On October 4, 2016, the Department of Defense (DoD) issued a final rule (81 Fed. Reg. 68,312) implementing mandatory cyber incident reporting requirements for prime contractors and subcontractors who have agreements with the DoD. The rule finalizes, with changes, an interim rule (80 Fed. Reg. 59,581) that the DoD issued on October 2, 2015, which requires DoD contractors and subcontractors to report to the Pentagon any cyber incident that results in an actual or potentially adverse effect on a covered contractor information system, on covered defense information (CDI) contained therein, or on a contractor’s ability to provide operationally critical support. The final rule’s reporting requirements apply not only to contracts with DoD and Defense Industrial Base (DIB) companies, but also to grants, cooperative agreements, other transaction agreements and technology investment agreements. As it stands now, the Defense Federal Acquisition Regulation Supplement (DFARS) rule and clauses at 252.204-7012 and 252.239-7009 apply only to procurement contracts. The final rule expands the DFARS requirement to report cyber incidents beyond procurement contracts, so companies should be aware of enhanced compliance obligations.
This final rule also expands the eligibility criteria for participation in the voluntary DIB Cyber Security information sharing program. The program enables eligible DIB participants to receive government-furnished information and cyber threat information from other DIB participants, which gives them greater insight into adversarial activities and helps participants improve their cyber security programs. This collaboration will serve to enhance the overall security of the contracting environment. Furthermore, the program offers access to government classified cyber threat information and technical assistance from the DoD Cyber Crime Center. The rule is not retroactive, and therefore, language in current procurement contracts will take precedence over requirements in the final rule.
The final rule became effective November 3, 2016.
On October 21, 2016, the DoD issued the second cyber security reporting rule (81 Fed. Reg. 72,986), finalizing, with changes, two interim rules published on August 26, 2015 (80 Fed. Reg. 51,739) and December 30, 2015 (80 Fed. Reg. 81,472) to implement section 941 of the National Defense Authorization Act (NDAA) for FY 2013 and section 1632 of the NDAA for FY 2015, respectively. The final rule requires prime contractors and subcontractors to report penetrations of their networks, safeguard CDI, and ensure that external cloud service providers comply with adequate security measures. Prime contractors and subcontractors will be required to report data breaches resulting from cyber attacks within 72 hours of the incident.
This final rule includes at least four important updates:
- The definition of CDI is now aligned with the definition of “controlled unclassified information” (CUI), which was set out recently by the National Archives and Records Administration. Interestingly, not all CDI must be marked or identified in the contract in order to trigger application of the rule. Rather, the government has an affirmative obligation to mark or otherwise identify all CDI provided to the contractor in the contract. In turn, the contractor must protect CDI that it is developing throughout contract performance.
- Contractors may now submit, post-award, requests to deviate from compliance requirements. The interim rule had required exemption requests to be submitted prior to an award. Also, contracts that are solely for the acquisition of commercially available off-the-shelf items are exempted in the final rule.
- DoD clarified the security standards applicable to external cloud service providers that store, process, or transmit any CDI. In particular, such cloud service providers must meet the requirements equivalent to those established by the government in the FedRAMP Moderate baseline.
- The final rule clarifies that DFARS 252.204-7012 is a required flow down for subcontractors that provide operationally critical support, or where subcontract performance involves CDI.
Despite resolving some industry concerns, the rule has raised new worries regarding increased compliance burdens. For example, the change that is likely to have the greatest impact on defense contractors, as noted above, is the alignment of the definition of CDI with the definition of CUI, set out recently by the National Archives and Records Administration. Although this change makes the definition clearer in some senses, it also greatly broadens the types of information covered under the rule. The CUI definition contains 23 categories (and 82 subcategories) of information that contractors must now identify and protect in accordance with DoD standards, thereby making compliance more difficult.
The final rule became effective on October 21, 2016, but a grace period for implementation is in place until December 31, 2017, at which time contractors will be required to implement full security measures. Contractors are encouraged to implement adequate safeguards as soon as possible.