The Department of Defense’s interim revision to the Defense Federal Acquisition Regulation Supplement (DFARS) relating to cyber security and cyber incident reporting could have significant adverse effects on companies engaged in DOD contracting or subcontracting. Once this interim rule is fully applicable to DOD activities (and particularly if it is extended to other branches of the federal government), it could substantially increase the costs of DOD contracting, limit the number of smaller entities that can qualify to perform government contracting, and significantly increase the risk of disclosure of sensitive corporate information.
In summary, this “interim rule” imposes on DOD contractors and subcontractors a contractual duty to provide “adequate security” from “unauthorized access and disclosure” for a broad array of unclassified information, including controlled technical information, export controlled information, critical information, and other information requiring protection by law, regulation or policy (protections for classified information continue to be governed by the National Industrial Security Program Operating Manual (NISPOM)). The interim rule also requires DOD contractors and subcontractors to report directly to the appropriate DOD office a “cyber incident” (defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or information residing therein”) or the discovery of “malicious software.” Furthermore, it requires contractors and subcontractors to make available to the government “media (or access to covered contractor information systems and equipment)” upon request, so that DOD can conduct its own forensic analysis of the incident. The interim rule also contains new provisions relating to the acquisition of cloud computing services by DOD.
This rule is significant for a number of reasons:
- Immediate Effect: The interim rule is effective immediately and its provisions will be included in all DOD proposals and contracts from the date of publication of the interim rule (August 26, 2015). DOD justified the immediate effectiveness because “urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment.”
- Change in Standard: While the previous version of this DFARS clause did set forth baseline security standards, the interim rule adopts the substantially expanded framework for security recently set forth by the National Institute of Standards and Technology (NIST) in its Final Guidelines for Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST 800-171). Although the new NIST guidelines are “specifically tailored for use in protecting sensitive information residing in contractor information systems” and, therefore, may be easier to implement than the earlier standards, contractors must review the new guidelines and make appropriate changes to ensure compliance. These requirements may impose onerous burdens on smaller contractors and subcontractors; for example, the interim rule recognizes that smaller companies covered by the interim rule “will likely” be required to employ “an information technology expert to provide information describing the cyber incident or at least to determine what information has been affected . . . .”
- Broad Reach: The interim rule applies to all contractors and subcontractors with “covered defense information transiting their information systems.” DOD estimates the interim rule may apply to ten thousand contractors, including providers of commercial items. DOD acknowledges that, while fewer than half of those contractors are small businesses, the interim rule may have a “significant economic impact on a substantial number of small entities.” The cost of retaining an information technology expert to describe an incident and determine what information was affected, discussed above, is one of the burdens DOD itself identifies for these smaller entities.
- Substantial Data Covered: The “covered defense information” to be safeguarded is extremely broad. It includes, for example, “export control” information, which the rule defines to reach “information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.” (Since this category is in addition to items identified in ITAR, the Export Administration Regulations, and export license applications, and does not refer to classified information, it is unclear how a contractor would know what is meant to be covered, or how it would mark and segregate such data on its systems.)
- Quick Turnaround: Cyber incident reports must be made within 72 hours of discovery, both directly to DOD and up through the chain of subcontractors to the prime contractor. The filing of a cyber incident report will be considered “in the context of an overall assessment of a contractor’s compliance with the requirement” to safeguard protected information, although a “cyber incident that is reported … shall not, by itself, be interpreted as evidence that a contractor or subcontractor has failed to provide adequate information safeguards for covered defense information.”
- Potential Disclosure of Proprietary Information: Cyber incident reports or other information required to be provided to DOD under this interim rule may include a contractor’s proprietary information, including personal identifying information. Although DOD states “the government shall protect against the unauthorized use or release” of such information, that may be of little solace to affected contractors in light of the government’s apparent inability to protect unclassified data systems from attack by foreign entities.
- New Cloud Computing Requirements: In addition to the cybersecurity requirements described above, the interim rule also implements new policies and procedures regarding DOD’s acquisition of cloud computing and imposes new requirements on contractors that use cloud computing services in performing a DOD contract. Under the interim rule, DOD may acquire cloud services only from providers that have been granted a provisional authorization by the Defense Information Systems Agency (DISA) at the level appropriate to the data involved, and such contractors must comply with the security controls set out in DISA’s Cloud Computing Security Requirements Guide (SRG).
While this interim rule took immediate effect on August 26, 2015, DOD will receive public comments on the interim rule before it is published in its final form. The period for public comment is scheduled to close on October 26, 2015. Comments may be submitted in writing by various means set forth in the interim rule.