On June 23, DoD will hold a four-hour “Industry Information Day” regarding the DFARS “Network Penetration and Contracting for Cloud Services” rule. Contractors and other entities have until June 12 to register. In anticipation of that public meeting, we thought it would be helpful to summarize relatively recent regulatory developments regarding government contractor cybersecurity.
In 2016 the FAR and DFARS Councils, as well as the National Archives and Records Administration (NARA), published new or revised regulations impacting (or potentially impacting) government contractor cybersecurity and information governance obligations throughout the supply chain.
In the immediate term, the most significant of these regulatory actions is the revised DFARS “Network Penetration and Contracting for Cloud Services” rule issued on October 21, 2016. Building upon predecessor versions, this detailed and nuanced rule specifies (among many other requirements) that defense contractors (and their supply chains) are to implement the dozens of cybersecurity controls set forth in NIST SP 800-171 by December 31, 2017 for purposes of protecting controlled unclassified information (CUI) on non-federal information systems, and to have “adequate security” in the interim. They are also to report possible breaches to DoD within 72 hours.
Another rule is the May 2016 FAR provision entitled “Basic Safeguarding of Contractor Information Systems.” It applies to virtually all government contractors (whether or not they have a contract with the DFARS provision) and requires immediate implementation of a small subset of the more basic NIST SP 800-171 controls, well before the December 2017 DFARS deadline.
NARA also issued a rule, “Controlled Unclassified Information” (CUI), in September 2016 as part of the government-wide effort to standardize methods for treatment of such information. On its face, the NARA rule’s scope is broader than the DFARS and FAR rules in that it (a) memorializes NARA’s overall system for the identification and marking of CUI, including cross-referencing the CUI Registry and (b) sets forth a series of physical and cyber safeguards for such information on a government-wide basis, including cross-referencing NIST SP 800-171 and various other standards for handling of controlled information.
At present, however, the NARA rule is only directly applicable to federal agencies themselves. Agencies are in the process of implementation given the large number of requirements at issue. In this regard, the CUI Registry’s website itself notes: “Existing agency policy for all sensitive unclassified information remains in effect until your agency implements the CUI program. Direct any questions to your agency's CUI program office.” However, the rule calls for agencies to incorporate its elements by reference in contractual agreements with contractors or other private sector entities that need access to sensitive government information for purposes of supporting a federal program or for other reasons. The DFARS Network Penetration Rule, which is implemented through DFARS 252.204-7008 and 252.204-7012, covers some but not all of the landscape of the NARA rule. A FAR rule that incorporates the NARA requirements for purposes of federal procurement has been anticipated (and is listed as an open FAR case with a report due in June) but has not yet been issued during the new Administration. On its face, the NARA rule, if implemented in industry in its entirety through a FAR provision, has the potential to be extraordinarily wide reaching, including various provisions regarding marking and physical safeguarding. It also presents interesting questions as to the interplay between the rule and existing statutes and regulations that govern various forms of CUI, such as export-controlled information.
The interplay of the three rules above has been difficult for many companies to plan for and digest. However, for companies in the defense and homeland security space, two proposed rules issued at the end of last year and the beginning of this year, if implemented, have the potential to present additional compliance challenges.
For instance, in October 2016, DoD issued a proposed rule titled “Withholding of Unclassified Technical Data and Technology from Public Disclosure” that would temporarily revoke contractor access to DoD-origin export-controlled information if DoD receives “substantial and credible information” of potential contractor violations of US export control law. Moreover, the rule calls for DoD to refer potential export control violations to law enforcement. It also sets forth a marking protocol that is not necessarily consistent with the NARA CUI rule or with existing practice among many regulated defense contractors under export control regulations. A final or interim rule was expected in May 2017 but as of this writing has not been issued.
In the context of cybersecurity, the proposed rule raises the question of whether a report of a cyber breach involving export-controlled information under the DFARS Network Penetration rule could lead to a revocation of the right to access DoD export-controlled information or to a law enforcement referral. (If the contractor had adequate security, and by December 2017 had implemented NIST SP 800-171, it would likely take the position that a hacking incident is not an “export” but instead a “theft.”) Moreover, how would the proposed rule, if adopted, interact with other established voluntary disclosure regimes for potential export control violations?
As to Department of Homeland Security (DHS) contractors, the plot thickened in January 2017 when DHS issued its own proposed revision to the Homeland Security Acquisition Regulation (HSAR) titled “Safeguarding Unclassified Controlled Information.” Unlike the emerging norm established by DoD and adopted by NARA, the DHS proposed rule does not specifically recognize NIST SP 800-171 as the baseline cyber standard, and it also introduces several categories of CUI that are not part of the NARA CUI Registry. Therefore, if adopted in its present form, the DHS rule has the potential to create an additional regulatory hurdle, as well as a significant cost burden, for companies that work with multiple agencies.
How all of these rules play out for the remainder of 2017 is anyone’s guess. However, DoD’s Industry Day on June 23 may supply a good opportunity to discuss these topics and others.