In response to recent executive orders and growing pressure from high-profile government data breaches, the DoD issued an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) in August 2015 and revised it in December 2015: "Network Penetration Reporting and Contracting for Cloud Services" (DFARS Case 2013-D018). The interim rule took effect immediately on publication. It affects many government contractors whose work involves sensitive unclassified DoD information.
The interim rule includes the following provisions and clauses:
- 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls,
- 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information,
- 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,
- 252.239-7009, Representation of Use of Cloud Computing, and
- 252.239-7010, Cloud Computing Services.
Under DFARS 252.204-7008, an offeror represents, by submitting its offer, that it will "implement the security requirements specified by NIST SP 800-171." This does not mean the offeror has already implemented every 800-171 requirement, but it should indicate that the offeror is well on its way (the December 2015 revision of the rule adds a hard date: implementation as soon as practical, but not later than December 31, 2017). An offeror can seek a deviation/waiver by explaining, in writing:
(A) Why a particular security requirement is not applicable; or
(B) How an alternative, but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection.
DFARS 252.204-7008 contemplates that the offeror submits its request for deviation/waiver prior to award. An authorized representative of the DoD Chief Information Officer (CIO) will accept or deny the request, and the contract language is then updated accordingly (e.g., via a solicitation amendment). Submitting the request early therefore gives the best possible chance of having the deviation/waiver accepted before award.
The most significant change in the DFARS modification is the expansion of the type of information protected under the rule (DFARS 204.73 and DFARS 252.204-7012). The clause formerly titled "Safeguarding of Unclassified Controlled Technical Information" (UCTI) (DFARS 252.204-7012) is now "Safeguarding Covered Defense Information and Cyber Incident Reporting." Covered Defense Information (CDI) is unclassified information that falls into one of the rule's named categories (controlled technical information, critical information under OPSEC, export-controlled information, or other information identified in the contract that requires safeguarding or dissemination controls under law, regulation or government-wide policy), whether it is provided to the contractor by or on behalf of DoD in connection with contract performance or is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance. Because controlled technical information is one of the named categories, everything that was UCTI is CDI, and most DoD contractors are subject to the Safeguarding Clause in the interim rule.
DFARS 252.204-7012 also requires the contractor to notify the DoD CIO, within 30 days of contract award, of any NIST SP 800-171 security requirements not implemented at the time of award, and of any alternative but equally effective security measures that an authorized representative of the DoD CIO approved in writing under the 252.204-7008 procedure.
Contractors should also keep in mind the Class Deviation DoD issued in October 2015 (Class Deviation 2016-O0001). It gives contractors nine months from the date of award to implement NIST SP 800-171 derived security requirement 3.5.3, "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts." Read literally, that means MFA on every privileged login, whether at the console or over the network, and on every network login to an ordinary user account; a local console login to a non-privileged account is the one case 3.5.3 does not reach.
CYBER INCIDENT REPORTING REQUIREMENTS
The incident-reporting requirements have also expanded. Contractors must report a cyber incident to DoD at http://dibnet.dod.mil within 72 hours of discovery; submitting the report requires a DoD-approved medium assurance certificate, so a contractor should obtain one before an incident occurs rather than during the 72-hour window. For at least 90 days after submitting the report, the contractor must preserve and protect images of all known affected information systems and all relevant monitoring/packet-capture data, so that DoD can decide whether to conduct a damage assessment. The contractor must give DoD access to any additional information or equipment needed for a forensic analysis, and any malicious software discovered and isolated in connection with the incident must be submitted to DoD in accordance with instructions from the DoD Cyber Crime Center (DC3) or the contracting officer (not sent to the contracting officer).
Subcontractors, wherever they sit in the contracting chain, must rapidly report cyber incidents directly to DoD within 72 hours and must also notify the prime contractor (or next higher-tier subcontractor) as soon as practicable, passing along the incident report number that DoD assigns.
Additionally, a new clause, DFARS 252.204-7009, governs third-party handling of reported incident information. A contractor or subcontractor that receives cyber incident information reported by another contractor (for example, a support contractor assisting DoD with a damage assessment) may use it only for the purposes the government authorizes, must protect it from unauthorized use or disclosure, and must ensure its employees are bound by nondisclosure obligations before they are given access to it.
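The preservation obligation above is where incident handlers most often slip: an image that cannot be shown to be unchanged 90 days later is of little use to a DoD damage assessment. The following is an added example, not part of the original article or of any DoD tool, showing one way to record the clause deadlines and an integrity manifest for preserved images. The 72-hour and 90-day windows come from the text; the manifest layout, function names, and the two sample "images" are this example's own constructed assumptions.

```python
"""Evidence-preservation helper for DFARS 252.204-7012-style incident handling.

Added illustration only: the time windows are those the article describes; the
manifest format and the sample files are constructed for this example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Windows stated in the clause as summarized above (assumed to run from
# discovery and from report submission respectively).
REPORT_WINDOW = timedelta(hours=72)     # report to DoD within 72 hours of discovery
PRESERVE_WINDOW = timedelta(days=90)    # keep images at least 90 days after reporting


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory buffer (used by the test harness)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a multi-GB disk image never sits in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(image_paths, discovered_at, reported_at):
    """Record each preserved image's size and hash plus the clause deadlines.

    Both datetimes must be timezone-aware; they are stored as ISO-8601 strings.
    """
    deadline = discovered_at + REPORT_WINDOW
    images = [
        {"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
        for p in image_paths
    ]
    return {
        "discovered_at": discovered_at.isoformat(),
        "report_deadline": deadline.isoformat(),
        "reported_at": reported_at.isoformat(),
        "reported_on_time": reported_at <= deadline,
        "preserve_until": (reported_at + PRESERVE_WINDOW).isoformat(),
        "images": images,
    }


def verify_manifest(manifest):
    """Re-hash every image; an empty list means all preserved evidence is intact."""
    problems = []
    for entry in manifest["images"]:
        path = entry["path"]
        if not os.path.exists(path):
            problems.append(f"missing: {path}")
            continue
        if os.path.getsize(path) != entry["size"]:
            problems.append(f"size changed: {path}")
        if sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch: {path}")
    return problems


def preservation_active(manifest, now_iso):
    """True while the 90-day window is still running at the given ISO timestamp."""
    return datetime.fromisoformat(now_iso) <= datetime.fromisoformat(manifest["preserve_until"])


def demo():
    """Constructed scenario: two small sample images, one tampered with after hashing.

    Returns (manifest, problems_before_tamper, problems_after_tamper).
    """
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "host01-disk.img")
        mem = os.path.join(tmp, "host01-mem.img")
        with open(disk, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"SAMPLE MBR\n")          # constructed content
        with open(mem, "wb") as fh:
            fh.write(bytes(range(256)) * 32)                    # constructed content
        discovered = datetime(2016, 1, 4, 9, 30, tzinfo=timezone.utc)
        reported = datetime(2016, 1, 5, 17, 0, tzinfo=timezone.utc)
        manifest = build_manifest([disk, mem], discovered, reported)
        with open(os.path.join(tmp, "manifest.json"), "w") as fh:
            json.dump(manifest, fh, indent=2)   # keep the manifest with the images
        clean = verify_manifest(manifest)
        with open(disk, "ab") as fh:
            fh.write(b"tamper")                 # simulate accidental modification
        tampered = verify_manifest(manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print("report deadline:", m["report_deadline"], "on time:", m["reported_on_time"])
    print("preserve until :", m["preserve_until"])
    print("before tamper  :", before)
    print("after tamper   :", after)
```

Store the manifest (and a signed or offline copy of it) alongside the images on write-once or access-controlled media; re-running the verification on a schedule during the 90-day window gives you a defensible record that the evidence DoD may ask for was never altered.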
Because cloud services are so widely used, the rule also adds cloud computing provisions. DFARS 252.239-7009 requires an offeror to represent whether it anticipates using cloud computing services in performance of the contract. DFARS 252.239-7010 applies when a contractor provides cloud computing services to DoD: the provider must implement the safeguards required by the DoD Cloud Computing Security Requirements Guide (SRG), must report cyber incidents through http://dibnet.dod.mil, and must maintain all government data that is not physically located on DoD premises within the United States or outlying areas unless the contracting officer authorizes another location in writing. Note that this data-location restriction attaches to government data held by a contractor acting as a cloud provider; it is not a blanket rule that every piece of CDI must sit on U.S. cloud servers.