On June 4, 2015, the Office of Personnel Management announced that personally identifiable information for 4 million current and retired U.S. Government employees had been breached. China was suspected of having facilitated the breach.
Two weeks later, after the number of data breach victims had risen to 14 million, the National Institute of Standards and Technology (NIST) published its new Guidelines for Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171.
We published our summary of the new NIST SP 800-171 Guidelines shortly thereafter, which happened to be about two weeks after OPM’s July 2015 announcement that the number of data breach victims had grown to 21.5 million current and retired Government employees, contractors, and applicants.
Less than a month later, the U.S. Defense Department surprised its industrial base of approximately 10,000 contractors when it published, without prior notice, its new cyber security regulations. The new “Network Penetration Reporting and Contracting for Cloud Services” regulations required contractors to immediately report cyber incidents and data breaches and implement the NIST SP 800-171 Guidelines to protect covered defense information in their information systems. The Defense Department stated that the new regulations were being issued without prior notice and to be implemented immediately because of the urgent need to protect our national security.
“A determination has been made under the authority of the Secretary of Defense that urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment. This action is necessary because of the urgent need to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors.
Recent high-profile breaches of Federal information show the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts. Failure to implement this rule may cause harm to the Government through the compromise of covered defense information or other Government data, or the loss of operationally critical support capabilities, which could directly impact national security.”
We published several blog posts explaining the new cyber security regulations and their new key terms, and providing checklists for complying with the duties and obligations of the Network Penetration Reporting regulations and with the requirements of the Contracting for Cloud Services regulations. We also provided the Defense Department’s answers to 43 frequently asked questions on the new regulations, released in November 2015.
Without a doubt, contractors were caught by surprise. The Defense Department’s imposition of the new regulations effective upon publication provided contractors with no time to assess deficiencies, procure expert guidance and advice, implement new procedures and processes, and achieve compliance.
Many contractors complained. Early requests by industry to hold a public meeting to educate industry on the regulations were denied, just as requests to extend the comment period were rejected.
When the Defense Department finally held a public meeting on the new regulations on December 14, 2015, 85 industry representatives registered for and attended the meeting to express their concern that contractors needed reasonable and appropriate time to fully comply with the new regulations.
But how much time is needed to achieve compliance? The American Bar Association Section of Public Contract Law submitted comments on the new regulations asking for a transition period of “at least one year to implement any security controls not required by the prior [Unclassified Controlled Technical Information] rule and to implement any future changes to NIST SP 800-171.” In contrast, the Council of Defense and Space Industry Associations asked that the Defense Department phase in “implementation of the interim clause requirements by the end of calendar year 2017.”
Calmer heads eventually prevailed. On December 30, 2015, the Defense Department announced that contractors would have two years, until December 31, 2017, to implement the security requirements specified by NIST SP 800-171.
There is some speculation that the Defense Department’s two-year extension may have been influenced by the September 2015 announcement of an agreement between the U.S. and China that neither government would support or conduct cyber-related theft of intellectual property. While contractors are still required to report cyber incidents and data breaches, China’s agreement may have signaled to the Defense Department that it could afford to give contractors the additional time they requested and needed to comply with the new regulations. However, even after the announcement, there were continued reports of Chinese hacking aimed at stealing U.S. intellectual property.