A few days ago, on August 26, DoD issued new interim rules amending the Defense Federal Acquisition Regulations (DFARS) with respect to “network penetration reporting and contracting for cloud services.” The new rules, which are now effective, revise several broadly applicable definitions applicable to numerous parts of the DFARS, expand the incident reporting requirements applicable to contractors, and impose security requirements applicable to cloud computing. DoD contractors need to understand these important new rules, which are summarized here, so that they can perform necessary compliance planning and make any necessary disclosures.
Parts of two National Defense Appropriation Acts, section 941 of the FY 2013 NDAA and section 1623 of the FY 2015 NDAA, imposed requirements that had to be implemented by changes to the DFARS. DoD seeks to address those requirements with its interim rules, which become effective immediately (though comments will be accepted for 60 days).
New Definitions. Three regulatory definitions are added to the DFARS that expand and clarify contractors’ security obligations.
First, “compromise” of a system is defined as a “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”
Second, a “cyber incident” means “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing” within that system.
And third, “media” is defined as “physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.”
The interim rules’ use of phrases like “may have occurred” and “potentially adverse” in the definitions of “compromise” and “cyber incident” (as emphasized above) should give contractors pause with respect to the degree of certainty to which one will be expected to investigate and understand whether a system has been compromised—or a cyber incident has occurred. It is not clear what is required for those thresholds to be satisfied, and contractors will be reasonably concerned that agencies’ after-the-fact judgments about what should have been reported may be more expansive than contractors’ real-time assessments.
Enhanced Reporting Obligations. The DFARS clause included in the interim rules implements statutory requirements that cleared defense contractors must report penetrations of networks and information systems—and that they must provide DoD personnel with access to equipment and information to assess the impact of such penetrations. Specifically, the rules require contractors and subcontractors to report any cyber incident that results in an actually or potentially adverse effect on:
- “a covered contractor information system”; or
- “covered defense information residing” within a covered contractor system; or
- the “contractor’s ability to provide operationally critical support.”
Each phrase used to describe these obligations is defined in the first part of the new contract clause, DFARS 252.204-7012(a), and must be carefully analyzed by a contractor in understanding its reporting obligations. When a contractor discovers a “cyber incident” raising these issues, it must “[c]onduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts.” The contractor also must “analyz[e] covered contractor information system(s)” and information systems on its networks that may have been accessed, analyze the extent of the intrusion, and “[r]apidly report cyber incidents to DoD.”
Notably, DFARS clause 252.204-7009 is included in the interim rule, limiting the use and disclosure of contractor and subcontractor information that is provided in response to actual or potential cyber incidents. This provision provides some protection to contractors being forced to disclose information about their systems.
Cloud Computing. DoD’s interim rule also imposes a series of new requirements regarding how DoD can acquire cloud-based computing services. “Generally, the DoD shall acquire cloud computing services using commercial terms and conditions that are consistent with Federal law, and the agency’s needs” (subject to the restrictions imposed by the rule). A company wishing to provide cloud-based services to DoD must obtain at least a “provisional authorization by Defense Information Systems Agency, at a level appropriate to the requirement” it is seeking to satisfy.
One cloud-related restriction important to service provides is the new DFARS 239.7602-2, which (for “all Government data that is not physically located on DoD premises”) requires storage of DoD data within the United States or outlying areas. Contracting officers can permit storage outside the United States, though they must do so via written notification to the contractor. The interim rule also imposes a series of new security requirements related to cloud-based data storage.
DoD’s interim rule also has cloud-based rules that will be of interest to contractors that are not cloud services providers. For instance, DFARS 252.239-7009 requires contractors providing various types of services to make representations about whether they “anticipate that cloud computing services will be used in the performance of any contract or subcontract resulting from this solicitation.” This certification will need to be carefully considered before submission of a proposal.
* * *
Cyber security is an increasing concern not just for DoD and other parts of the Government, but for all companies and individuals. DoD’s new interim rules provide important additional requirements—and compliance obligations—with which Government contractors must familiarize themselves.