Government Contracts Monitor

DoD Gives Contractors More Time to Comply with Data Security Rules

January 11, 2016

By: Eric Whytsell

On December 30, 2015, the Department of Defense issued a new interim rule (80 FR 81472) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to give contractors additional time to implement security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. This second interim rule amends DFARS 252.204–7008, Compliance with Safeguarding and Covered Defense Information Controls, and DFARS 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

The initial interim rule published in the Federal Register (80 FR 51739) on August 26, 2015 implemented section 941 of the National Defense Authorization Act (NDAA) for Fiscal Tear (FY) 2013, section 1632 of the NDAA for FY 2015, and DoD policies and procedures with regard to cloud computing. Unfortunately – and to the consternation of many government contractors – that first interim rule provided no grace period for achieving compliance with its revised requirements for the safeguarding of covered defense information and compliance with the security requirements in NIST SP 800–171, ‘‘Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,’’ which establishes requirements specifically tailored to protecting sensitive information residing in contractor information systems.

In an attempt to address contractors’ concerns regarding implementation of the first interim rule, DoD held a public meeting on Monday, December 14, 2015. Various topics concerning the first interim rule were discussed (presentation slides are here), including scope, applicability, training, subcontractor flowdown, and implementation issues. Industry representatives specifically expressed to DoD, both prior to and at the public meeting, the need for additional time to implement the security requirements specified by NIST SP 800–171. This dialog with industry resulted in DoD’s second interim rule, which among other things extends the deadline for compliance with NIST SP 800-171 for two years, to December 31, 2017.

The recent interim rule also, however, amended DFARS clause 252.204–7012 to require contractors to notify the DoD Chief Information Officer (CIO) of any NIST SP 800–171 security requirements that are not implemented at the time of contract award, within 30 days of contract award. The stated purpose of this requirement is to allow the DoD “to monitor [compliance] progress across the Defense industrial base, identify trends in the implementation of these requirements and, in particular, identify issues with industry implementation of specific requirements that may require clarification or adjustment,” as well as helping the Department to better assess the overall risk to DoD covered defense information on unclassified contractor systems and networks. In other words, contractors still need to be working on achieving compliance – and must essentially report to the DoD about their progress whenever they win a contract.

The newly issued rule makes a number of other changes, including:

Amending the subcontractor flowdown requirements in DFARS clauses 252.204–7009 and 252.204–7012 to require the clauses’ flow down, when applicable, without alteration except to identify the parties.
Further amending the subcontractor flow down requirement in DFARS clause 252.204–7012 to limit the required flow down to subcontractors whose efforts will involve covered defense information or where they will provide operationally critical support.
Removing from DFARS clause 252.204–7012 the requirement for DoD CIO acceptance of alternative but equally effective security measures prior to award.

Comments on the interim rule must be submitted in writing to the address shown below on or before February 29, 2016 to be considered in the formation of a final rule.

Attorneys