The US Department of Defense (DOD) earlier today issued a second interim rule, effective immediately, that gives affected contractors until December 31, 2017, to implement fully compliant cyber security controls.
The cyber security requirements, contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) No. 800-171, were part of a prior interim rule issued in August 2015. Sometimes referred to as the Network Penetration Rule, DOD's first interim rule had required immediate compliance with NIST SP 800-171 at both the prime and subcontract levels. Although DOD's second interim rule gives contractors additional time to implement the requirements of NIST SP 800-171, the rule as revised still imposes certain near-term burdens on affected contractors and subcontractors.
Since being issued in November 2013, the predecessor Defense Federal Acquisition Regulation Supplement (DFARS) clause, § 252.204-7012, applied only to unclassified controlled technical information (UCTI). In August 2015, DOD in an interim rule changed the clause—now titled "Safeguarding Covered Defense Information and Cyber Incident Reporting"—and significantly expanded both the security control and reporting obligations to all "covered defense information." This expanded definition of the categories of information subject to protection and reporting, coupled with the clause's broad subcontract flow-down requirement, meant that the August 2015 clause likely would apply to virtually all DOD contractors at the prime and subcontract levels. The August 2015 interim rule also replaced the previously required security controls, drawn from NIST SP 800-53, with the NIST SP 800-171 security controls. The second interim rule, issued earlier today, makes two key modifications to the August 2015 interim rule: (1) the rule grants affected contractors until December 31, 2017, to implement the required controls, and (2) the rule clarifies the subcontract flow-down requirements.
First, in response to vocal concerns from industry during a recent December 14, 2015, Industry Day regarding the feasibility of immediate compliance with the NIST SP 800-171 security requirements, DOD has revised DFARS § 252.204-7012 to require contractors to implement the SP 800-171 security requirements "as soon as practical, but no later than December 31, 2017." DFARS 252.204-7012(b)(1)(ii)(A). The fact that DOD has solicited and then responded to these concerns is a welcome development and similar to the teamwork and collaboration that has accompanied the development of the NIST Framework for Improving Critical Infrastructure Cybersecurity.
Second, today's interim rule provides the much sought-after confirmation from DOD that the clause must only be flowed down to certain subcontractors. Specifically, the second interim rule revises the DFARS § 252.204-7012(m) flow-down requirements to mandate inclusion of the clause in subcontracts where the subcontractor will be providing "operationally critical support" and/or where subcontract performance "will involve a covered contractor information systems." The second interim rule also confirms that the clause must be flowed down without alteration, and confirms that reporting must occur directly to DOD. These later revisions may be viewed as more constraining on subcontract administrators, though the overall clarification may enable prime contractors to narrow their imposition of such requirements on subcontractors.
Finally, while today's interim rule provides some respite to affected contractors, a number of near-term compliance issues continue to exist for contractors. Most notably, DOD did not change the rapid reporting requirement that exists in the DFARS rule for cyber incidents, thereby requiring contractors to continue to report cyber incidents notwithstanding their compliance with NIST 800-171. The revised clause also requires contractors to notify the DOD's chief information officer within 30 days of contract award of any NIST SP 800-171 security requirements that are not implemented at the time of award. According to the interim rule, DOD intends to use this information to monitor industry's implementation of these requirements in advance of the December 31, 2017, deadline for compliance. The revised rule also does not eliminate a contractor's ability, pursuant to DFARS 252.204-7008, to propose alternate but equally effective security measures to satisfy a particular security requirement. However, the second interim rule does eliminate the requirement that such alternate controls be approved prior to contract award. Finally, contractors subject to the prior requirements of the DFARS UCTI clause, issued in November 2013, will not find any guidance or other relief in this rule from the requirements of that clause.
On balance, the second interim rule contains positive developments for affected government contractors and industry generally on a very important compliance issue. Comments on the interim rule are due by February 29, 2016. Contractors still seeking clarity on the interim rule, as revised, should consider submitting comments. Dentons lawyers will continue monitoring key developments in this area, and also will be presenting on this topic on behalf of the Public Contracting Institute (PCI) on January 5, 2016. For additional information about this topic or to register for the PCI presentation, please contact the authors of this advisory or the Dentons lawyer with whom you work.