In a move that highlights the changing winds of federal cybersecurity policy, the Department of Defense (“DoD”) has issued an interim Rule (“Rule”) that imposes new security and reporting requirements on federal contractors, and new requirements for DoD cloud computing contracts.
The Rule requires federal contractors to report cyber incidents that result in an actual or potentially “adverse affect” on covered defense information (CDI), a covered contractor information system (a federal contractor’s information system that handles CDI), or on a contractor’s ability to provide operationally critical support. CDI includes “controlled technical information, export controlled information, critical information, and other information requiring protection by law, regulation or Government-wide,” but does not include classified information which is governed by a separate rule. The Rule also imposes restrictions on cloud computing contracts, including that data covered by the contracts be maintained within the 50 states.
This Rule comes in the wake of high profile security breaches of information maintained on federal systems. The Rule, at Defense Federal Acquisition Regulation Supplement (DFARS)-2015-0039 and issued on Aug. 27, 2015, is effective immediately without the normal public comment period due to the urgency of protecting CDI. The Rule revises the DFARS to implement two key provisions of the National Defense Authorization Acts for Fiscal Years 2013 and 2015. Specifically, the Rule implements the provision of the 2013 Act that requires cleared defense contractors to report breaches of networks and covered information systems and to allow DoD personnel to access those networks to assess the impact of the reported security breach.
The Rule also implements the provision of the 2015 Act requiring a contractor designated as operationally critical to report each cyber incident that occurs on that contractor’s network. Finally, the Rule implements policies formulated by DoD’s Chief Information Officer (“Updated Guidance on the Acquisition and Use of Cloud Computing Services,” Dec. 15, 2014 and “Cloud Computing Security Requirements Guide,” Jan.13, 2015) for procurement of cloud computer services from federal contractors. Here, the express objective of the Rule is to ensure uniform application of these policies throughout DoD when contracting for cloud services.
The Rule also increases cyber security requirements for federal contractors who maintain DoD information in their system networks. The new provisions of the Rule significantly expand the safeguarding and reporting requirements associated with the protection of CDI.
The rule changes the table of security controls contractors were previously required to utilize from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 to NIST SP 800-171. NIST SP 800-171 , entitled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” is a publication specifically tailored for use in protecting CDI.
As referenced above, the Rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse affect on a covered contractor information system or CDI residing on that system, or on a contractor’s ability to provide operationally critical support. The Rule defines a “cyber incident” as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” The term “compromise” means the disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.” The term “media” means physical devices or writing surfaces onto which CDI is recorded, stored or printed within a covered contractor information system.
DOD is working to establish a single reporting mechanism for DOD contractor reporting of cyber incidents on unclassified information systems. Cyber incidents involving classified information on classified contractor systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual.
Should a contractor discover a cyber incident that affects a covered contractor information system or CDI, or that affects the contractor’s ability to perform the requirements of the contract, the contractor must do the following:
- Conduct a thorough review of the contractor’s information systems for evidence of compromise of CDI;
- Rapidly report the incident (within 72 hours) to DoD at http://dibnet.dod.mil;
- Submit to DoD any malicious software associated with the incident;
- Preserve images of all known affected information systems for at least 90 days from the submission of the cyber incident report to allow DoD to request or decline the media;
- Upon request by DoD, provide access to information or equipment for the purpose of a forensic analysis; and
- If DoD elects to conduct a damage assessment, provide a damage assessment.
The best practices are outlined in NIST SP 800-171, and involve access control, network security awareness training, enabling audit logs, configuration management, incident response planning, risk assessments, and vulnerability testing. It is important to engage outside counsel to facilitate much of this pre-breach related work so that it is protected by the attorney-client privilege to the greatest extent possible. It is also important to engage outside counsel as part of the extended incident response team to manage any post-breach response and navigate the patchwork of consumer and regulatory notification statutes.
As referenced above, the Rule expands the protection and reporting to entire contractor systems (i.e.,‘‘covered contractor information system’’) as well as a new type of information ‘‘covered defense information’’ which includes controlled technical information as a subset. The definitions applicable to those terms are as follows:
Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
Covered contractor information system means an information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
Covered defense information means unclassified information that—
(i) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
(ii) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and
(2) Falls in any of the following categories:
(i) Controlled technical information.
(ii) Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
(iii) Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations, and munitions list; license applications; and sensitive nuclear technology information.
(iv) Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies (e.g., privacy, proprietary business information).
Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Operationally critical support means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
Rapid(ly) report(ing) means within 72 hours of discovery of any cyber incident.
Federal contractors can anticipate that the Rule will become permanent in the same or substantially the same form. Further, although the Rule only pertains to the Defense Federal Acquisition Regulation Supplement (DFARS), federal contractors can anticipate that there is likely to be a broader application of the Rule that will also be reflected in the Federal Acquisition Regulations (FARS). With the increase in both frequency and sophistication of cyber-attacks, the Government will continue to focus upon the development of stronger regulations and protections for sensitive data. In adopting measures to ensure compliance with the new Rule, federal contractors can also implement best practices that will ensure an efficient and seamless transition to future regulations that are certain to come quickly in this new procurement environment.