On August 26, 2015, the U.S. Department of Defense (“DoD”) published an interim rule entitled Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) (the “Interim Rule”), which streamlines contractors' obligations to report network penetrations and establishes DoD requirements for contracting with cloud computing service providers. The Interim Rule amends the information security contracting framework set forth in the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement section 941 of the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2013 and section 1632 of the NDAA for FY 2015, both of which impose cyber incident reporting obligations on contractors.
The Interim Rule requires DoD contractors and subcontractors to report cyber incidents that result in a compromise or have an actual or potentially adverse effect on a covered contractor information system or the covered defense information residing therein. Covered defense information includes controlled technical information, export controlled information, critical information and other information requiring protection by law, regulation or government-wide policy. Pursuant to the Interim Rule, contractors and subcontractors will be contractually obligated to report such cyber incidents to the DoD within 72 hours of discovery.
The Interim Rule also revises DFARS to implement policies and procedures for the acquisition of cloud computing services. Among the cloud computing policies and procedures added to DFARS, the Interim Rule requires that cloud computing service providers be contractually obligated to maintain all government data that is not physically located on DoD premises within the U.S. or outlying areas, unless otherwise authorized in writing by the contracting officer.
In addition, the Interim Rule revises the DFARS solicitation provisions and contract clauses related to safeguarding covered defense information. Notably, the Interim Rule replaces the table of security controls based on the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-53 in DoD solicitations and contracts with NIST SP 800-171, entitled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. This document is specifically tailored for use in protecting sensitive information residing in contractor information systems.