At the end of 2015, the US Department of Defense (DoD) issued a second interim rule, effective immediately, modifying cyber security control requirements it issued earlier in 2015. In particular, this second interim rule (1) grants affected contractors additional time to implement fully compliant cyber security controls, and (2) clarifies certain subcontractor flowdown requirements.
On August 15, 2015, DoD issued an initial interim rule expanding cyber safeguarding requirements by imposing on DoD contractors and subcontractors a contractual duty to provide “adequate security” from “unauthorized access and disclosure” for a broad array of unclassified information. Prior to that interim rule, the Defense Federal Acquisition System Regulation Supplement (DFARS) generally extended cyber security requirements only to unclassified controlled technical information, whereas the August interim rule amended the DFARS to expand both controls and reporting obligations to a much larger class of information. The August interim rule also established reporting requirements for a “cyber incident” (defined as “actions taken through the use of computer networks that result in a compromise or and actual or potentially adverse effect on an information system and/or information residing therein”) or “malicious software,” as well as access requirements and new provisions relating to the acquisition of cloud computing services by DoD.
While the August interim rule required contractors and subcontractors to immediately implement the required cyber security controls, it also gave affected parties an opportunity to comment on the interim rule. The just-issued second interim rule now gives affected contractors another year, until December 31, 2017, to implement fully compliant cyber security controls, although it also imposes certain near-term requirements. In particular, effective immediately, within 30 days of any contract award, contractors must notify the DoD Chief Information Officer (DoD CIO) of any cyber security requirements that it has not yet implemented. It is understood that this notification does not require any corresponding approval, but rather is intended as an assessment tool for DoD to gauge industry-wide progress toward full implementation of the new requirements. This modification is accompanied by the removal of a clause in the August interim rule requiring the DoD CIO to accept alternative but equally effective security measures prior to contract award, although such alternatives still may be considered.
The second interim rule also makes clear that the relevant DFARS provision need only be flowed down to certain subcontractors, namely those whose work involves “covered contractor information systems” and/or those who will provide “operationally critical support.” This clarification should ease the impact of the requirements on most mass marketers, which, for example, as GSA-schedule subcontractors, might otherwise find themselves required to comply with onerous cyber security and reporting requirements even though they only provide unmodified commercial off-the-shelf equipment to the U.S. Government.
We previously noted that the requirements of the August interim rule could substantially increase the costs of DoD contracting, resulting in fewer small entities that can afford to qualify to perform government contracting, and significantly increase the risk of disclosure of PII and other sensitive corporate information if that data is required to be transferred from protected corporate databases to potentially more vulnerable government facilities. (See our earlier alert: New Department of Defense Cyber Security Regulation: Is the Cure Worse than the Disease.) In the second interim rule, DoD notes that it identified no significant alternatives that would minimize the economic impact of the rule’s requirements on small businesses, although it invites comments specifically addressing the expected economic impact of the rule’s requirements on small businesses.
DoD issued the second interim rule following a public meeting that took place on December 14, 2015, at which industry representatives expressed a need for further time to implement the security requirements set forth under the August interim rule. DoD’s willingness to address this industry concern by issuing the second interim rule is encouraging. While this second interim rule took immediate effect on December 30, 2015, DoD will receive public comments on the interim rule before it is published in its final form. The period for public comment is scheduled to close on February 29, 2016. Comments may be submitted in writing by various means set forth in the interim rule, including by email to firstname.lastname@example.org with “DFARS Case 2013–D018” in the subject line of the message.