On November 18, 2013, the Department of Defense (DoD) issued a final rule, effective the same day, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to impose requirements for safeguarding unclassified controlled technical information residing on contractor information technology systems and databases.
In short, the rule requires implementation of certain security standards if a contractor has access to or stores specified types of controlled technical information on its computer networks, mandates self-reporting by contractors to DoD within 72 hours of a “cyber incident,” mandates maintenance of certain evidence for 90 days if a contractor or subcontractor’s network containing controlled technical information is subject to a cyber incident, and requires a flow down throughout the supply chain to all subcontractors. The rule has potentially significant implications for a large percentage of US defense contractors, whether located in the United States or abroad.
While this rule has a considerable regulatory history (see discussion below), it nonetheless leaves open a number of questions regarding scope and implementation, some of which we identify and discuss in this advisory.
Background to the New Rule
DoD published a proposed rule on June 29, 2011 to implement adequate security measures to safeguard unclassified DoD information residing on contractor information systems from unauthorized access and disclosure, and to prescribe reporting to DoD with regard to certain cyber intrusion events that affect DoD information resident on or transiting through contractor unclassified information systems. The proposed rule covered a wide range of proprietary information, but only required enhanced controls and cyber-intrusion reporting for a subset of covered information, such as certain export-controlled information. The proposed rule was preceded by a 2010 advance notice of proposed rulemaking (ANPRM). DoD received numerous comments in response to both the proposed rule and the ANPRM.
As a result of these comments, DoD limited the scope of the final rule to reduce the categories of information covered. Thus, the final rule requires safeguarding and reporting for only unclassified “controlled technical information,” defined to mean information with a “military or space application” that is technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents or (according to the preamble) DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure. These directives – which are not models of clarity – generally deal with sensitive information that is subject to marking or release restrictions under US government programs.
The rule is also consistent with two parallel efforts within DoD and other agencies. The first effort, most recently exemplified by an October 2013 memo issued by Secretary of Defense Hagel, is to develop heightened standards with respect to the safeguarding of sensitive but unclassified information. The second effort, exemplified by Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (2013), is to improve the Nation’s cybersecurity posture within the Defense Industrial Base and other critical infrastructure sectors. Executive Order 13636 calls for, among other things, a Cybersecurity Framework to be issued by the National Institute of Standards and Technology (NIST) and directs a government-wide review of acquisition regulations to determine “the feasibility, security benefits, and relative merits of incorporating [the Framework’s] security standards into acquisition planning and contract administration.” It further instructs agencies with regulatory authority over critical infrastructure sectors to determine “whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure.” Based on the direction set forth in the executive order and the example at issue here, it is foreseeable that other agencies will look to incorporate cybersecurity requirements into their existing regulatory regimes, or into their agency-specific FAR supplements.
Key Elements of the New Rule
In some respects the final rule represents a rollback of the preliminary rule in that the categories of information covered are distinctly narrower, e.g., it does not cover all proprietary information, nor voice or other types of non-technical information. However, under the final rule (as implemented by a contract clause), it appears that a contractor that has access to controlled technical information and is subject to the cyber security contract clause will have three requirements to observe: (1) adopting and implementing certain NIST information technology security standards; (2) mandatory reporting of cyber security incidents to DoD; and (3) flowing these requirements to subcontractors and perhaps reporting their cyber incidents to DoD. We discuss each of these requirements and identify certain compliance issues associated with each. Note that while the rule is effective immediately, the preamble indicates that DoD does not intend for current contracts to be modified to include the clause.
- IT Security Safeguards
As noted above, if a contractor enters into a government contract containing the new cyber security clause, it is required to implement certain NIST information systems security procedures in its project, enterprise, or company-wide unclassified information technology system to ensure that any unclassified controlled technical information transiting through its system is safeguarded. Drawn from NIST Special Publication 800-53, Revision 4, the standards specified by the rule cover fourteen areas of information security. These include: access control; awareness and training; accountability; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; program management; risk assessment; system and communications protection; and system and information integrity. A contractor can propose alternative methods for achieving protection equivalent to that sought with the NIST standards, or otherwise explain that the standards are not applicable, but any such alternative or explanation must be accepted and approved by the Contracting Officer.
It would appear that a contractor that is subject to the cyber security contract clause will need to implement the required NIST standards for any IT infrastructure system on which controlled technical information may reside or transit. This is because a contractor’s unclassified IT system only needs to contain a minimal amount of controlled technical information in order to be covered. For example, simply receiving one controlled US Government-origin drawing suggests that the contractor's IT system is covered.
Furthermore, the contours of the definition of “controlled technical information” are not immediately obvious, and language in the rule suggests potentially differing and expansive views could be adopted within DoD and the contracting community. The rule refers to DoD Directives 5230.24 and 5230.25, and refers to “military or space” technology. The rule does not reference other regulatory regimes that control the dissemination of technical data, such as the types of information controlled under the Department of State International Traffic in Arms Regulations (ITAR), the Department of Energy Assistance to Foreign Atomic Energy Activities, and the Department of Commerce Export Administration Regulations (EAR). However, the expansive language of the new rule indicates to contractors that certain technical data subject to ITAR controls would be covered. It is possible that the definition could encompass certain other export-controlled technical data under the EAR that relate to space-related items covered in those regulations (e.g., space-qualified electronic components). Recent changes under the Export Control Reform initiative, such as the new "series 600" ECCNs under the EAR, may also need to be factored into how contractors interpret and apply the new rule.
