The Department of Defense recently adopted as final, with a number of significant changes, an interim rule implementing several provisions from the 2013 and 2015 National Defense Authorization Acts and the 2014 Intelligence Authorization Act. The final rule, which took effect on October 21, 2016, addresses contractor reporting on network penetration (hacking) and provides guidance on the procurement of cloud services.
First, the definition of “covered defense information” in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is amended to clarify that information shall only be designated as covered defense information if it is “controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry) that requires safeguarding or dissemination controls and is (1) marked or otherwise identified in the contract and provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or is (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
Next, the rule now expressly states that all covered contractor information systems must be protected in accordance with DFARS 252.204-7012. The rule amends the definition of “covered contractor information system” to clarify that it is an unclassified information system “owned or operated by or for a contractor and that processes, stores or transmits defense information.”
Third, the rule further amends DFARS 252.204-7012 to offer contractors guidance on the process of requesting a variance or deviation from the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. Under the amended rule, a contractor can request such a variance when it believes its own security measures are as effective as those required by the NIST guidelines.
The final rule also clarifies that DFARS 252.204-7012 need only be flowed down to subcontractors where covered defense information is necessary for performance of the subcontract.
Fifth, DFARS 252.204-7012 now requires contractors to ensure that external cloud service providers (CSPs) “used in performance of the contract to store, process, or transmit any covered defense information” both (i) meet security requirements equivalent to those under the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (available at https://www.fedramp.gov/resources/documents/); and (ii) “comply with requirements in the clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”
The rule applies to new contracts, but existing contracts can be bilaterally modified to incorporate its terms. Given this, to the extent a contractor anticipates its prime contracts being updated with the newer version of DFARS 252.204-7012, it should consider proactively engaging its relevant subcontractors before the new requirements are formally imposed, in order to ensure full compliance by the deadline of the end of 2017.
Contractors should consult their legal advisors or contact the PTAC to fully understand this new rule.