An interim rule recently released by the Department of Defense (DoD) imposes extensive new obligations on government contractors with regard to safeguarding data, reporting cyber incidents and using cloud-based computing services. The interim rule, which was published on August 26, expands both the scope of data that contractors must protect and the universe of contractors to which the new requirements apply, in addition to imposing other new and increased duties on contractors. Key elements of the interim rule are discussed below.
The interim rule, DARS-2015-0039, amends the Defense Federal Acquisition Regulation Supplement (DFARS) to implement and expand upon two sections of the National Defense Authorization Act (NDAA): Section 941 of the NDAA for fiscal year 2013 and Section 1632 of the NDAA for fiscal year 2015. It also implements and expands upon DoD policies concerning cloud computing security requirements. It applies to prime contracts, subcontracts and commercial item contracts (see revised DFARS 212.301).

Safeguarding “covered defense information”
Under the previous iteration of DFARS 252.204-7012 (the “Safeguarding Clause”), which DoD published on November 18, 2013, a contractor’s duty to safeguard information and to report breaches extended to “unclassified controlled technical information” (UCTI), which the DFARS defines as scientific or technical information, with a military or space application, “to be marked” by DoD with distribution statements. Now, under the revised and renamed DFARS 252.204-7012, a contractor’s duty extends to all “covered defense information” (CDI), a much broader universe of data than UCTI. The interim rule defines CDI as unclassified information, provided to the contractor by or on behalf of DoD for performance of the contract, that fits into any of the following categories:
The third and fourth categories of CDI are extremely broad, and no doubt raise questions about how contractors should determine whether they possess CDI. Specifically with regard to export-controlled information, the interim rule contains what appears to be a vague “catch-all” provision that would require contractors to be able to identify other information, outside of that which is covered by the EAR, ITAR or Munitions List, that could “adversely affect” U.S. interests if exported. For example, information submitted in a license application is not necessarily export controlled. Moreover, the third category of CDI uses terminology that does not match basic export control concepts. It includes “information that is identified in export administration regulations,” which probably refers to items that are listed on the Commerce Control List. But then it also refers to “dual use items.” This term is informally used to describe items that fall under the EAR, including some items that are “only” subject to EAR99. Items that fall under EAR99, including technical data, are generally not export controlled. As a result, if read literally, the third category of the CDI definition (“Export Control”) could include unclassified information that is actually not export controlled. The scope of “sensitive nuclear technology information” is also not clear.
The interim rule also redefines what constitutes providing “adequate security” for CDI on contractor information systems, including by replacing the previously operative security control requirements (National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53) with the recently issued NIST SP 800-171 requirements. A corresponding new provision, DFARS 252.204-7008, permits a contractor to seek, through written submission, DoD’s approval of deviations from the NIST 800-171 controls. Per this new provision, such approval must be obtained from the DoD’s Chief Information Officer, in writing, before the contract is awarded.
The newly amended DFARS 252.204-7012 also imposes a duty on subcontractors to report cyber breaches directly to DoD, in addition to reporting them to their prime contractors as previously required. Additionally, the interim rule expands what qualifies as a reportable incident. DFARS 252.204-7012, as amended, provides that a reportable incident can be: (a) an incident that affects a system that processes, stores or transmits CDI (previously UCTI); (b) an incident that affects the CDI itself; or (c) an incident that affects the contractor’s ability to provide “operationally critical support,” which is defined at DFARS 204.7301 as “supplies or services designated by the [g]overnment as critical for airlift, sealift, intermodal transportation services or logistical support that is essential to the mobilization, deployment or sustainment of the [a]rmed [f]orces in a contingency operation.” As such, in addition to expanding the type of information that must be safeguarded, the interim rule also expands the type of cyber incidents that must be reported. The timeframe for reporting an incident—within 72 hours of discovery—remains unchanged.
The interim rule also sets out enhanced requirements for contractors seeking to use cloud computing services in their performance of DoD contracts. Adopting DoD policies on cloud computing issued in late 2014 and early 2015, the interim rule sets out a number of new requirements for contractors, including the following:
The interim rule also amends the obligations of DoD in acquiring cloud computing services from service providers:
Citing recent high profile breaches and the increased vulnerability of DoD information, DoD published and implemented the interim rule on the same day (August 26, 2015) without the usual prefatory public comment period. Comments responding to the interim rule are due by October 26, 2015.
In the meantime, and once the rule is finalized (likely in the same or substantially the same form in which it exists now), contractors should anticipate encountering these new requirements in DoD contracts. To that end, contractors should develop and implement procedures and plans for meeting their heightened obligations. This is no doubt an onerous task, particularly given that more than a few portions of the interim rule are opaque. Efforts made now, however, are an investment for the future. As cyber attacks continue to grow in size, means and sophistication, the increased obligations on contractors that have arisen as a result are highly unlikely to be reduced any time soon.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.