DoD Issues Further Revisions to Contractor Cybersecurity Rules—Aside a Flurry of Other New Rules
After little more than a year of discussion and revisions, the Department of Defense (DoD) has implemented a final cybersecurity rule in the Defense Federal Acquisition Supplement (DFARS) aimed at protecting "covered defense information" or "CDI" in contractor's information systems. Background on the rule as it has developed is available here, here, and here. The rule contains two basic components:
First, the rule requires contractors to ensure there is "adequate security" on contractor-owned or controlled systems that store, transmit, or process CDI ("covered contractor information systems"). For most contractors (generally those who are not providing IT services to the government or operating a system on the government's behalf), this "adequate security" requirement is satisfied by compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, subject to a variances process.
Second, the rule requires contractors to report any cyber incidents that may have affected covered contractor information systems.
The final rule alters and clarifies the existing scope of the rule in several important ways, as detailed below, but does not answer many of the serious concerns that industry and other stakeholders have voiced about the rule and its various security mandates and disclosure provisions.
In addition, DoD's near simultaneous release of an export control policy aimed primarily at components of the Department itself, but that covers contractors, along with the recent release of cybersecurity related rules targeting the Defense Industrial Base (DIB), non-DoD federal contractors, and any contractors with "controlled unclassified information" or "CUI" on their systems raise a host of questions about how to manage, harmonize, and comply with what has become a dizzying array of overlapping, but distinct, federal rules governing information security.
The following is a summary of several key changes to the DFARS cybersecurity requirements contained in the new final rule:
- Commercial Off the Shelf ("COTS") procurements exempted. The DFARS requirements—and in particular solicitation provision 252.204-7008 and contract clause 252.204-7012 (which is the primary operative clause incorporating the requirements) are no longer prescribed for commercially available off-the-shelf or "COTS" items. They do still apply to other FAR part 12 commercial item solicitations.
- CDI harmonized with the CUI registry. The definition of CDI has been changed to harmonize it with other rules and regulations protecting CUI. CDI is now defined as:
unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at [https://www.archives.gov/cui/registry/category-marking-list],1 that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is—
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
- While this harmonization does eliminate the untethered "other" category from the prior definition of CDI (which, read broadly, was nearly unlimited), this harmonization does not resolve some of the most controversial aspects of the prior definition of CDI.
For example, there has been concern in the industry over whether virtually any technical information—even commercially available technical information—falls into the definition of CDI because the prior rule included an enumerated category of information subject to "export control," which contractors pointed out could be interpreted very broadly. The new reference to the CUI Registry and removal of the reference to "export control" in the definition of CDI does not resolve this issue, because the CUI Registry itself contains an enumerated "export control" category which broadly includes:
Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and the munitions list; license applications; and sensitive nuclear technology information.
Thus, this category appears to include even "EAR99" technology (as classified under the Export Administration Regulations, 15 C.F.R. parts 730-774) because such technology, while minimally controlled, is restricted for export to certain countries.
In fact, the preamble to the final DFARS rule recognizes this issue, noting that it received questions on the scope of "export control" under the CDI definition and even a suggestion that "DoD exclude items from its definition of 'covered defense information' that are subject to minimal export controls." But, DoD balked at this suggestion and stands by the broad category of export control described above. Accordingly, the definition of CDI relating to EAR99 technology is sweeping, and limited only by whether information is marked and/or "[c]ollected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract."
- Fundamental research. On the other hand, the new rule now makes clear that contracts "appropriately scoped as fundamental research" will not contain CDI or, consequently, lead to the imposition of the adequate security or cyber incident reporting requirements on contractors involved only in performing fundamental research. The DFARS is being separately modified to ensure that it is clear that no CDI is involved when DoD makes a determination that a contract involves only fundamental research.
