On Monday, November 18, 2013, the Department of Defense (DOD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to add a new subpart and contract clause (DFARS 252.204-7012) associated with safeguarding unclassified controlled technical information (DFARS Case 2011-D039). The new rule requires that contractors with “controlled technical information” resident on or passing through their information systems use a minimum set of protective measures and security controls to safeguard the data. In addition, contractors will be required to notify the DOD of any cybersecurity intrusions or incidents that affect controlled technical information or that allow unauthorized access to the information system on which the unclassified controlled technical information is stored. The rule further mandates that these requirements also be flowed down to the contractor’s subcontractors and vendors, even in the commercial setting.
Background and Differences from Proposed Rule
The final rule is a slimmed-down version of the proposed rule issued by the DOD in June 2011. The proposed rule addressed requirements to safeguard all unclassified DOD information resident on or transitioning through contractor information systems and set up two sets of standards: (1) basic safeguarding standards applicable to all contractors with unclassified DOD information on their systems and (2) enhanced safeguarding standards applicable to contractors with unclassified information on their information systems that was considered more sensitive. The more sensitive data was proposed to include “Critical Program Information,” “Critical Information,” information subject to export controls, information exempt from the Freedom of Information Act, information bearing any controlled access or dissemination designation, personally identifiable information, or controlled technical information marked with DOD designations limiting access to and dissemination of the information.
The final rule issued on Monday focuses only on what had been termed the “enhanced” safeguarding standards. (The basic safeguarding standards will be developed further through FAR case 2011-20, which will apply to all companies, not only DOD contractors.) The safeguarding standards in the final rule apply only to contractors with “controlled technical information” (defined below) resident on or transitioning through their information systems. They do not apply to the broader categories of sensitive information in the proposed rule – e.g., Critical Information or information exempt from FOIA. The final rule also clarified a number of items left open in the proposed rule, including the method for notification of any cybersecurity incident and the length of time a contractor will be required to preserve information concerning those incidents.
Required Security Controls
All contractors with controlled technical information are required to implement certain security safeguards. Controlled technical information is unclassified technical data or computer software (as those terms are defined in DFARS 252.227-7013) marked by the DOD with a legend controlling the use, release, or dissemination of the information pursuant to DOD Instruction 5230.24, Distribution Statements on Technical Data. These legends include, for example, “Distribution authorized to U.S. Government agencies only…”, “Distribution authorized to the Department of Defense and U.S. DOD contractors only,” or legends marking the documents as export-controlled.
The required security controls are included in the National Institute of Standards and Technology (NIST) Special Publication 800-53. A table provided in the final rule’s contract clause specifies the controls to be used. The contractor must either implement these controls or explain in writing to the Contracting Officer how the required security control is not applicable or how an alternative control achieves the same protection.
For most large government contractors, the security controls will not be difficult to meet. In fact, many defense contractors have already implemented these controls (or equal or superior alternates). Commercial suppliers and smaller defense contractors and vendors, however, may have to implement new security controls to meet these requirements. Indeed, the final rule expressly requires inclusion of the new clause in solicitations and contracts for commercial items under DFARS 212.301(f). If controlled technical information is stored on or transitioning through their information systems, this may well be burdensome for commercial vendors, though it may also serve as a business incentive for them.
Required Disclosure of Cybersecurity Incidents
In addition to security controls, the new contract clause requires contractors to report cybersecurity incidents that either affect the unclassified controlled technical information (through exfiltration, manipulation, or other loss or compromise) or allow unauthorized access to the controlled technical information, whether or not the technical information has actually been affected. Such incidents must be reported within 72 hours to the DOD via the Defense Industrial Base Cybersecurity Information Assurance Program website, http://dibnet.dod.mil/. The report is to include information identifying the contractor and any relevant subcontractor, the contract affected, the date and location of the incident, the type of compromise, the technical information compromised, and any additional relevant information.
The contractor is further required to review its unclassified network for evidence of additional cyber incidents, review the data accessed or affected, and preserve and protect images of the known affected information systems for at least 90 days to allow the DOD the opportunity to request the information.
Following a cybersecurity incident report, the DOD may investigate the incident and choose to conduct a damage assessment, with which the contractor must cooperate to the extent it is legally able to do so. The new clause specifically provides that the government will protect the information reported or provided to the DOD and will use and disclose the information only for purposes of investigating the incident.
Guidance from DOD’s Discussion and Analysis of the New Rule
In addition to explaining its rationale for limiting the scope of the final rule, the DOD’s discussion and analysis of the rule provided additional guidance, most notably:
- An Internet service provider or cloud service provider will constitute a subcontractor if a contractor’s information technology infrastructure is outsourced. Thus, the contractor is responsible for ensuring that the Internet service provider or cloud vendor complies with the security controls and disclosure requirements of the new rule;
- With respect to audits or reviews, the contract administration office is responsible for ensuring that a contractor has a process for meeting the safeguarding standards and that reviews will be conducted at the discretion of the contracting officer in accordance with the terms of the contract;
- In many cases, costs associated with implementation will be allowable and chargeable to indirect cost pools, though the government does not intend to pay directly for the operating costs associated with the rule;
- The DOD does not intend to provide any safe harbor for cyber incidents, although it noted the rule provides that a “cyber incident that is properly reported by the contractor shall not, by itself, be interpreted under this clause as evidence that the contractor has failed to provide adequate information safeguards …”; and
- The DOD estimates, based on voluntary reporting by defense companies to the Defense Cyber Crime Center, that on average companies will be required to disclose five reports per year, with each response taking approximately 3.5 hours.
With this new rule, the DOD has taken a modest step toward mandating specific security controls to safeguard sensitive DOD information. Although implementation of the security controls will not likely be burdensome for many defense contractors, the requirement to report each cybersecurity incident that involves the information systems on which controlled technical information is stored may be a surprise to those companies not already used to sharing this information voluntarily.
In addition, the mandated security controls may be difficult for smaller subcontractors and vendors to implement, especially in the commercial-item marketplace. As a result, prime contractors should ensure that the new contract clause is flowed down and that these issues are raised and addressed early in the subcontracting and ordering process whenever a subcontractor or vendor will be required to store controlled technical information on its information system.