In the last two months, the federal government has issued a number of cybersecurity-related regulations that are or will be directly or indirectly applicable to a wide range of federal contractors and subcontractors. More rules (including a blanket FAR provision) are expected, but the three rules below present an interrelated set of requirements and standards that federal contractors and their supply chain should understand. We note that these are complicated and interrelated rules, and our discussion below is simply a high-level treatment of key issues rather than a comprehensive assessment of the nuances of each rule. Contractors are encouraged to read these rules in their entirety.
NARA’s Agency-Wide Rule on Controlled Unclassified Information (CUI)
On September 14, the National Archives and Records Administration (NARA) issued a final rule regarding controlled unclassified information (CUI). The rule is effective November 14, 2016. In general terms, the rule applies only to federal agencies, but it states that it is important to protect CUI in non-federal information systems and calls for agencies to implement their own procedures and agreements to apply the rule’s requirements to contractors and other non-federal entities such as grantees, universities, and state and local governments.
The NARA rule implements Executive Order 13556, Controlled Unclassified Information, and is part of the government’s effort to create a unified system for the treatment and identification of CUI that relates to government programs, i.e., to rein in and centrally organize the patchwork of categories and rules that have grown up over the years regarding sensitive but unclassified information. The rule cross-references NARA’s formal “CUI registry” and says that it will be the clearinghouse for categorization of such information. To the extent that a category of CUI is subject to specific pre-existing legal or regulatory controls, it will be known as “CUI Specified” and the pre-existing rules regarding its treatment will continue to apply. To the extent that categories of information exist which are not subject to pre-existing rules, they will be known as “CUI Basic” and the baseline procedures specified in various NIST standards incorporated by reference in the rule will be applicable.
Several sections of the rule and preamble respond to both public and agency comments requesting further explanation on issues or otherwise discuss how the different levels of CUI interact, the basis for CUI controls, the levels of control agencies may impose within the agency and outside the agency, the rules governing written agreements and information sharing, how to treat legacy information, destruction options, controls on dissemination, and reporting of mishandling.
The final rule identifies four categories of information provided by or developed for the government:
- Classified Information: Information required by Executive Order 13526, “Classified National Security Information,” or predecessor or successor orders, or the Atomic Energy Act of 1954, to be marked with a classification designation to protect it from unauthorized disclosure.
- CUI Basic: Information created or possessed by or for the government where a law, regulation, or policy requires or permits safeguarding or dissemination controls. CUI Basic is CUI for which no particular controls are specified. The rule states that it gathers a majority of CUI under one set of consistent requirements, referred to as CUI Basic, and standardizes how agencies comply throughout the executive branch. The rule also points out that this structure, the CUI Registry, NIST standards, and oversight functions by the CUI EA are designed to restrain broad application of controls on information. The rule’s uniform handling controls for CUI Basic require protection at no less than a “moderate” confidentiality standard under the Federal Information Security Modernization Act (FISMA). CUI Basic documents can be marked simply as “CUI” or “Controlled.”
- CUI Specified: Information where applicable law, regulation, or policy provides specific handling controls that differ from the controls that apply to CUI Basic. The final rule provides that those specified controls are to be followed for CUI Specified and that applicable special markings should continue to be used on, for example, export-controlled information, critical infrastructure information, proprietary information, or source selection information, to name just a few of the several dozen categories and subcategories of information listed on the registry which are subject to CUI Specified controls. The CUI registry will dictate the particular markings, and non-standard markings will not be allowed, though significantly, the CUI registry currently contains the word “placeholder” next to many of the categories listed and it appears that final markings have not been determined.
- Uncontrolled Unclassified Information: Information that is neither classified nor CUI. Even though this information is not controlled or classified, it must still be handled as required by FISMA, which is the legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats.
