On November 18, 2013, the Department of Defense (DoD) published a Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for safeguarding unclassified controlled technical information. This rule has been in development for over two years, with DoD originally publishing a rule-making Notice on March 3, 2010, and a Proposed Rule on June 29, 2011. The Proposed Rule would have created two categories of security protections: “Basic” and “Enhanced.” We summarized the Proposed Rule in a Client Alert in July 2011 here. After receiving extensive industry comments, DoD amended the Proposed Rule to limit the categories of covered information and require only one level of security protection. However, there are still some uncertainties in the Final Rule, such as the lack of a safe harbor for contractors that adopt stringent security measures.
DoD issued a statement on November 19 stating that the Final Rule is “one of many significant follow-on actions to Secretary Hagel’s Oct. 10 memo directing actions to protect DoD unclassified controlled technical information from cyber intrusions and minimize the consequences associated with loss of this information.” Hagel’s October memorandum explained that such data was of increasing concern to the Pentagon because it could give adversaries “extraordinary insight into the United States’ defense and industrial capabilities” and allow them to more quickly develop similar capabilities of their own.
Development of the Rule
The 2010 Notice proposed changes to the DFARS that would require contractors and subcontractors to provide “adequate security” to safeguard “DoD information” on their unclassified information systems from unauthorized access and disclosure. The notice created two levels of security for DoD information:
Basic: Applies to any DoD information on a contractor’s unclassified information systems.
Enhanced: Applies to DoD information on a contractor’s unclassified information systems that is: (1) designated as Critical Program Information; (2) subject to ITAR and EAR regulations; (3) designated for withholding from public release under DoD FOIA; (4) bears current or prior designations indicating controlled access and dissemination (e.g., For Official Use Only, Sensitive But Unclassified, Limited Distribution, Proprietary, Originator Controlled, Law Enforcement Sensitive); (5) technical data, computer software, and any other technical information covered by DoD Directive 5230.24 (Distribution Statements on Technical Documents) and DoD Directive 5230.25 (Withholding of Unclassified Technical Data from Public Disclosure); or (6) personally identifiable information.
DoD published the Proposed Rule in June 2011. The Proposed Rule would have amended Parts 204 and 252 of the DFARS by adding subpart 204.74 Safeguarding Unclassified DOD Information, section 252.204-70XX Basic Safeguarding of Unclassified DOD Information, and section 252.204-70YY Enhanced Safeguarding of Unclassified DOD Information. Subpart 204.74 would require certain security measures to be included in all Government contracts and solicitations involving unclassified nonpublic Government information, regardless of the size and scope of the contract. The Proposed Rule contained “Basic” security guidelines, as well as “Enhanced” protections for the types of more sensitive Government information described above. The Proposed Rule also required reporting on certain cyber intrusion events that affect DoD information resident on or transiting through contractor unclassified information systems.
Changes from the 2011 Proposed Rule
After receiving 49 comments on the Proposed Rule, DoD has significantly reduced the categories of information covered. The Final Rule only applies to the safeguarding of “unclassified controlled technical information,” a term that includes technical data, computer software, and any other technical information covered by DoD Directive 5230.24, Distribution Statements on Technical Documents, and DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure. Moreover, the onus is on DoD to ensure that such information is properly marked with a distribution statement per DoD Instruction 5230.24.
In addition, the following significant changes were made to the Final Rule:
New definitions are included for “controlled technical information”, “cyber incident” and “technical information.” The following definitions are no longer included:
- “authentication,” “clearing information,” “critical program information,” “cyber,” “data,” “DoD information,” “government information,” “incident,” “information,” “information system,” “intrusion,” “non-public information,” “safeguarding,” “threat,” and “voice”.
While the 2011 Proposed Rule would have included section 252.204-70XX, Basic Safeguarding of Unclassified DOD Information, and section 252.204-70YY, Enhanced Safeguarding of Unclassified DOD Information, the Final Rule only uses one contract clause.
- DFARS 204.7303 (Contract Clause) now prescribes only one clause, 252.204-7012, Safeguarding of Unclassified Controlled Technical Information. This contract clause largely tracks the text of the “Enhanced” safeguarding clause. The clause is mandatory for all contracts and solicitations, including for commercial items, and must flow down to all subcontractor tiers.
