On August 25, 2015, the Department of Defense (“DoD”) issued interim rule DARS-2015-0039, which amends the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement a network penetration reporting requirement for contractors. Additionally, this rule implements DoD policy on the purchase of cloud computing services.
The interim rule requires that all DoD cloud contractors and subcontractors “report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support.” Previously, contractors were required to report cyber incidents that affected “controlled technical information” but were not required to report other cyber events. The new definition of covered defense information includes a wider range of data types, including unclassified information that is “(i) provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or (ii) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract,” among other categories of information.
The interim rule revises the DFARS to implement two sections of the National Defense Authorization Act (“NDAA”), section 941 of the NDAA for FY 2013 and section 1632 of the NDAA for FY 2015. Section 941 of the NDAA for FY 2013 requires cleared defense contractors to report penetrations of networks and information systems and allows DoD personnel access to equipment and information to assess the impact of reported penetrations. Section 1632 of the NDAA for FY 2015 requires that a contractor designated as operationally critical must report each time a cyber incident occurs on that contractor’s network or information systems. The interim rule defines the term “cyber incident” to mean “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein” and defines the term “compromise” to mean “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”
The interim rule further requires “DoD and its contractors and subcontractors [to] provide adequate security to safeguard covered defense information on their unclassified information systems from unauthorized access and disclosure” and requires contractors and subcontractors to submit to DoD: (i) A cyber incident report; (ii) Malicious software, if detected and isolated; and (iii) Media (or access to covered contractor information systems and equipment) upon request.” It also imposes a “rapid reporting” requirement requiring a report be issued to DoD “within 72 hours of discovery of any cyber incident.”
In addition, the rule implements DoD policies and procedures for use when contracting for cloud computing services. The DoD Chief Information Officer (CIO) issued a memo on December 15, 2014, entitled ‘‘Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services’’ to clarify DoD guidance when acquiring commercial cloud services. The DoD CIO also released a Cloud Computing Security Requirements Guide (“SRG”) Version 1, Release 1 on January 13, 2015, for cloud service providers to comply with when providing the DoD with cloud services. The interim rule implements these new policies developed within the DoD CIO memo and the SRG to ensure that the process for contracting for cloud services is uniformly applied across the DoD.
DoD has made the interim rule effective immediately, without waiting for the completion of the public comment period based on a determination that “urgent and compelling reasons exist to promulgate this interim rule without prior opportunity for public comment.” Specifically, DoD cited the “urgent need to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors” as the basis for this determination. Despite its immediate effectiveness, interested persons are still permitted to submit comments until October 26, 2015, via the Regulations.gov website, via email to email@example.com, or by fax or mail.
The DoD states that “[t]he combination of the [network penetration reporting requirements] as well as the cloud computing policy will serve to increase the cyber security requirements placed on DoD information in contractor systems and will help the DoD to mitigate the risks related to compromised information as well as gather information for future improvements in cyber security policy.”
The implementation of this rule comes in response to recent incidents targeting the government, including the breaches of the Office of Personnel Management systems earlier this year. The DoD explained that “[r]ecent high-profile breaches of Federal information show the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts. Failure to implement this rule may cause harm to the Government through the compromise of covered defense information or other Government data, or the loss of operationally critical support capabilities, which could directly impact national security.”
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.