- Flowdown limited. Flowdown of the clause to subcontractors has been slightly modified by the new rules. Flowdown is now required for subcontracts for operationally critical support,2 or for which subcontract performance will involve "covered defense information," instead of "a covered contractor information system." In practice, it is likely that flowdown will be required in most cases where subcontractors are doing any work of substance under a covered contract, as the definition of CDI remains broad, unless such CDI will not be shared with or used by the subcontractor. DoD does note that because fundamental research will not contain CDI, "the clause will not flow down to subcontractors that are exclusively performing fundamental research."
- Procedures to vary from NIST SP 800-171. The DFARS clause now contains a bit more substance regarding how contractors are to go about seeking a variance from an element of NIST SP 800-171 on the basis either that it is "not applicable" or is replaced by an equally-effective alternative. The new rule also indicates that once a variance is approved by DoD CIO, such variance can be relied on by the contractor for more than one contract:
1. The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO.
2. DoD CIO will adjudicate request to vary.
3. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
4. If the DoD CIO has previously adjudicated the contractor's requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.
- There remains little indication of how variances will be adjudicated in practice, but given the wide interest in seeking variances, contractors would likely benefit from seeking such variances sooner rather than later, as the December 31, 2017 deadline for full compliance with NIST SP 800-171 approaches.
- Limits on the use of Cloud Service Providers. Contractors who intend to use Cloud Service Providers or "CSPs" to store, process, or transmit CDI in performance of the contract must "require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/)" and ensure that the CSP meets all of the cyber incident reporting and preservation requirements contained in the DFARS clause.
- Clarification on the 30-day notification requirement. Since the rule was updated at the end of 2015 to postpone to December 31, 2017 the requirement that contractors be in full compliance with NIST SP 800-171 (where applicable), DoD has required contractors to report within 30 days of contract award what elements of NIST SP 800-171 are not implemented at the time of award. The new rule clarifies that: (1) the requirement to make this 30-day notification will end on September 30, 2017, in preparation for the full implementation of the rule; and (2) the notification needs to be nothing more than a list of what elements of NIST SP 800-171 are not implemented. DoD provides the following bare-bones example of what such a notification might look like:
NIST SP 800-171 security requirement 3.1.1
- Limits on cyber incident reports as evidence of noncompliance. Finally, DoD has added language to the rule to indicate that a cyber incident report alone, without more, should not be interpreted as evidence that a contractor has failed to provide adequate security on a covered contractor information system:
A cyber incident that is reported by a contractor or subcontractor shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate security on their covered contractor information systems, or has otherwise failed to meet the requirements of the clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. When a cyber incident is reported, the contracting officer shall consult with the DoD component Chief Information Officer/cyber security office prior to assessing contractor compliance . . . The contracting officer shall consider such cyber incidents in the context of an overall assessment of a contractor's compliance with the requirements of the clause at 252.204-7012.
- While this language is somewhat helpful, it does not fully dispel the notion that reporting a cyber incident may possibly result in a finding of noncompliance with the safeguarding clause. For example, if reporting a cyber incident leads to a review and assessment of the contractor's compliance, and if a finding of noncompliance with the safeguarding clause is not based solely on the cyber incident report, then DoD has complied with its assurances—and yet if the contractor had not filed a cyber incident report, it perhaps would not have received a finding of noncompliance.
* * *
Given the recent flurry of new regulations governing cybersecurity and controls on CUI and other federal information, contractors, other industry stakeholders, and federal agencies themselves have only begun to digest and sort out how this vast new regulatory landscape will function. DoD's CDI rules under the DFARS are the most complex and fully developed rules in this domain, and defense contractors would do well to comprehend this final rule and incorporate it into their IT and contracting practices as quickly as possible. Of course, this does not mean that defense contractors should ignore or neglect other requirements that may govern their possession, use, or transfer of CUI and other federal information, as the DFARS rule does not supplant these other authorities. Regardless, defense contractors have until the end of next year under the DFARS rule to reach full compliance (or adjudicated variances) with NIST SP 800-171 where applicable. Thus, the next twelve months is a crucial period to assess covered systems and make whatever changes (or apply for variances) that are necessary to meet DoD's December 31, 2017, deadline.
''Operationally critical support'' means supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.