On December 30, 2015, the Department of Defense (“DoD”) issued a second interim rule (80 F.R. 81472) that extends the deadline by which federal contractors must implement the new cybersecurity requirements previously issued by the agency. This extension pushes back the compliance deadline to December 31, 2017.

The second interim rule builds upon the first interim rule previously issued by the DoD on August 26, 2015. As we previously reported, the first rule required federal contractors and subcontractors to implement the cybersecurity requirements contained in NIST Special Publication 800-171, entitled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Additionally, contractors were required to report cyber incidents that resulted in an actual or potential effect on a covered contractor information system. The reports were required to be made within 72 hours of discovery of the cyber incident.

Since the issuance of the first interim rule, industry representatives have voiced concerns about the scope of the rule, training required to comply with it and numerous other issues. As a result of those concerns, the DoD held a public meeting on December 14, 2015. Based on input received at that meeting, the DoD issued the second interim rule delaying the effective date for contractors to comply with NIST SP 800-171.

The second interim rule also amends DFAR Section 252.204-7012 (b)(1)(ii)(A) by requiring contractors to notify the DoD within 30 days after contract award of “any security requirements specified by NIST SP 800-171 not implemented at the time of contract award; or alternate but equally effective security measures…accepted in writing by an authorized representative of the DoD CIO.” If this amendment carries over into the final rule, contractors will be required to explain how they do not comply with the NIST requirements.

Comments on the second interim rule must be submitted in writing on or before February 29, 2016.