The US Department of Defense (DoD) issued a rule on Friday, October 21, 2016, finalizing its information security and cyber incident reporting requirements. The rule, Network Penetration Reporting and Contracting for Cloud Services, 81 Fed. Reg. 72,986, finalized with changes the interim rule issued on August 26, 2015, which mandated that both prime contractors and subcontractors safeguard covered defense information (CDI), report on network penetrations and require adequate security from external cloud computing services. As we previously wrote, the DoD’s interim rule significantly expanded contractors’ obligations through a new clause titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Under the clause, the scope of information requiring protection expanded beyond unclassified controlled technical information (UCTI) to all DoD contractors at prime and subcontract levels dealing with CDI—a much broader category of protectable information than the predecessor UCTI. The interim rule mandated use of the security controls outlined in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171 and required that contractors rapidly report cyber incidents to the DoD.
The final rule retains much of the interim rule’s core requirements for safeguarding CDI and reporting cyber incidents. Nevertheless, the final rule contains several significant amendments worth highlighting.
- First, the final rule relies on a modified definition of CDI. The interim rule provided that CDI consists of “controlled technical information, critical information (operations security), export control, and any other information, marked or otherwise identified in the contract, that require safeguarding and dissemination controls ...” That language is gone. CDI now is defined to mean unclassified controlled technical information or other information that requires safeguarding or dissemination controls as described in the National Archives and Records Administration’s (NARA) registry for Controlled Unclassified Information (the CUI Registry). As we wrote last month, the CUI Registry is a website created by the NARA that acts as a central repository of all categories and subcategories of CUI. Importantly, “critical information (operations security)” is not listed on the CUI Registry. This means it can no longer, in and of itself, be designated as CDI. In addition, CDI may either be marked or otherwise identified in the contract and provided to the contractor by or on behalf of DoD, or it may be collected, developed, received, transmitted, used or stored by a contractor in performance of the contract. The rule does not require that all CDI be marked or identified in the contract in order to trigger application of the rule. The revised definition clarifies that there is an affirmative requirement for government to mark or otherwise identify all CDI provided to the contractor in the contract. The definition imposes a shared obligation on contractors, however, “to recognize and protect [CDI] that the contractor is developing during contract performance.”
- Second, the final rule permits contractors to submit deviation requests from security requirements post-award. This is in contrast to the interim rule, which required that any such requests be submitted prior to award. This provision gives contractors additional time to identify gaps and implement compensating controls should they discover a deficiency post-award.
- Third, the final rule clarifies the security standards applicable to external cloud service providers. The final rule amends DFARS 252.204-7010, Cloud Computing Services, to clarify that, when using an external cloud service provider to store, process, or transmit any CDI, the cloud service provider must meet the requirements equivalent to those established by the government in the FedRAMP Moderate baseline. DFARS 252.204-7012 also includes this requirement. A contractor must require and ensure that the cloud service provider “meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/)[.]” The cloud service provider must also comply with cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
- Lastly, the final rule expands and clarifies the role of subcontractors in protecting CDI. The final rule amends DFARS 252.204-7012 to clarify that flow-down of the clause is required for subcontracts for operationally critical support or where subcontract performance involves CDI. If a subcontractor “does not agree to comply with the terms of 252.204-7012,” then CDI cannot be on that subcontractor’s information system and a contractor has no discretion to provide for an exception. If CDI protections are required, however, subcontractors must notify the DoD CIO of any security requirements that the subcontractor has not implemented at the time of award. Whether the prime contractor must receive that notice “is a matter to be addressed between the prime and the subcontractor.” The final rule clarifies that subcontractors are required to rapidly report cyber incidents directly to DoD at http://dibnet.dod.mil. As part of their reporting obligations, subcontractors will provide the incident report number, which DoD automatically assigns, to the prime contractor (or next higher-tier subcontractor) as soon as practicable.
The scope of cybersecurity requirements in the final rule will likely affect nearly every aspect of DoD contractors’ information systems. Contractors with current DoD contracts have likely taken steps toward compliance since the interim rule’s introduction a little over a year ago. Under the final rule, contractors who wish to qualify for DoD awards must comply with all of the rule’s requirements by the end of 2017, which may be a significantly and costly compliance task. We will continue to monitor this continually developing area for additional changes that may impact contractors’ obligations to safeguard CDI.