Today, DoD issued an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement sections of the FY 2013 and 2015 Defense Authorization Acts that require contractor reporting on network penetrations. Additionally, the rule implements DoD policy on cloud computing services. The rule is effective immediately; comments are due on or before October 26, 2015.
The rule expands on and revises a 2013 DFARS provision regarding reporting of cyber incidents involving unclassified controlled technical information and implementation of NIST standards for protection of information. Today’s interim rule is broader and encompasses “covered defense information,” which includes unclassified controlled technical information as well as export-controlled information, critical information (operations security) and any other information marked or otherwise identified in a defense contract that requires safeguarding or dissemination controls. The new rule’s implementing DFARS clauses contain flowdowns, and unlike the 2013 rule, the clause obligates subcontractors to report both to the prime contractor and to DoD. A separate DFARS clause specifies that any USG support contractors that deal with cyber reports will be limited in their use or disclosure of third-party information. The cloud computing portion of the rule contains a representation in which offerors state whether or not they intend to utilize cloud computing services in performance of a contract. The cloud computing portion also contains a new clause that specifies access, security or reporting requirements. Notably, the rule states that contractors shall maintain within the US or outlying areas all Government data that is not physically located on DoD premises, unless the Contractor receives written notification from the Contracting Officer to use another location.
We anticipate a further posting regarding this rule shortly.