Defense Department Issues Final Rule Modifying DFARS Provisions on System Security, Cyber Incident Reporting, Cloud Computing, and Network Penetration
November 2, 2016
By: Eric Whytsell
The DOD recently adopted as final, with changes, an interim rule implementing several provisions from the 2013 and 2015 National Defense Authorization Acts and the 2014 Intelligence Authorization Act. The final rule, which took effect on October 21, 2016, addresses contractor reporting on network penetration and provides guidance on the procurement of cloud services.
The final rule makes a number of significant changes from the interim rule that clarify or alter its application and requirements.
First, the definition of “covered defense information” in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is amended to clarify that information shall only be designated as covered defense information if it is “controlled technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry) that requires safeguarding or dissemination controls and is (1) marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.” This change ensures that the DFARS definition is consistent with the National Archives and Record Administration’s definition of “Controlled Unclassified Information” published in the Federal Register on September 14, 2016. It also amends DFARS 252.204-7000, Disclosure of Information, to “clarify that fundamental research, by definition, must not involve any covered defense information.”
Next, the rule now expressly states that all covered contractor information systems must be protected in accordance with DFARS 252.204-7012. The rule amends the definition of “covered contractor information system” to clarify that it is an unclassified information system “owned or operated by or for a contractor and that processes, stores or transmits defense information.” It also amends DFARS 204.7304 to make clear that DFARS 252.204-7012 and 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, do not apply to solicitations and contracts “solely for the acquisition of commercially available off-the-shelf (COTS) items.” However, the guidance declined to state whether the changes to DFARS 252.204-7012 will apply to contracts below the Simplified Acquisition Threshold (SAT), or to contracts for the acquisition of Commercial Items, including COTS items (as opposed to those solely for COTS items), leaving that decision to the Director, Defense Procurement and Acquisition Policy.
Third, the rule further amends DFARS 252.204-7012 to offer contractors guidance on the process of requesting a variance or deviation from the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. Under the amended rule, a contractor can request such a variance when it believes its own security measures are as effective as those required by the NIST guidelines, even though they may not meet the NIST specifications. Such a request may be submitted before or after award. According to the guidance, when a contractor requests an alternative or exception to the security requirements in NIST SP 800-171, it must provide the contracting officer a written explanation for why it believes the security requirement does not apply or how its alternative proposed solution can meet the intent of the NIST standard. The contracting officer will then refer the proposal to the DoD CIO, who is responsible for determining whether the proposed solution will meet the DoD’s needs, or whether the exception is otherwise warranted. The DoD CIO notifies the contracting officer, who then passes the decision onto the contractor. The guidance states that the “timeframe for response” from the DoD CIO is typically five business days. If an authorized representative of the DoD Chief Information Officer (CIO) has adjudicated the contractor’s request for a variance from NIST SP 800–171 and determined the subject security requirement to be inapplicable or that an alternative, but equally effective, security measure exists, the contractor shall not be required to implement that specific NIST SP 800-171 security requirement.
The final rule also clarifies that DFARS 252.204-7012 need only be flowed down to subcontractors where covered defense information is necessary for performance of the subcontract, and that contractors may consult with the contracting officer, if necessary, when uncertain if the clause should flow down. Like prime contractors, subcontractors may request a variance from the NIST information security standards; to do so, a subcontractor should submit a request to the contracting officer, and must notify the prime contractor (or next higher-tier subcontractor) if it submits such a request.
Fifth, DFARS 252.204-7012 now requires contractors to ensure that external cloud service providers (CSPs) “used in performance of the contract to store, process, or transmit any covered defense Information” both (i) meet security requirements equivalent to those under the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (available at https://www.fedramp.gov/resources/documents/); and (ii) “comply with requirements in the clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”
Finally, the final rule amended DFARS 239.7602-1(b) to establish two exceptions to the rule that contracting officers shall only award a contract to acquire cloud computing services from a CSP (at any tier) that has been granted provisional authorization by Defense Information Systems Agency, at the level appropriate to the requirement, to provide the relevant cloud computing services in accordance with the version of the Cloud Computing Security Requirements Guide in effect at the time the solicitation is issued or as authorized by the contracting officer. Under these exceptions, such provisional authorization is not required if: (i) the DoD Chief Information Officer waives the provisional authorization requirement; or (ii) the cloud computing service requirement is for a private, on-premises version that will be provided from U.S. Government facilities. Under this circumstance, the cloud service provider must still obtain a provisional authorization prior to operational use.
The rule is applicable to new contracts but existing contracts can be bilaterally modified to incorporate its terms. This modification can be initiated by either the government or the contractor. Significantly, all the requirements in the final rule are to be fully implemented by the end of 2017, but the commentary explains that the inclusion of the phrase “as soon as practical” in DFARS 252.204-7012 was intended “to encourage contractors to begin implementing the security requirements in NIST SP 800–171 prior to the December 31, 2017, deadline, but allows contractors to exercise their own judgment when planning.” Given this, to the extent a contractor anticipates its prime contracts being updated with the newer version of DFARS 252.204-7012, they should consider proactively engaging their relevant subcontractors before the new requirements are formally imposed in order to ensure full compliance by the deadline.
Carrie Willett and Eric Whytsell are responsible for the contents of this Article.
© 2016 Jackson Kelly PLLC