Data protection and cybersecurity have been receiving ever-increasing attention within the U.S. federal government. Last October, the U.S. Department of Defense (“DoD”) issued two final rules that changed the DoD Federal Acquisition Regulations Supplement (“DFARS”) at 48 C.F.R. sections 204.73, Safeguarding Covered Defense Information; 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls; 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information; and 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.[1] In short, these provisions require DoD contractors to provide adequate security to safeguard “covered defense information” on their unclassified information systems that support the performance of work under a DoD contract, and to report cyber incidents – as defined in the regulations – that may affect such companies’ unclassified information systems and/or the covered defense information that may reside therein.
Covered Defense Information
Under the final DFARS regulations and contract clauses referenced above, DoD contractors and subcontractors who possess, store or transmit “covered defense information” must (i) comply with the security requirements in U.S. National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations; (ii) address the safeguarding of “covered defense information”; (iii) report cyber incidents involving covered defense information; and (iv) report any cyber incident that may affect the ability to provide operationally critical support. For purposes of these regulations, “covered defense information” is defined as “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (“CUI”) Registry at archives.gov, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and is:
- Marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
As DoD contractors may possess or obtain information that meets the DFARS definition of “covered defense information,” such companies’ DoD prime contracts likely now include DFARS clauses 252.204-7008, 252.204-7009, and 252.204-7012, and such companies must flow down these clauses in their subcontracts with subcontractors who will also have access to covered defense information.
Mandatory Compliance with NIST SP 800-171
Under the final DFARS regulations, and to the degree that a company’s information technology (“IT”) system collects, develops, receives, transmits or stores covered defense information, the company is required, at a minimum, to implement NIST SP 800-171 as soon as practicable, but not later than December 31, 2017.[2] Furthermore, for all contracts (and subcontracts) involving covered defense information that are awarded prior to October 1, 2017, the regulations require the company to notify the DoD Chief Information Officer, within 30 days of contract award, of any security requirements specified by NIST SP 800-171 that have not been implemented at the time of contract award.[3]
Subcontractor “Flowdown” Requirements
The requirements of 252.204-7009 and 252.204-7012 include “flowdown” provisions mandating that DoD contractors subject to the rules incorporate these clauses into their subcontracts with subcontractors who either provide “operationally critical support” and/or are involved with covered defense information. The language must be included in applicable subcontracts “without alteration, except to identify the parties.”
Cyber Incident Reporting
DFARS 252.204-7012 requires cyber incident reporting when a contractor or subcontractor discovers that actions taken through the use of computer networks have resulted in a compromise, or an actual or potentially adverse effect, on a covered IT system and/or the covered defense information residing within that covered IT system. The regulation provides a detailed process for investigating the cyber incident and reporting it to the DoD and to the prime contractor (or next higher-tier subcontractor). In order to report cyber incidents, DoD contractors, if they have not already done so, must obtain a DoD-approved medium assurance certificate.[4]
1. DFARS final rule, 81 FR 72986, Oct. 21, 2016.
2. NIST SP 800-171 was first published in June 2015 and is largely derived from Federal Information Processing Standard (FIPS) 200 and NIST SP 800-53, which was previously the DoD requirement. This change has been viewed favorably, as SP 800-171 consists of more tailored criteria than SP 800-53 and specifically focuses on the protection of controlled unclassified information in nonfederal information systems and organizations.
3. To the degree that a DoD contractor uses an external cloud service provider to store, process, or transmit any covered defense information in the performance of a contract and/or subcontract, the final regulations require the cloud service provider to meet security requirements equivalent to those established by the federal government for the Federal Risk and Authorization Management Program (“FedRAMP”) Moderate baseline.
4. The webpage iase.disa.mil provides information on how to obtain this certificate.
Client Alert 2017-086