In 2007, a preeminent American defense contractor first reported cyber attacks emanating from China. Four years later, upon a visit by then Secretary of Defense Robert Gates, the Chinese Air Force revealed a fighter jet unnervingly similar to the one manufactured by the hacked American contractor. More recently, the FBI reported in July 2015 that hackers accessed the personnel files and security clearances of over 22 million federal employees and contractors.
Accordingly, the Department of Defense (DOD) moved to strengthen the Defense Federal Acquisition Regulation Supplement (DFARS) provisions on cybersecurity. The interim rule significantly alters the contractual duties of government contractors and subcontractors. Every government contractor and subcontractor therefore ought to consider the following five highlights of the interim rule.
- Seriousness. The regulation is effective immediately. The DOD invoked “urgent and compelling reasons” to impose the change without the typical comment period. A comment period on the interim rule nonetheless remains open until October 26, 2015, before the rule takes final form.
- Scope. First, the interim rule requires “adequate security” from “unauthorized access and disclosure,” a requirement whose breadth has not yet been defined. Second, the rule compels contractors to report to the DOD any cyber incident “adverse or potentially adverse” to the contractor’s information technology (IT) systems; what counts as “adverse or potentially adverse” is likewise undefined. Once a contractor or subcontractor reports an incident, the company must make all affected “media” available for government inspection. This includes physical devices such as laptops and cell phones as well as paper archives.
The DOD did clarify that the rule includes contracts for commercial items. Likewise, it covers non-confidential and proprietary information. Regulations applicable to confidential data remain unchanged.
- Speed. The new regulation requires contractors and subcontractors to report cyber incidents within 72 hours of the attack. The contractors owe their report to the DOD while the subcontractor must account to the prime contractor and to the DOD. Fortunately, though, the DOD will not consider such reporting, by itself, as evidence that a company has failed the rule’s security requirements.
- Savings? The DFARS modifications are similar in language and intent to those of another federal agency, one created specifically for IT security. As such, the interim rule is “tailored for use in protecting sensitive information residing in contractor information systems,” which could mean savings for certain companies. Other companies, however, especially those without IT departments or IT experts, could face increased costs. The DOD itself admits that some 10,000 small businesses will require the help of IT experts to analyze cyber incidents, to determine what information was affected, and to prepare the government report.
- Service impact. Many contractors and subcontractors are moving their IT services to cloud computing. The interim rule applies to cloud computing, too. In fact, it compels companies to monitor their cloud to confirm the appropriate “administrative, technical, and physical safeguards.”
The broad nature of these DOD security requirements necessitates a precise and professional approach for government contractors.