On October 21, 2016, the Department of Defense (DoD) issued a final rule following up on the interim rules it had issued on August 26 and December 30, 2015, regarding safeguarding contractor networks and purchasing cloud computing services. The final DoD clauses are DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
While the final rule incorporates some significant changes from the interim rules, the requirement to report cyber incidents within 72 hours of their discovery is retained in the final rule. DoD also declined to change its position on small businesses, which are not excepted from the rule’s coverage. See our post on the interim rules: "DoD Grants Contractors a Reprieve: Cybersecurity Compliance is Delayed."
The final rule does, however, make several important changes from the interim rules:
- The final rule changes the definition of “covered defense information” to align it with the definition being used by the National Archives and Records Administration rule promulgated on September 14, 2016 (81 FR 63324). Importantly, DoD’s interim rules had placed the burden of identifying covered defense information on contractors. The final rule provides that covered defense information must be (1) marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract, or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. The final rule therefore assigns DoD the responsibility for marking or designating covered defense information.
- Another significant change made by the final rule is the exclusion of contracts involving commercial off-the-shelf (COTS) items from the requirements.
- The final rule adds a more definitive standard for contractors using cloud service providers. External cloud service providers used in performance of the contract to store, process, or transmit any covered defense information must meet security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline and must comply with the cyber incident reporting obligations.
- DoD responded to comments on the interim rules concerning flowdown of DFARS clause 252.204-7012 to subcontractors. The final rule clarifies that subcontractor flowdown is only required when covered defense information is necessary for performance of the subcontract, and that the contractor may consult with the contracting officer if the contractor is uncertain whether the clause should flow down. In addition, prime contractors must require their subcontractors to notify them (or the next higher-tier subcontractor) if the subcontractors make a request to DoD to vary from the NIST Special Publication 800-171 security requirements.
The final rule maintains December 31, 2017 as the deadline for complying with its requirements. While COTS contractors have received an exemption, the rule still applies to the vast majority of DoD contractors. Holland & Knight is prepared to counsel federal contractors regarding questions they may have about these new regulations.