DoD interim rule expands contractors' duties relating to cybersecurity and cloud computing

September 30, 2015

Government Contracts Alert

Author(s): Alexandra Lopez-Casero

An interim rule recently released by the Department of Defense (DoD) imposes extensive new obligations on government contractors with regard to safeguarding data, reporting cyber incidents and using cloud-based computing services. The interim rule, which was published on August 26, expands both the scope of data that contractors must protect and the universe of contractors to which the new requirements apply, in addition to imposing other new and increased duties on contractors. Key elements of the interim rule are discussed below.

The interim rule, DARS-2015-0039 (available here), amends the Defense Federal Acquisition Regulation Supplement (DFARS) to implement and expand upon two sections of the National Defense Authorization Act (NDAA): Section 941 of the NDAA for fiscal year 2013 and Section 1632 of the NDAA for fiscal year 2015. It also implements and expands upon DoD policies concerning cloud computing security requirements. It applies to prime contracts, subcontracts and commercial item contracts (see revised DFARS 212.301).

Safeguarding “covered defense information”

Under the previous iteration of DFARS 252.204-7012 (the “Safeguarding Clause”), which DoD published on November 18, 2013, a contractor’s duty to safeguard information and to report breaches extended to “unclassified controlled technical information” (UCTI), which the DFARS defines as scientific or technical information, with a military or space application, “to be marked” by DoD with distribution statements. Now, under the revised and renamed DFARS 252.204-7012, a contractor’s duty extends to all “covered defense information” (CDI), a much broader universe of data than UCTI. The interim rule defines CDI as unclassified information, provided to the contractor by or on behalf of DoD for performance of the contract, that fits into any of the following categories:

  • Controlled technical information (i.e., UCTI but with a loosened marking requirement);
  • Critical information (operations security), meaning information specifically relating to facts identified through the Operations Security process (a term not defined in the interim rule);
  • “Export control,” including information concerning items identified in the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations, including the United States Munitions List; information concerning “dual use items”; license applications; and “sensitive nuclear technology information”; as well as
    • other information “whose export could reasonably be expected to adversely affect the United States' national security and nonproliferation objectives”; and
  • “Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations[] and [g]overnmentwide policies (e.g., privacy, proprietary business information).”

The third and fourth categories of CDI are extremely broad, and no doubt raise questions about how contractors should determine whether they possess CDI. Specifically with regard to export-controlled information, the interim rule contains what appears to be a vague “catch-all” provision that would require contractors to be able to identify other information, outside of that which is covered by the EAR, ITAR or Munitions List, that could “adversely affect” U.S. interests if exported. For example, information submitted in a license application is not necessarily export controlled. Moreover, the third category of CDI uses terminology that does not match basic export control concepts. It includes “information that is identified in export administration regulations,” which probably refers to items that are listed on the Commerce Control List. But then it also refers to “dual use items.” This term is informally used to describe items that fall under the EAR, including some items that are “only” subject to EAR99. Items that fall under EAR99, including technical data, are generally not export-controlled. As a result, if read literally, the third category of the CDI definition (“Export Control”) could include unclassified information that is actually not export controlled. The scope of “sensitive nuclear technology information” is also not clear.

The interim rule also redefines what constitutes providing “adequate security” for CDI on contractor information systems, including by replacing the previously operative security control requirements (National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53) with the recently issued NIST SP 800-171 requirements. A corresponding new provision, DFARS 252.204-7008, permits a contractor to seek, through written submission, DoD’s approval of deviations from the NIST 800-171 controls. Per this new provision, such approval must be obtained from the DoD’s Chief Information Officer, in writing, before the contract is awarded.

Expanded cyber incident reporting requirements

The newly amended DFARS 252.204-7012 also imposes a duty on subcontractors to report cyber breaches directly to DoD, in addition to reporting them to their prime contractors as previously required. Additionally, the interim rule expands what qualifies as a reportable incident. DFARS 252.204-7012, as amended, provides that a reportable incident can be: (a) an incident that affects a system that processes, stores or transmits CDI (previously UCTI); (b) an incident that affects the CDI itself; or (c) an incident that affects the contractor’s ability to provide “operationally critical support,” which is defined at DFARS 204.7301 as “supplies or services designated by the [g]overnment as critical for airlift, sealift, intermodal transportation services or logistical support that is essential to the mobilization, deployment or sustainment of the [a]rmed [f]orces in a contingency operation.” As such, in addition to expanding the type of information that must be safeguarded, the interim rule also expands the type of cyber incidents that must be reported. The timeframe for reporting an incident—within 72 hours of discovery—remains unchanged.

Cloud computing

The interim rule also sets out enhanced requirements for contractors seeking to use cloud computing services in their performance of DoD contracts. Adopting DoD policies on cloud computing issued in late 2014 and early 2015, the interim rule sets out a number of new requirements for contractors, including the following:

  • Contractors must indicate up front, as part of the offer, whether they anticipate using cloud computing services in the resulting contract or any subcontract. If the answer is no, but the contractor later wishes to use cloud computing services after the contract has been awarded, it may do so only after first obtaining the approval of the contracting officer (DFARS 252.239-7010);
  • Contractors must implement and maintain the controls set out in the Cloud Computing Security Requirements Guide (DFARS 252.239-7010);
  • Contractors must report all cyber incidents relating to cloud computing directly to DoD (DFARS 252.239-7010);
  • Contractors must provide DoD with access to all data, facilities and personnel involved in the contract. Additionally, contractors must promptly notify DoD upon receipt of any warrant, seizure or subpoena relating to government data (DFARS 252.239-7010);
  • Contractors must maintain all government data within the U.S. or within specifically defined outlying areas, absent express written authorization from the contracting officer to maintain it outside of these areas (DFARS 239.7602-2, 252.239-7010).

The interim rule also amends the obligations of DoD in acquiring cloud computing services from service providers:

  • In acquiring cloud computing services, DoD must use “commercial terms and conditions” so long as consistent with federal law, regulations and the agency’s needs (DFARS 239.7602-1);
  • DoD may acquire cloud services only from providers that have been provisionally authorized by the Defense Information Systems Agency to provide the services, in accordance with the Cloud Computing Security Requirements Guide (DFARS 239.7602-1);
  • DoD must include specific information in a purchase request for cloud computing services, including, but not limited to: descriptions of the government data and government-related data at issue; limitations on accessing, using and disclosing the data; requirements to support and cooperate with inspections, audits and investigations; and requirements to work with the agency, in accordance with its procedures, in the event of any spillage;
  • These requirements apply to all DoD contracts and subcontracts for information technology services, including commercial item contracts.

Looking forward

Citing recent high profile breaches and the increased vulnerability of DoD information, DoD published and implemented the interim rule on the same day (August 26, 2015) without the usual prefatory public comment period. Comments responding to the interim rule are due by October 26, 2015.

In the meantime, and once the rule is finalized (likely in the same or substantially same form in which it exists now), contractors should anticipate encountering these new requirements in DoD contracts. To that end, contractors should develop and implement procedures and plans for meeting their heightened obligations. This is no doubt an onerous task, particularly as concerns the more than a few portions of the interim rule that are opaque. Efforts made now, however, are an investment for the future. As cyber attacks continue to grow in size, means and sophistication, the increased obligations on contractors that have arisen as a result are highly unlikely to be reduced any time soon.

The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.