Last week, the Department of Defense adopted as final, with several changes, its interim rule amending the DFARS on “Network Penetration Reporting and Contracting for Cloud Services.”  The changes went into effect immediately, as of October 21, 2016.

Among the changes in the final rule, DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, was amended to:

  • Specify that contractors are obligated to implement the information protection requirements on all covered contractor information systems;
  • Provide additional guidance on requests to vary from National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”;
  • Clarify that contractors are not required to implement a particular security requirement if an authorized DoD representative agrees that it is not applicable or that an alternative, but equally effective, security measure is in place;
  • Require contractors to ensure that external cloud service providers (“CSPs”) used in performance of the contract to store, process, or transmit covered defense information meet the security requirements of the Government’s Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline, and also comply with the other security and reporting requirements in the clause;
  • Clarify that flowdown to subcontractors is required only when covered defense information is necessary for performance of the subcontract;
  • Clarify that the prime contractor shall require its subcontractors to notify the prime when they submit requests to the Contracting Officer to vary from the NIST SP 800-171 security requirements.

In addition, the final rule also effectuated other changes to existing DoD regulations regarding the safeguarding of unclassified covered defense information within industry:

  • The definition of “covered defense information” was amended to clarify that, in order to be covered defense information, the information must be controlled technical information or information in a category listed in the Controlled Unclassified Information (“CUI”) Registry. This change aligns the DFARS rule with the final rule issued last month by the National Archives and Records Administration (“NARA”), which reinforced the CUI Registry as the exclusive means of designating CUI throughout the executive branch.
  • The definition of “covered contractor information system” was amended to clarify that it is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
  • DFARS 204.7304 was amended to specify that the associated provision at DFARS 252.204-7008 (Compliance with Safeguarding Covered Defense Information Controls) and clause at DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) are not prescribed for use in solicitations or contracts solely for the acquisition of commercially available off-the-shelf (“COTS”) items.
  • DFARS 239.7602-1 was amended to provide two exceptions under which a Contracting Officer may award a contract to acquire cloud services from a cloud service provider that has not been granted a provisional authorization by the Defense Information Systems Agency (“DISA”).
  • DFARS clause 252.204-7000 was amended to clarify that “fundamental research” must not involve any covered defense information.

Along with the final rules issued by NARA and the FAR Council within the last five months, last week’s final rule from DoD confirms that the safeguarding of contractor information and information systems, and the reporting of cyber incidents, remain issues of paramount importance to federal agencies.  Because these rules apply broadly, are complex, and impose significant compliance and reporting obligations, studying them and understanding their implications is critical for nearly all federal contractors, including small business contractors.

In all likelihood, these rules are the first step in a series of coordinated regulatory actions, taken or planned, to strengthen the protection of information systems.  Contractors should expect additional rules and regulations in the coming months, including clarification of the cyber incident reporting requirements under the current FAR clause (FAR 52.204-21).