On August 26, 2015, the Department of Defense (“DoD”) issued an interim rule, effective immediately, that revises network security requirements applicable to DoD contractors and introduces new cloud computing provisions that reflect current DoD policy. The interim rule, which implements sections of the FY13 and FY15 National Defense Authorization Acts, comes on the heels of the massive breach of Office of Personnel Management systems that compromised the personal data of more than 21 million federal employees. The new and revised requirements apply to cyber incidents on unclassified information systems; breaches of classified systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual. The interim rule also implements DoD policies and procedures applicable to the procurement of cloud computing services.
The rule includes five contract clauses relevant to contractors and subcontractors that provide cloud computing services to DoD or that handle controlled unclassified DoD information on their systems. All five apply to commercial item contracts.
First, DFARS 252.204-7008, “Compliance With Safeguarding Covered Defense Information Controls,” requires that offerors provide an explanation of any intended deviations from the National Institute of Standards and Technology security requirements applicable to protecting controlled unclassified information on non-federal systems and authorizes a representative of the DoD Chief Information Officer to approve or disapprove the requested deviation.
Second, DFARS 252.204-7009, “Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information,” puts in place protections for information reported to the government and subsequently provided to contractors for the purpose of obtaining advice or technical assistance.
Third, DFARS 252.204-7012, renamed “Safeguarding Covered Defense Information and Cyber Incident Reporting,” expands safeguarding and reporting requirements. The clause, which must be flowed down to subcontractors at all levels, establishes minimum “adequate security” standards for covered defense information on covered contractor information systems, and mandates that contractors and subcontractors at any tier that have covered defense information on unclassified systems investigate and rapidly report “cyber incidents.” “Cyber incidents” are defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” The clause further provides that cyber incident reports “shall be treated as information created by or for DoD.” Contractors also must discover and isolate malicious software in connection with a reported cyber incident “in accordance with instructions provided by the contracting officer”; preserve all affected information systems for at least 90 days to allow DoD to request the media; provide DoD access to “additional information or equipment that is necessary to conduct a forensic analysis”; and meet other potentially onerous obligations.
Fourth and fifth, the interim rule introduces two cloud computing provisions, DFARS 252.239-7009, “Representation of Cloud Computing,” and DFARS 252.239-7010, “Cloud Computing Services.” The first requires that an offeror represent whether it anticipates the use of cloud computing services in the performance of the contract or any subcontract. The second imposes cloud computing security requirements, restrictions on the use of government data, and reporting obligations, among other requirements.
These new provisions, particularly the revised reporting requirement, raise a number of questions and challenges. For example, by reporting a cyber incident, a contractor may be providing the government with evidence that it failed to adequately safeguard covered defense information. Also, reporting may require the contractor or subcontractor to disclose proprietary information not typically disclosed outside of the company, even to the government. While the new provisions include protections for contractor information, those protections may be little comfort to an affected contractor. Contractors also may be faced with overlapping disclosure obligations, as data breaches that are reportable to DoD may also trigger state-level reporting requirements.
Perhaps the most important question raised by the new provisions relates to the cost and impact of a cyber incident. DFARS 252.204-7012 requires far more than reporting. It mandates that a contractor investigate in accordance with a contracting officer’s instructions, preserve systems for up to 90 days to allow DoD to determine whether it wishes to take possession of media, and provide information and equipment to support a forensic analysis if such analysis is deemed necessary. While some of these obligations already existed, the expansion of these requirements will likely pose a challenge for commercial contractors, both in terms of the cost and the impact on commercial operations. And it is an open question whether corporate entities in possession of covered DoD information have the capability or capacity to deter and detect cyber attacks increasingly orchestrated and conducted by nation states.
Ultimately, the interim rule is a positive step toward the development of safeguards necessary to protect our government’s sensitive information from cyber attacks. But the formalization of these requirements will force DoD and the contracting community to address a number of challenging questions about the burdens these requirements will impose on the contracting community and the sufficiency of contractual obligations to address threats posed by other nations.
Comments are due on or before October 26, 2015.