In a move that highlights the changing winds of federal cybersecurity policy, the Department of Defense (“DoD”) has issued an interim Rule (“Rule”) that imposes new security and reporting requirements on federal contractors, and new requirements for DoD cloud computing contracts.
The Rule requires federal contractors to report cyber incidents that result in an actual or potentially “adverse effect” on covered defense information (CDI), a covered contractor information system (a federal contractor’s information system that handles CDI), or on a contractor’s ability to provide operationally critical support. CDI includes “controlled technical information, export controlled information, critical information, and other information requiring protection by law, regulation or Government-wide,” but does not include classified information, which is governed by a separate rule. The Rule also imposes restrictions on cloud computing contracts, including that data covered by the contracts be maintained within the 50 states.
This Rule comes in the wake of high-profile security breaches of information maintained on federal systems. The Rule, at Defense Federal Acquisition Regulation Supplement (DFARS)-2015-0039 and issued on Aug. 27, 2015, is effective immediately without the normal public comment period due to the urgency of protecting CDI. The Rule revises the DFARS to implement two key provisions of the National Defense Authorization Acts for Fiscal Years 2013 and 2015. Specifically, the Rule implements the provision of the 2013 Act that requires cleared defense contractors to report breaches of networks and covered information systems and to allow DoD personnel to access those networks to assess the impact of the reported security breach.
The Rule also implements the provision of the 2015 Act requiring a contractor designated as operationally critical to report each cyber incident that occurs on that contractor’s network. Finally, the Rule implements policies formulated by DoD’s Chief Information Officer (“Updated Guidance on the Acquisition and Use of Cloud Computing Services,” Dec. 15, 2014, and “Cloud Computing Security Requirements Guide,” Jan. 13, 2015) for procurement of cloud computing services from federal contractors. Here, the express objective of the Rule is to ensure uniform application of these policies throughout DoD when contracting for cloud services.
The Rule also increases cybersecurity requirements for federal contractors who maintain DoD information on their networks and systems. The new provisions of the Rule significantly expand the safeguarding and reporting requirements associated with the protection of CDI.
The Rule changes the table of security controls contractors were previously required to utilize from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 to NIST SP 800-171. NIST SP 800-171, entitled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” is a publication specifically tailored for use in protecting CDI.
As referenced above, the Rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or CDI residing on that system, or on a contractor’s ability to provide operationally critical support. The Rule defines a “cyber incident” as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” The term “compromise” means “the disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.” The term “media” means physical devices or writing surfaces onto which CDI is recorded, stored or printed within a covered contractor information system.
DoD is working to establish a single reporting mechanism for DoD contractor reporting of cyber incidents on unclassified information systems. Cyber incidents involving classified information on classified contractor systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual.
Should a contractor discover a cyber incident that affects a covered contractor information system or CDI, or that affects the contractor’s ability to perform the requirements of the contract, the contractor must do the following:
- Conduct a thorough review of the contractor’s information systems for evidence of compromise of CDI;
- Rapidly report the incident (within 72 hours) to DoD at http://dibnet.dod.mil;
- Submit to DoD any malicious software associated with the incident;
- Preserve images of all known affected information systems for at least 90 days from the submission of the cyber incident report to allow DoD to request or decline the media;
- Upon request by DoD, provide access to information or equipment for the purpose of a forensic analysis; and
- If DoD elects to conduct a damage assessment, provide a damage assessment.