After collecting feedback from industry representatives, the Department of Defense ("DOD") recently revised the Defense Federal Acquisition Regulations Supplement ("DFARS") interim rule on required cybersecurity measures for defense contractors (the "December 30 Interim Rule"). As published in August 2015, the revised DFARS clause 252.204-7012 required contractors to provide "Adequate Security" for Covered Defense Information ("CDI") by implementing the security requirements of the National Institute of Standards and Technology ("NIST") Special Publication ("SP") 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations." We discussed the August interim rule and related government requirements in depth in our earlier Commentary, including practical issues contractors face in implementation. After publishing that rule, the DOD issued a class deviation allowing contractors up to nine months for implementation of security requirements. The December 30 Interim Rule gives contractors additional time to implement the requirements of NIST SP 800-171 and incorporates a number of changes that will affect contractors' cybersecurity compliance policies.
The revised interim rule phases in the requirement to comply with NIST SP 800-171 over the next two years. The revised rule requires implementation of NIST SP 800-171 by December 31, 2017. Along with this enlargement of implementation time, however, the revisions require contractors to notify the DOD of any security requirements that are not implemented at the time of the contract award. This notification, which must be made within 30 days of the contract award, is intended to assist the DOD in monitoring progress and identifying trends in the implementation of the requirements across the defense industrial base, including identification of specific requirements that may require clarification or adjustment.
Approval of Alternative But Equally Effective Security Measures
The August 2015 interim rule provided that contractors could implement alternative but equally effective security measures in lieu of compliance with the NIST SP 800-171. Utilization of such alternative measures required notice to and acceptance by the DOD prior to the award of the contract. The December 30 Interim Rule provides for two procedures applicable to alternative measures. First, a contractor must identify any alternative measures that deviate from NIST SP 800-171 as part of its non-implementation notice given within 30 days of contract award pursuant to DFARS 252.204-7012, as described above. These alternative measures do not appear to require pre-award approval. If a contractor plans to deviate from NIST SP 800-171 on a permanent basis, however, it must, pursuant to DFARS 252.204-7008, submit its plan and justification to the DOD for pre-award adjudication by the DOD Chief Information Officer.
Scope of Flow Down
The revised rule also tailored the flow-down requirements for DFARS clause 252.204-7012. Under the revisions, contractors are required to flow down only to those subcontractors and suppliers where the subcontractors' or suppliers' efforts will include CDI or operationally critical support. Although this provides some common sense relief to contractors, given the broad scope of information requiring protection as CDI, the practical effect may be marginal for all but the most routine acquisitions of commercial items or services.
Flow Down Without Alteration
The August 2015 interim rule mandated flow down of DFARS clause 252.204-7012 and the related DFARS clause 252.204-7009, "Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information." The December 30 Interim Rule clarifies that these flow downs must be made without alteration, except to identify the parties.
The DOD's response to industry's concerns about the August 2015 iteration of the cybersecurity rule is a welcome development. Defense contractors should continue to work with the DOD regarding these new requirements to address practical issues and complications as they arise.