On August 25, 2015, the U.S. Department of Defense (DoD) issued interim rule DARS-2015-0039 (Rule), which governs the safeguarding of covered defense information and the reporting of cyber incidents by DoD contractors, including providers of cloud computing services contracted for by DoD. While the Rule amends only the DoD-specific Defense Federal Acquisition Regulation Supplement (DFARS) and not the government-wide Federal Acquisition Regulation (FAR), the FAR Council often adopts DoD’s regulatory guidance. It is therefore likely that a broader adoption of this DFARS Rule will follow.

In Force & Effect

The Rule implements portions of the National Defense Authorization Acts for FY 2013 and FY 2015 (Statute), both of which mandate that contractors report network penetrations. Although comments on the Rule are due within 60 days, the Rule is in force and effect now, and it is likely that the vast majority of it will become permanent in the same or a very similar form.

Discussion

The Rule requires that DoD contractors and subcontractors, including cloud service providers (the Rule does not say how far down the supply chain it reaches, except that certain of the new provisions must flow down to subcontracts), “report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support.” There is not yet an omnibus reporting procedure or DoD report repository; DoD is working on those at present. Currently, the only “official” repository is for DoD cyber incidents relating to classified information on classified contractor systems, which must follow the terms of the National Industrial Security Program Operating Manual (NISPOM).

The Rule expands on the DoD Chief Information Officer’s Cloud Computing Security Requirements Guide, issued on January 13, 2015 (Guide), which sets out the security requirements cloud service providers must meet to provide such services to DoD. In an effort to create a uniform policy, the Rule combines the two Statute sections and the Guide to assist DoD and contractors in mitigating risks such as those seen in the recent, heavily reported cyber-attacks on a number of agencies.

In revising the existing DFARS, the Rule mandates that cleared defense contractors “…report penetrations of networks and information systems and allow[] DoD personnel access to equipment and information to assess the impact of reported penetrations.”

By revising existing DFARS provisions and clauses and adding new ones, the Rule increases and expands the safeguarding and reporting requirements associated with the protection of covered defense information (CDI), which consists of, among other things, “controlled technical information, export controlled information, critical information, and other information requiring protection by law, regulation, or Government-wide policy.”

Defined Terms

To gain contractual enforceability, the Rule has both modified an existing DFARS clause and added several new clauses. It has also added some key definitions including, without limitation:

  • Compromise. A “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”
  • Cyber incident. “[A]ctions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”
  • Media. Defined in general as any form of physical devices or writing surfaces such as disks, chips, etc. “onto which [CDI] is recorded, stored, or printed within a covered contractor information system.”
  • Covered defense information. Defined as “unclassified information that:
    • Is –
      • Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
      • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and
    • Falls in any of the following categories:
      • Controlled technical information.
      • Critical information (operations security)….
      • Export control….; [or]
      • Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information).”[1]

Major Revisions & New Regulations

  • DFARS 252.204-7012 is now titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This revised clause expands the safeguarding requirements associated with CDI and mandates reporting of cyber incidents relating to CDI, as well as “any cyber incident that may affect the ability to provide operationally critical support.” This requirement is very broad, and its terminology is imprecise and undefined, leaving interpretation and enforcement to the discretion of agency personnel. For contractors handling any data that could reasonably be interpreted as CDI, this means they should have the necessary systems in place to meet not only the protection requirements but also the detection, identification and reporting requirements. This clause, as currently written, warrants further analysis and refinement by DoD; clearer definitions, standards and mandates are key to successful implementation of and compliance with the provision. In its current form, its breadth and lack of particularity lead to the conclusion that exposure and liability for service providers and their subcontractors and vendors are significant.

    Interestingly, the Rule adopts the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171, stating that the publication “…greatly increases the protections of Government information in contractor information systems, while simultaneously reducing the burden placed on the contractor by eliminating Federal-centric processes and requirements…” set forth in its predecessor document. While the latter is true, the former is not necessarily accurate. As previously reported, NIST issued SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” which is a good start toward better definition and control of cyber-attacks and protected information, but it is still written in broad strokes and itself needs further refinement and definition. As with that publication, the Rule provides better direction than its predecessor, but it is still vague, not well defined, and places a significant burden on contractors.

  • The Rule adds new DFARS clause 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” which is to be inserted in solicitations to verify that the DFARS 252.204-7012 requirements (discussed above) are included in contracts and that offerors are notified thereof. The clause also creates a process by which an offeror can propose alternative security measures it contends are equally effective, or identify shortcomings in its systems relative to a contractual requirement. This is generally a positive and beneficial turn: offerors now appear to have some flexibility in how they meet government cybersecurity measures, rather than being forced to use one system, product or methodology.
  • Another new DFARS clause, 252.204-7009, “Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information,” provides some degree of protection for cyber incident reports. It also avoids the presumption that a report is a de facto admission of fault by the contractor. This is positive, as a reported cyber incident often gains public and press exposure, resulting in a storm of backlash, lawsuits and an inability to control the outcomes and “panic” that may ensue. Clause 252.239-7010, “Cloud Computing Services,” is also added to provide a standard contractual provision for DoD acquisition of cloud computing services. This clause is one of the keys to understanding the new regime, as it sets out the reporting, security and access requirements and procedures that contractors will be held to.
  • DFARS subpart 239.76 now implements cloud computing services acquisition policies, and DFARS clause 252.239-7009, “Representation of Use of Cloud Computing,” calls for each offeror to identify its intention to use cloud computing services, or not, in the performance of the subject contract. Some directives in this subpart include:
    • Absent authorization, cloud service providers must now maintain all government data within the United States if it is not physically located on a DoD property.
    • Failure to protect the data and/or report an incident, may subject the provider to criminal, civil, administrative and contractual penalties and damages.

While the Rule is interim, it has been made effective upon issuance without the typical prior public comment period. Per the determination, this is necessary due to the urgent need to protect (perhaps the better wording would be “better protect”) CDI. Interestingly, the determination also identifies the desire to “…gain awareness of the full scope of cyber incidents being committed against defense contractors.” While this is obviously an excellent goal, many would argue it should have been mandated years ago, as the cloud has been used by private and public entities alike for quite some time.

Another concern is that the Rule appears to intertwine the NISPOM, which covers classified data and procedures, with the NIST guidance, which addresses controlled unclassified government information. This carries through to the definitions and procedures in the Rule, and will likely leave some providers that are not cleared contractors unable to comply with the heightened requirements. This will need to be addressed in the near term, and industry should provide comments to address the inconsistency.

While some protection was afforded by the existing regulatory regime, the Rule is a good start to fortifying and heightening not only the protections, but the awareness of cyber incidents.

Conclusion

The Rule is a good next step in addressing hacking and cyber-attacks, but it is only a step on what undoubtedly will be a long road. As cyber incidents grow more sophisticated and the importance of securing government-protected data continues to rise, it is key that the government continue to develop stronger regulations and protections. As evidenced by recent incidents, the Rule is a reaction to a long-known issue. The problem is that until the government (and, to a lesser extent, its providers and vendors) becomes truly proactive and puts strong protections, systems and policies in place, it will be next to impossible for contractors and service providers to accurately report on and protect CDI and other government data.