On November 19, 2013, the Pentagon adopted new rules intended to protect data on unclassified networks, rules that will likely place a significant burden on defense contractors. The amendment to the Defense Federal Acquisition Regulation Supplement requires defense contractors to incorporate "established" information security standards across their unclassified networks and to report "cyber-intrusion incidents" that result in the loss of controlled technical information.
The amendment applies to all new Department of Defense ("DOD") contracts involving non-classified "technical information." The Pentagon's definition of "technical information" broadly includes research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code. Going well beyond the protection of confidential or proprietary information, the breadth of the rule also covers the acquisition or sale of routine commercial items. As a result, all purchases of commercially available, "off-the-shelf" products that involve the sharing of technical information fall within the purview of the newly enhanced security requirements.
Aside from adopting a broad definition of "technical information," the new policy places a significant burden on contractors to report cyber incidents involving "covered data." Contractors will now be required to report—within 72 hours—the specific details of any incident involving the actual or potential compromise of covered data. In addition to reporting all incidents to the Defense Industrial Base Cybersecurity Information Assurance Program, contractors must retain all impacted data for 90 days to facilitate the DOD’s damages assessment. The self-reporting requirement should not, however, be misconstrued as a safe harbor. Directly rejecting the notion of a safe harbor, the new rules merely state that the reporting of a cyber incident "shall not, by itself, be interpreted under this clause as evidence that the contractor has failed to provide adequate information safeguards."
It is estimated that the new security requirements will directly impact over 6,555 contractors. But this is only the tip of the proverbial iceberg. The obligation to protect technical information covers every network in which the data resides or through which it passes. This means that companies that transmit "technical information" to, or receive it from, a covered contractor will be directly or indirectly obligated to ensure the security of the networks through which the technical information is transmitted or on which it is stored. The DOD guidance on this point is very clear; it states that all contractors who receive covered information are obligated to ensure that each recipient of that information has a system with enhanced safeguards. For example, contractors will be obligated to confirm: (1) that their subcontractors or suppliers who receive technical information are authorized to receive it; (2) that the information is transmitted to the subcontractor/supplier using appropriate security controls; and (3) that the subcontractor/supplier safeguards the information in accordance with the new requirements.
Impacting the bottom line of many companies, the DOD’s adoption of the new requirements does not include an obligation for the Pentagon to share in the increased costs associated with the new procedures. Responding to questions on this point, the DOD offered its assessment that, while there will be costs associated with implementing the new procedures, "the costs are reasonable." This assurance may provide little comfort in light of the DOD’s statement that "[t]he Government does not intend to directly pay for the operating costs associated with the rule."
The new security standards will impact future and ongoing procurements. Contractors should expect to see security compliance language incorporated into mandatory evaluation criteria in future acquisitions, and contractors without compliant systems may become ineligible to bid. The standards will also appear in future certifications. Audits by the Defense Contract Audit Agency (DCAA) or the Defense Contract Management Agency (DCMA) may also begin to include spot checks for security compliance. Finally, corporate compliance programs should be modified to account for this new requirement.
The full text of the final amendments to the Defense Federal Acquisition Regulation Supplement, including DOD comments, can be found here.