*This is the first post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense (“DoD”) on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post provides an introduction to the new DoD cyber security regulations.
The DoD decided to implement the new cyber security regulations, and make them effective immediately upon issuance on August 26, 2015, following the aftermath of the Office of Personnel Management’s data breaches that impacted personally identifiable information for over 21.5 million government employees and contractors. Specifically, DoD stated that it implemented the new regulations because of the urgent need to protect covered defense information, understand the full scope of cyber-attacks against defense contractors, and reduce the vulnerability of cloud computing attacks.
The network penetration reporting implementing regulations are at DFARS 252.204-7012, and are entitled Safeguarding Covered Defense Information and Cyber Incident Reporting. These regulations require, among other things, that prime contractors and their subs employ “adequate security” commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information. This requires that contractors implement the security controls based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, entitled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. (You can read our summary of the NIST SP 800-171 guidelines here.) Contractors are obligated to rapidly report (within 72 hours of discovery) any cyber incident that affects the covered contractor’s information system, covered defense information, or the contractor’s ability to provide operationally critical support. In addition, the reporting obligations require that contractors isolate and capture, if possible, an image of the malicious software (e.g., worm, virus, etc.) and provide access to covered contractor information systems and other information if requested by DoD. As DoD explained, a contractor will likely require the assistance of a technology expert to meet these new data security and reporting obligations.
The contracting for cloud services regulations are at DFARS 252.239-7010, and are entitled Cloud Computing Services. These regulations are applicable when a contractor uses cloud computing to provide information technology services in the performance of a contract. These regulations provide standard contract language for DoD’s acquisition of cloud computing services, including access, security, and reporting requirements, and require that contractors implement and maintain administrative, technical, and physical safeguards and controls commensurate with the security level and services required with the Cloud Computing Security Requirements Guide (SRG). In addition, the cloud computing service must have been granted provisional authorization by the Defense Information Systems Agency, the service must be located within the 50 states or outlying areas, and the contractor providing the cloud computing services must be able to coordinate with the designated government official in the event of “spillage” of information being stored. (“Spillage” means a security incident that results in the transfer of classified or controlled unclassified information onto an information system not accredited or authorized for the appropriate security level.) The contractor must also agree to support and cooperate with DoD inspections, audits, and investigations, including the ability to conduct system-wide searches for litigation, eDiscovery, and records management purposes.