- The previously proposed “Basic” safeguarding clause is removed. Instead, the proposed controls will be implemented through Federal Acquisition Regulation (FAR) case 2011-020 (Basic Safeguarding of Contractor Information Systems).
- Many comments were concerned about the requirement in the Proposed Rule to report cyber incidents within 72 hours of detection. The Final Rule retains the 72-hour window, but now lists 13 basic items of information, “as much…as can be obtained,” that must be submitted within 72 hours. Contractors must retain incident information for 90 days to allow DoD to request more information or decline to pursue further.
Related Proposed FAR Rule on “Basic” Safeguarding
A Proposed Rule published August 24, 2012 (the “FAR Proposed Rule”), as FAR Case 2011-020, would add a new FAR Subpart 4.17 and associated contract clause requiring “basic safeguarding” for contractor information systems where information provided by or generated for the Government will reside on or transit through those systems. The FAR Proposed Rule defines “basic protection measures” as “first-level information technology security measures used to deter unauthorized disclosure, loss, or compromise.” The FAR Proposed Rule would impose the safeguarding requirements through a new contract clause, FAR 52.204-XX, Basic Safeguarding of Contractor Information Systems, prescribed for all solicitations and contracts above the simplified acquisition threshold when the prime contractor or any subcontractor at any tier “may have” information provided by or generated for the Government residing on or transiting through its information systems.
In addition to FAR Case 2011-020, other overlapping examples of federal cybersecurity-related initiatives under development that would apply to DoD contractors include:
- DFARS Case 2013-D018 – Reports to DoD on Penetrations of Networks and Information Systems. This rulemaking is mandated by Section 941 of the Fiscal Year 2013 National Defense Authorization Act, which requires certain contractors to report to DoD cyber intrusions of their covered networks and information systems and allows DoD access to covered networks and information systems so that DoD can study the penetration and ascertain whether DoD information may have been exfiltrated. This DFARS case is currently in the draft interim rule stage.
- DFARS Case 2012-D050 – Supply Chain Risk. This rulemaking is a result of Section 806 of the Fiscal Year 2012 National Defense Authorization Act and requires the risk evaluation of information technology contractors’ supply chains on national security systems. This DFARS case is currently in the interim rule stage.
- FAR Case 2012-028 – Contractor Access to Protected Information. This rulemaking addresses contractor access to protected information provided by the Government, generated for the Government, or provided by a third party and marked by the provider to indicate that protection is required. This FAR case is currently in the draft proposed rule stage.
While DoD’s narrowing of the Final Rule has largely been applauded by industry, several issues raise concerns. First, the Final Rule’s definition of “adequate security” provides no objective standard that the contractor can meet. Given the evolving nature of cybersecurity threats, new security technology and processes are constantly being developed. Contractors will always examine the trade-off between the potential losses from cyber events and the significant costs of adding security measures. Cybersecurity incidents are often difficult to prevent, even if a contractor maintains a high standard of security. Yet the Government has declined to adopt a “safe harbor” for contractors that adhere to high standards of security. Specifically, DFARS 204.7302(b)(2) states that “A cyber incident that is properly reported by the contractor shall not, by itself, be interpreted under this clause as evidence that the contractor has failed to provide adequate information safeguards . . .” The Federal Register notice states that the Government does not intend to provide any safe harbor assurances.
Second, a subcontractor could find itself subject to both the “Basic” safeguarding (FAR Proposed Rule) and DoD’s “Enhanced” safeguarding (Final Rule). Many subcontractors perform work for more than one prime contractor, making it possible that a subcontractor will face different security standard requirements as well as conflicting interpretations of those requirements. It is also unclear how these rules interact regarding whether a party has any affirmative responsibility for reviewing or approving a subcontractor’s level of security. For example, the Final Rule “requires that prime contractors report when unclassified controlled technical information has potentially been compromised regardless of whether the incident occurred on a prime contractor’s information system or on a subcontractor’s information system.”
Finally, and perhaps most importantly, while the type of information covered by the security requirements was narrowed, DoD expanded the application of the requirements by making clear that an internet service provider or cloud service provider would be considered a subcontractor under this rule. Specifically, the preamble states that “[a]n Internet Service Provider (ISP) or cloud service provider constitutes a subcontractor in this context. The contractor is responsible for ensuring that the subcontractor complies with the requirements of this rule within the scope of this rule.”