The Department of Defense (DOD) is imposing cybersecurity requirements throughout its far-reaching contractor network even as the White House and the Congress fail to agree on broader cybersecurity regulations or legislation. On November 18, 2013, DOD published a final regulation and a proposed regulation amending the Defense Federal Acquisition Regulations System (DFARS) to safeguard unclassified controlled technical information and reduce supply chain risk. The final rule requires contractors to implement adequate security measures to protect controlled technical information residing on or transiting through contractor unclassified information systems. DOD also issued an interim rule launching a pilot program establishing supply chain risk as an evaluative factor in contractor assessments and providing for contractor exclusion based on unacceptable supply chain risk.
Final Rule – Safeguarding Unclassified Controlled Technical Information
The final rule, 48 CFR Parts 204, 212, and 252 (available at http://www.gpo.gov/fdsys/pkg/FR-2013-11-18/pdf/2013-27313.pdf), regarding safeguarding unclassified controlled technical information, although considerably narrowed from the proposed rule published in 2011, requires contractors to implement adequate security measures and to report cyber incidents involving controlled technical information. Adequate security is defined as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” Controlled technical information includes “technical data, computer software, and any other technical information covered by DOD Directive 5230.24,” which is available at http://www.dtic.mil/whs/directives/corres/pdf/523025p.pdf.
The rule requires contractors to implement an information security system that complies with the National Institute of Standards and Technology (NIST) security controls, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. If the contractor believes that the NIST controls are not applicable, the contractor must submit a written explanation to the contracting officer explaining how an alternative control system will be used to achieve equivalent protection.
Contractors must report any “cyber incidents” to DOD within 72 hours of discovery. Cyber incidents subject to the reporting requirement include “possible exfiltration, manipulation, or other loss or compromise of any unclassified controlled technical information resident on or transiting through Contractor’s or its subcontractors’ unclassified information systems.” Following a cyber incident, the contractor must investigate the incident and preserve any relevant data for at least 90 days. DOD may elect to conduct a damage assessment following the incident.
The rule further provides that a properly reported cyber incident “shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for unclassified controlled technical information”; however, the contracting officer will consider the cyber incident “in the context of an overall assessment of the contractor’s compliance.” Accordingly, compliance with the required NIST security controls will not be a safe harbor, and contractors may wish to consider the value of implementing additional security controls over and above the baseline NIST requirements.
Interim Rule – Supply Chain Risk Reduction
The interim rule relating to supply chain risk implements section 806 of the National Defense Authorization Act for Fiscal Year 2011 (establishing requirements for agency action based on supply chain risk in procurements of national security systems). Section 806 defines supply chain risk as “the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.” The interim rule is designed to protect against the “malicious insertion of software or code or an unwanted function designed to downgrade DOD’s sensitive systems.”
Under the interim rule, DOD must consider supply chain risk when evaluating contractors involved in the development or delivery of information technology for National Security Systems (NSS). DOD may exclude contractors who fail to meet qualification standards or achieve an acceptable supply chain risk rating. DOD may also withhold consent for a contractor to subcontract with a particular source or may direct a contractor to exclude a particular source from consideration for a subcontract.
While the interim rule relies on qualification standards, the rule itself does not define the criteria to be used when evaluating supply chain risk; nor does it provide specific risk management requirements. The lack of specificity in the rule means contractors will, at least initially, have considerable latitude when designing and implementing risk management systems, but there is no guarantee a contractor’s system will be deemed sufficient. Furthermore, if a contractor is excluded due to unacceptable supply chain risk, the head of a covered agency may limit “the disclosure of information relating to the basis” for exclusion. In other words, a contractor may be excluded without ever being told why.
There are several important limitations on the use of section 806 exclusionary authority under the interim rule. Exclusionary authority may only be exercised where the supply chain risk involves “the procurement of NSS or of covered items of supply used within NSS.” A covered item is “an item of information technology that is purchased for inclusion in a [NSS], and the loss of integrity of which could result in a supply chain risk for a [NSS].” The decision to exclude a contractor may only be made by the “head of a covered agency,” meaning the Secretary of Defense or the Secretaries of the military departments with delegation limited to officials at or above the agency’s service acquisition executive level. Before a contractor may be excluded, the Under Secretary of Defense for Intelligence must conduct a risk assessment finding significant supply chain risk to a particular NSS, and the head of a covered agency must obtain a joint recommendation in favor of exclusion from the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Chief Information Officer of the DOD. The head of a covered agency must also make a written determination that the use of section 806 authority is “necessary to protect national security by reducing supply chain risk” and that less intrusive measures are not reasonably available.
The period for public comment on the interim rule is scheduled to close on Friday, January 17, 2014.