On 29 June 2011 DOD published a proposed rule[1] that would amend the Defense Federal Acquisition Regulation Supplement (DFARS) to update the basic and heightened security requirements for government contractors with access to unclassified nonpublic DOD and/or export-controlled information resident on or transiting through their computer and information systems. The proposed rule would create significant new obligations for government contractors handling unclassified export-controlled information and should be reviewed carefully. Comments on the proposed rule must be submitted to DOD no later than 29 August 2011.
The proposed rule amends Parts 204 and 252 of the DFARS by adding subpart 204.74, Safeguarding Unclassified DOD Information; section 252.204-70XX, Basic Safeguarding of Unclassified DOD Information; and section 252.204-70YY, Enhanced Safeguarding of Unclassified DOD Information. Subpart 204.74 requires certain security measures to be included in all government contracts and solicitations involving unclassified nonpublic government information, regardless of the size and scope of the contract.[2] Section 252.204-70XX sets forth "basic" security guidelines, which DOD anticipates will not be overly burdensome for most contractors.[3] Section 252.204-70YY imposes enhanced protections on certain types of more sensitive government information, including information controlled under the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR), and requires contractors to report security breaches and to institute safeguards that meet National Institute of Standards and Technology (NIST) standards.[4]
The proposed basic and enhanced protection requirements have met resistance from some contractors because of the potential expense of implementing them. While the basic protection requirements mainly require contractors to change some of their practices at limited cost, the enhanced safeguarding provisions are likely to affect many small businesses that do not have sophisticated security programs in place. For instance, in the proposed rule DOD estimates that more than 75 percent of the approximately 64,400 affected small businesses will need to meet the enhanced security requirements.[5] The strict reporting requirements of the Enhanced Safeguarding provision are also potentially problematic for contractors concerned with keeping information on their systems confidential. If proposed section 252.204-70YY is finalized, any information provided to DOD in a cyber incident report may be used and shared by the government for law enforcement, national security, and other purposes.[6] Contractors subject to the Enhanced Safeguarding provision are also cautioned to obtain permission before disclosing third-party information to the government in the course of reporting a cyber incident, as the contractor may be held liable to the third party if the information is subject to a nondisclosure agreement.[7]
An overview of the proposed rule and potential gaps in the new regulatory framework are discussed below.
Safeguarding unclassified DOD information 204.74
This subpart states that the new protections will apply to all contracts and subcontracts under which contractors and subcontractors will be using, storing, or transmitting unclassified nonpublic DOD information.[8] The new protections will not apply to voice information, and they are not intended to cancel or replace any existing security measures.[9] Either a Basic Safeguarding or an Enhanced Safeguarding provision, depending on the sensitivity of the unclassified information, will be included in solicitations and contracts when the activity to be performed might require a contractor or subcontractor to have nonpublic unclassified DOD information "resident on or transiting through its unclassified information systems."[10] Contractors are responsible for placing these provisions in all subcontracts that meet the above criteria.[11]
Basic safeguarding provision 252.204-70XX
This proposed section sets forth several "basic" protection measures that apply to all unclassified nonpublic information that the government provides to a contractor or its subcontractors, or that is used or created by contractors in the course of providing support to the government.[12] Among the many proposed basic safeguards, contractors are instructed to:
- only access unclassified government information on secure, nonpublic computers;
- refrain from posting unclassified government information on public websites that can be accessed without a password;
- use secure pathways when sending electronic communications like email and texts;
- protect information with at least one "physical or electronic barrier," such as keeping computers in locked drawers, or password protecting information;
- install and regularly update software programs such as anti-virus and anti-spyware; and
- scrub all government information from any physical devices or recording media before releasing the equipment.[13]
Enhanced safeguarding provision 252.204-70YY
In addition to the basic safeguards mentioned above, the second proposed section of Part 252 imposes a stricter set of security provisions on certain contracts. These enhanced measures are required for contractors handling sensitive information such as Critical Program Information, personally identifiable information, or information that is subject to export controls under the International Traffic in Arms Regulations and the Export Administration Regulations.[14] Among the proposed enhanced safeguards, contractors are required to:
- implement an information security program that complies with the NIST security standards, or explain why the NIST requirements do not apply;
- use DOD-approved identity credentials, which will allow only DOD-authorized contractors and subcontractors to access DOD information systems; and
- report any security breaches, referred to as "cyber incidents," within 72 hours so that the damage can be assessed and further harm prevented.[15]
Under the proposed reporting requirements, contractors must formally notify DOD whenever an unauthorized user may have accessed, copied, removed, or manipulated DOD information on either their own system or a subcontractor's system.[16] The proposed rule lists a series of steps that the contractor must take to report the incident, including submitting an analysis and images of the data, computers, servers, and other equipment that were accessed, and cooperating with the DOD Damage Assessment Management Office in the investigative process.[17] DOD notes that a contractor who reports a cyber incident is not automatically assumed to be in breach of the 252.204-70YY requirements. However, DOD reserves the right to consider the incident when determining whether the contractor is in compliance.[18]
The proposed rule provides significant detail on the Basic and Enhanced Safeguarding requirements, but several outstanding issues will require clarification, including:
- Can DOD perform special audits for compliance with these new security requirements?
- Would a failure to comply or implement the required security measures constitute breach of contract, and thereby increase risk of terminations for default?
- The proposed regulation does not define "information subject to the EAR." Given that very low-level technology may be subject to the EAR, this rule could potentially impose burdensome new requirements on all DOD contractors with access to low-level EAR99 technology.