As indicated, on November 14 the NARA rule will apply directly only to agencies themselves. There is accompanying guidance and a timetable on the NARA website for the process by which agencies will develop the appropriate mechanisms for compliance and oversight, training, etc. Many of these requirements (including the implementation of agency-specific policies) take effect within 180 days of November 14, though some have a longer deadline. The CUI registry currently notes that existing agency policies continue to apply until such time as each agency implements the NARA CUI rule. Among other challenges, there will be a significant burden on agencies to remark large quantities of pre-existing CUI, particularly when disseminated externally.
In due course, the rule will be indirectly applied to non-federal entities. To this end, the rule calls for agreements between non-federal entities and the government to incorporate by reference the elements of the rule. With respect to procurement contractors, the rule is expected to be implemented through an upcoming FAR clause. Moreover, as applied to defense contractors, some aspects of the final rule are effectively already implemented as a result of the DFARS Network Penetration Rule discussed below which calls for contractor implementation of NIST 800-171 standards and 72-hour reporting of breaches. It is possible that some agencies may implement specific requirements sooner.
When applied to contractors, the rule will pose a number of interesting questions, e.g.:
- How will contractors handle the marking requirements, including dealing with legacy information?
- How effectively will contractors be able to flow down these requirements?
- Will there be a mechanism for reporting compromises of CUI, or violations of CUI policies/protocols, and how will that reporting mechanism interact with specific reporting mechanisms that may already exist for categories of information that are CUI Specified (e.g., export controls)?
- Will there be any penalties for improper handling of CUI other than those already contained in the CUI Specified regulatory regimes themselves?
Defense Industrial Base (DIB) Cyber-Reporting
On October 3, 2016, DoD issued a final cybersecurity rule applicable to DIB contractors and grantees. This rule follows on DoD’s interim final rule of October 2015 on the same topic. The rule is effective on November 2, 2016.
The rule has two elements. First, the rule implements mandatory cyber incident reporting requirements for entities that have agreements with DoD, including, but not limited to, contracts and grants, and for their subcontractors. Second, the rule modifies eligibility criteria to permit greater participation in DoD’s voluntary DIB cyber information sharing program.
As to the cyber incident reporting requirements, there are several key points. First, the rule provides the basis for DoD to require reporting in agreements between it and DIB companies. That means companies that have grants or other agreements with DoD would appear to be subject to this rule. As applied to procurement contracts, the DIB rule tracks some elements of the DFARS Network Penetration Rule, discussed below, and therefore in our view the DIB rule’s requirements are, as a practical matter, implemented more specifically through the DFARS Network Penetration Rule. The DIB rule may therefore have a greater effect on non-procurement relationships, because it provides an explicit basis for DoD to apply these requirements there, whereas in the context of procurement contracts DoD already has the DFARS Network Penetration Rule at its disposal. The second key point is that the definition of “covered defense information” has been changed to incorporate all categories of information on NARA’s CUI registry referenced above. When the final DIB rule was first issued, it included a different definition of covered defense information than that contained in the DFARS Network Penetration Rule discussed below; however, a conforming DFARS rule was promptly issued on October 21, 2016, effective immediately.
As indicated above, this final rule also addresses and expands the eligibility criteria for the current voluntary DIB information sharing program. Participants in this program receive threat information from the DoD’s Cybercrime Center.
Note that cyber incident reporting involving classified information on classified contractor systems will continue to be in accordance with the National Industrial Security Program Operating Manual (DoD 5220.22-M).
DFARS Network Penetration Rule
On October 21, 2016, the DAR Council issued the final DFARS Network Penetration Rule, following on the interim rules of August and December 2015 discussed in previous Steptoe advisories and blog posts. The rule involves changes to the key contract clause, but also includes changes to, or creation of, several other DFARS provisions, including 252.204-7008, which more clearly puts contractors on notice of the rule’s security and reporting requirements.
The final rule, effective October 21, retains most of the key elements of the prior interim rules, including contractor implementation of NIST SP 800-171, the standard for protecting CUI on non-federal information systems, and mandatory contractor and subcontractor reporting within 72 hours of breaches of systems containing “covered defense information.” Some highlights of the changes or refinements in the final rule include:
- Conforms the wide-ranging definition of “covered defense information” to the NARA rule discussed above; and
- Includes a carve-out for COTS contracts, but not for commercial items contracts.