Another question is whether all “controlled technical information,” regardless of origin, is subject to the new contract clause. There is language in the rule and the underlying directives suggesting that, apart from the information being related to military or space applications, the data may need to originate from or be delivered to DoD in order to be subject to the new rule. Various DoD responses to questions, as published in the Supplementary Information to the new rule, as well as the definition of “controlled technical information,” suggest that documents bearing legends prescribed under DoD Instruction 5230.24 are all that is covered by this rule. This, too, is not clear.
- Mandatory Reporting to DoD
If there is a cyber incident affecting covered controlled technical information, the rule requires contractors to report to DoD, via an internet portal, within 72 hours. The exact scope of this reporting requirement is not clear. For example, the reporting requirement focuses on the occurrence of a “cyber incident” which is defined to suggest some type of deliberate use of a computer network or “hack” that has an adverse effect on a contractor IT system or the controlled information residing thereon. Yet, under the reporting requirement set forth at section 252.204-7012(d)(1)(xi), the type of information to be reported apparently can include an “inadvertent release.”
Moreover, the reporting requirement itself may extend beyond the occurrence of a “cyber incident” to include “any other activities . . . that allow unauthorized access to the Contractor's unclassified information system. . . .” See new 252.204-7012(d)(2)(ii). This would appear to be an aggressive reading of the new rule since (a) the reporting requirement appears to key off the occurrence of a “cyber incident” which is a defined term, and (b) the purpose of the rule was to address security requirements and reporting with regard to contractor unclassified IT systems.
This is a significant issue from the perspective of US export control regulations. For example, an IT “hacking” incident is not typically viewed as a per se violation, by the hacked contractor, of US export controls, particularly when a contractor has adequate security standards. Therefore, a contractor that is the victim of a cyber incident may not believe it is required or appropriate to file a report with US Government export control agencies, even though it may now be required to file a report with DoD. With the new rule, how contractors (and subcontractors) will approach their disclosure options for reporting external or internal cyber incidents as “export control” violations is now a more pressing question.
In this regard, it appears from the rule that the reports submitted to DoD will not be shared with other federal government agencies, but the rule is not entirely clear on this point. For instance, it notes that nothing should stop the Government from engaging in its normal law enforcement or counterintelligence activities. Therefore, DoD may decide in some instances to share a report with a US Government export control or law enforcement authority. If so, it is possible that a contractor could lose voluntary disclosure credit with the Directorate of Defense Trade Controls (DDTC) if it does not self-disclose in parallel to DDTC.
Furthermore, if the DoD mandatory reporting obligation were to extend to more routine compromises of controlled technical data on an IT system (e.g., a contractor’s release of ITAR-controlled technical data to an unauthorized foreign national employee; or releasing data on an IT system to an unauthorized foreign contractor or licensee), then the question arises whether such incidents qualify for “voluntary disclosure” credit if reported in parallel with or after the 72-hour report that would be required to DoD. And if a contractor or subcontractor decides not to report such incidents to DDTC or the Bureau of Industry and Security (BIS) (assuming no mandatory duty to report exists under their respective export control regimes), will the contractor (or subcontractor) experience reduced mitigation credit in the event that an export control agency were to learn of the incident and that it was previously reported to DoD?
The rule may also pose a challenge for large contractors because their unclassified corporate systems are so large (and presumably subject to potential compromise so frequently), that it may be difficult to comply with the 72-hour rule even if reporting is only at a high level. In addition, larger contractors may not always know what data was compromised or which contracts were affected.
- Subcontractor Flow Down Requirement
The contract clause contains a mandatory flow down to all tiers of subcontractors. Furthermore, the flow down requirement is applicable to commercial item procurements, making it broadly applicable throughout the government contract supply chain, to include entities that supply commercial items but otherwise have controlled technical information on their IT system.
The rule has potentially significant ramifications for the supply chain. Many large DoD contractors already may have systems in place to prevent and detect potential cyber intrusions and that already meet the specified NIST standards. It is less likely, however, that small and medium-sized subcontractors have such systems.
There is no separate definition of “subcontractor” in this rule or reference to any of the various other definitions of this term in the FAR; nor is it clear how broadly DoD will construe “subcontractor” for purposes of this rule. We note that the preamble to this new rule states that the requirements can apply to ISPs and cloud computing vendors. Those vendors, and other entities that deal with US Government contractors, might not consider themselves subcontractors or be subject to other FAR/DFARS flow downs. This is particularly true for “overhead” or “shared service” type vendors or suppliers. It is possible that primes will attempt further flow downs to these entities, and this could be an area of possible future controversy between primes and putative subs.
Note also that the mandatory cyber incident reporting requirements to the US Government appear to run from the subcontractor to the prime contractor and from the prime contractor to the Government, rather than from the subcontractor directly to the US Government. This would place additional responsibilities on the prime contractor, and be another source of potential tension in the commercial relationship.
In sum, this rule presents some difficult questions for DoD contractors and subcontractors and is part of a rapidly evolving statutory and regulatory regime that affects government contractors.