information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information. The interim rule requires reporting of any “cyber incident” that “affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support.”[15] (emphasis added).
A cyber incident that affects the contractor’s ability to perform “operationally critical support” could also include incidents on systems beyond “covered information systems,” and the interim rule requires reporting of those incidents as well.[16] Also, the breadth of the interim rule has implications for defense contractors whose cyber incidents might involve export control violations. Disclosures to DoD prior to submission of a voluntary disclosure to the U.S. government agency with jurisdiction over the relevant export control regulations could eliminate the penalty mitigation that the agency otherwise would grant to companies that voluntarily disclose their export control violations to the agency.
Although these are more exacting reporting requirements, the incident reporting period remains at 72 hours.
Also, the interim rule does not tell contractors what information is now required in a cyber incident report. The UCTI rule included a specific checklist while the interim rule does not, but instead directs contractors to the Defense Industrial Base Voluntary Cyber Security / Information Assurance (DIB CS/IA) portal at http://dibnet.dod.mil. While the DIB portal has been updated to include a checklist similar to that contained in the previous UCTI rule, any DoD contractors and subcontractors that were not previously participating in the DIB and now find themselves covered by the expanded scope of this new rule will not be able to identify cyber incident reporting requirements by reference to the DFARS alone but should familiarize themselves with the DIB portal. See our previous Hogan Lovells discussion on the DIB here.
The UCTI rule required “that prime contractors report when unclassified controlled technical information has potentially been compromised regardless of whether the incident occurred on a prime contractor’s information system or on a subcontractor’s information system.”[17] (emphasis added). The UCTI rule was unclear on how a prime contractor should police a subcontractor’s security controls or ensure that a subcontractor reported applicable cyber incidents to the prime, who was then obligated to report them to DoD.
Under the interim rule, subcontractors are now required to report cyber incidents to both the prime contractor and DoD, with lower-tier subcontractors required to report cyber incidents directly to DoD and up the chain of contract privity until the prime contractor is reached. Due to the expanded scope of “covered defense information” and covered information systems, DoD subcontractors that previously were not covered by the UCTI rule may now find themselves subject to the broader coverage of the new DFARS requirements. Furthermore, such subcontractors will now have to 1) ensure they have incident reporting mechanisms in place to notify the prime contractor of a cyber incident and 2) familiarize themselves with the reporting mechanisms at the DIB portal in order to submit cyber incident reports directly to DoD as well.
6. Contractors that are supporting cyber incident reporting activities at DoD
The interim rule further establishes the new clause DFARS 252.204-7009, Limitation on the Use and Disclosure of Third-Party Contractor Reporting Cyber Incident Information. This clause is now required in contracts that involve contractor support for government activities related to safeguarding covered defense information and cyber incident reporting (for example, providing forensic analysis services or damage assessment services). It imposes nondisclosure obligations on such contractors and provides that a contractor’s breach of its nondisclosure obligations may be subject to criminal, civil, administrative, and contractual actions brought by the government or by the affected contractor reporting party.
Under the interim rule, expanded clause DFARS 252.204-7012 informs contractors that the government will protect against the unauthorized use or release of attributional/proprietary information obtained from the contractor. The rule, however, does not provide detail on the safeguards the government will use to protect this information. Given the recent high-profile breaches of government information systems containing sensitive contractor personnel data at the Office of Personnel Management (OPM), contractors may have legitimate concerns with how DoD will protect a contractor’s cyber incident report information.
Additionally, the interim rule modifies DFARS 252.204-7012 to permit DoD to release certain contractor information in a number of circumstances, including “to entities with missions that may be affected by such information,” “for national security purposes,” and to those “entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents.” The previous UCTI rule had limited the government’s use of contractor information to “authorized persons for purposes and activities consistent with [the UCTI] clause.” This rule thus broadens the scope of entities that may become privy to a contractor’s proprietary information.
In light of these changes to the DFARS cybersecurity requirements, all DoD contractors and subcontractors should review and update their security breach detection, response, and incident reporting plans. As previously mentioned, this interim rule became effective immediately on August 26, 2015. Comments on this rule are due by October 26, 2015.