However, there is a continued lack of clarity regarding export controlled information, apart from a discussion in the preamble noting that export controlled information unrelated to a US DoD program is not “covered defense information.”
The rule recognizes that compliance down the supply chain, particularly with international contractors, may be difficult. In addition, DFARS clause 252.204-7012 was amended to clarify that subcontractor flowdown is only necessary when covered defense information is necessary for performance of the subcontract, and that the contractor may consult with the contracting officer, if necessary, when uncertain whether the clause should be flowed down. The final rule also requires prime contractors to require their subcontractors to notify the prime contractor (or the next higher-tier subcontractor) when submitting requests to the contracting officer to vary from a NIST SP 800-171 security requirement.
Also, the final rule provides additional clarification on the security standards applicable to cloud-computing services and capabilities. Cloud Service Providers (CSPs), when storing or transmitting covered defense information, should meet the Federal Risk and Authorization Management Program (FedRAMP) “moderate” baseline, as well as the rule’s cyber incident reporting requirements. This reporting obligation includes any incidents involving a shared infrastructure. Contractors should note that this may necessitate revisions to CSP agreements. Significantly, the rule does not change the full implementation deadline for NIST SP 800-171, which is December 2017 (but see the FAR rule on Basic Safeguarding of Contractor Information Systems issued in May 2016, which currently requires contractors to implement a small subset of NIST SP 800-171’s controls rather than waiting until December 2017). However, even if contractors have until December 2017 to implement the remainder of NIST SP 800-171’s controls, they are reminded that they are required to provide “adequate” security in the interim. The preamble also notes that while DFARS 252.204-7012 is not structured to facilitate the use of a contractor’s compliance with NIST SP 800-171 as a factor in the evaluation/source selection process, agencies may elect to make NIST compliance an evaluation factor in source selection decisions prior to the end of December 2017. However, it further states that this determination would be outside the scope of the rule and would need to be appropriately addressed on an individual solicitation basis.
The reporting aspects of the interim rule remain basically in place, and present interesting questions for contractors, including:
- For commercial companies, is pre-existing information (i.e., information that was “born commercially” outside the context of any federal government program), that happens to be utilized at some juncture for a defense contract, but is not provided to DoD in the course of performance, considered “covered defense information”?
- What is the threshold for reporting, e.g., taken to an extreme, could the fact that an anti-virus program flagged and quarantined a single piece of potential malware that has not been opened/executed be reportable?
The final rule also raises interesting questions regarding potential parallel self-reporting regimes, which we have identified in our previous advisories on the DFARS Network Penetration Rule. For instance, if there is an exfiltration that could involve export-controlled information and it is reported to DoD, will contractors need to consider whether to report to the export control agencies in parallel, or potentially lose their voluntary disclosure rights or protections under reporting regimes specifically applicable to export-controlled information, even though the information was “stolen” rather than “exported”? Interestingly, DoD issued a proposed rule on October 31, 2016 (the topic of a separate advisory we anticipate issuing shortly) which, if implemented in an interim or final rule, would require DoD to revoke a contractor’s access to DoD export-controlled information when there is “credible information” of a violation of export control law. Similar multi-agency reporting issues could conceivably arise with respect to other categories of information falling within “covered defense information.” The international supply chain will present particular challenges, given DoD’s apparently wide-ranging retention and access requirements, which may conflict with foreign privacy laws or raise concerns regarding protection of subcontractor proprietary information.
Forthcoming FAR Clause
As indicated above, the FAR council is expected to issue a rule in the next few months that implements the NARA rule for purposes of federal agency procurements. Although the details are presumably still being refined, it is reasonable to anticipate that the FAR rule will include specific elements of the NARA framework, plus elements of the DFARS network penetration rule. We will continue to monitor future developments in this area.