We previously reported on the new rules implemented by the Department of Defense (DoD) requiring government contractors and subcontractors to report cybersecurity breaches of their (and their subcontractors’) information technology systems not only for unclassified controlled technical information (UCTI), but for all types of what DoD now calls “covered defense information,” a term that includes UCTI plus other categories of non-classified information that requires special handling, such as export control data and operations security information.
The new rule expanded the types of cyber incidents that must be reported and the types of defense information that must be protected by DoD contractors and subcontractors. Just six weeks after issuing the new rule, however, DoD apparently recognized that at least one part of the rule was not practicable because, on October 8, 2015, DoD issued a class deviation giving covered contractors an additional nine months to satisfy the requirement for “multifactor authentication for local and network access” found in NIST Special Publication 800-171.
While welcoming that limited relief, contractors continued to complain that they needed additional time to come into compliance with other aspects of the new rules. On December 30, 2015, DoD acknowledged those concerns and issued a second interim rule, amending both DFARS 252.204-7008, Compliance with Safeguarding and Covered Defense Information Controls, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, to provide contractors with some additional breathing room beyond the nine months provided by the October 8 class deviation. Most significantly, the revised rule gives contractors until December 31, 2017 to fully implement all NIST SP 800-171 controls on covered contractor information systems.
In addition, the subcontractor flowdown requirement in DFARS 252.204-7012 was amended to limit the flowdown to only those subcontractors that will house covered defense information or will provide “operationally critical support.” Further, the portion of the same DFARS clause that previously required DoD Chief Information Officer (CIO) acceptance of alternative but equally effective security measures prior to contract award has been rescinded. While contractors are still required to inform the DoD CIO of any NIST SP 800-171 security measures not implemented at the time of award, this information is not for approval purposes, but is merely an assessment tool for DoD to use to measure industry-wide progress towards compliance. That said, failure to notify DoD of any gaps could have significant consequences for contractors, particularly in the event of a cyber breach. Thus, while contractors have additional time for full implementation of the security standards, an immediate assessment of compliance is still necessary.
The new rule is available here: https://www.federalregister.gov/articles/2015/12/30/2015-32869/defense-federal-acquisition-regulation-supplement-network-penetration-reporting-and-contracting-for?utm_campaign=email+a+friend&utm_medium=email&utm_source=federalregister.gov