Data breaches and associated events, which have become commonplace in this era of heightened cyber activity, significantly impact government and defense-related operations. As a result, the potential risk of exposure and vulnerability to cyberattack of government information in the hands of contractors is substantial. Recognizing the need to protect information provided to a contractor by or on behalf of the Department of Defense (DoD) in connection with the performance of a contract and to minimize vulnerabilities and the impact of cyberattacks against defense contractors, the DoD has implemented new corresponding interim rules on August 26, 2015, with subsequent revisions and updates on December 30, 2015. At issue for many contractors is the level of effort that is required to become compliant with these new interim rules related to the safeguarding of certain government information and the reporting of incidents surrounding attacks on contractor information systems where government information resides.
In August 2015, the DoD issued an interim rule that imposes certain obligations on defense contractors and subcontractors regarding the protection of unclassified covered defense information and the reporting of cyber incidents on an information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits unclassified covered defense information. More specifically, the regulations at DFARS 204.7302 and the clause at DFARS 252.204-7012 require contractors to “. . . provide adequate security to safeguard covered defense information on their unclassified information systems [that support the performance of work under a contract] from unauthorized access and disclosure.” At a minimum, adequate security must include “the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, ‘Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.’” The regulations also require contractors to report cyber incidents affecting a covered contractor information system or the covered defense information residing therein.
In December 2015, the DoD published an interim rule revising the August 2015 interim rule. Among other things, the revisions give contractors an extended timeline in which to comply with the requirements of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (the “NIST Requirements”). To employ “adequate security,” contractors must implement security controls based on the NIST publication, and must do so by December 31, 2017. Additionally, the regulations require contractors to report any areas of noncompliance with the NIST Requirements within 30 days of contract award. Where a contractor requests a variance from the NIST Requirements, the DoD CIO adjudicates the request, and any approved variance should be incorporated in the resultant contract. The updated rule also requires contractors to report cyber incidents within 72 hours of their occurrence. Finally, the December 2015 revisions require that the safeguarding provisions of DFARS 252.204-7012 be flowed down to subcontractors without modification.
The NIST Requirements set out guidelines to protect controlled unclassified information that resides on contractor information systems. To comply with NIST SP 800-171, contractors must meet fourteen families of security requirements for safeguarding unclassified covered defense information. These families of requirements derive from the standards outlined in Federal Information Processing Standards Publication 200 and NIST SP 800-53. Together, these standards represent the basic requirements for safeguarding controlled unclassified information residing on contractor information systems. The families of requirements include the following:
While the DoD has directed contractors to implement the NIST Requirements as soon as practical but not later than December 31, 2017, it has not established guidelines for contractor implementation. Similarly, NIST neither requires any particular technological solution, nor does it require contractors to purchase (or refrain from purchasing) any particular hardware or software, or overhaul their existing systems in order for contractors to implement the NIST Requirements. However, NIST does, within the context of its 800-171 requirements, guide contractors to adequately protect information “using the systems they already have in place, rather than trying to use government-specific approaches.” (See the NIST SP 800-171, page vi.) In short, NIST guidelines attempt to overlap with contractors’ existing security processes and also give contractors flexibility to implement alternative but equally effective security measures to satisfy a given requirement.
Large contractors likely have robust security systems already in place, so they probably do not need to make drastic changes and are more likely to be compliant with the NIST Requirements already. Smaller contractors, however, are more likely to need significant changes to their existing systems in order to become compliant. To comply with the NIST Requirements, all contractors—regardless of size—must read the guidelines carefully, document what their existing systems are, and assess how those systems measure up to the requirements outlined in NIST SP 800-171. As contractors implement the NIST Requirements to eliminate or minimize the risk of unauthorized access, use, disclosure, disruption, modification or destruction of information they maintain on behalf of the government, NIST strongly advises that contractors review the listing of security controls in Appendix E of NIST SP 800-171, titled “Tailoring Criteria, Listing of Moderate Security Control Baseline and Tailoring Actions,” to ensure that their security implementation provides sufficient protection against a range of cyberattacks (See the NIST SP 800-171 Cautionary Note, page v.).
The regulations indicate a shift in the DoD’s priorities toward greater attention to the protections necessary to safeguard against cyberattack. As part of their assessment, contractors should determine whether their security systems measure up to the NIST Requirements and adjust accordingly so as to become compliant over the next year and a half, by the December 31, 2017, final deadline. Notwithstanding the extension of time allotted by the December interim rule, contractors should, as one commentator indicated, “be wary of slowing down NIST 800-171 implementation.” While there is minimal guidance on implementing the NIST standards, contractors should, as a practical matter, assess the adequacy of their programs for safeguarding their information systems. Discussion continues among industry and government stakeholders about implementation of the NIST Requirements. For example, the Aerospace Industries Association (AIA) is currently engaged with the National Archives and Records Administration (NARA), NIST and the Defense Procurement and Acquisition Policy (DPAP) office to establish suggested approaches that may assist contractors in becoming compliant with the NIST Requirements. Given the current state of cyber activity, the protection of sensitive federal information while it resides on contractor information systems is of paramount importance to national security.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.