DoD Amends its DFARS Safeguarding and Cyber Incident Reporting Requirements with a Second Interim Rule
The new interim rule gives contractors significantly more time to implement all of the requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. DoD issued this new interim rule without the prior opportunity for public comment “to provide immediate relief from the requirement to have NIST 800-171 security requirements implemented at the time of contract award.”
Highlights of the new interim rule
Specifically, the interim rule amends the data safeguarding requirements of the Defense Federal Acquisition Regulation Supplement (DFARS) as follows:
- Contractors are directed to implement 800-171 standards “as soon as practical, but not later than December 31, 2017.” Also, the interim rule has revised DFARS 252.204-7008(c)(1) to include a statement that an offeror “represents that it will implement” the 800-171 security requirements not later than December 31, 2017.
- Contractors must notify the DoD Chief Information Officer (CIO), within 30 days of award, of any 800-171 security requirement that has not been implemented at the time of contract award. Absent that notice, it appears that DoD will presume contractors are meeting all of the 800-171 security requirements.
- Contractors are no longer required to have a written approval from the DoD CIO prior to contract award authorizing any “alternative but equally effective” security measures. The interim rule states that an “authorized representative of the DoD CIO” will “adjudicate” offeror requests to vary from the 800-171 requirements, prior to contract award, and any accepted variance “shall be incorporated into the resulting contract.” Revised DFARS 252.204-7008(c)(2)(ii).
- The new interim rule amends the DFARS flow-down requirements as follows:
  - Previously, covered DoD contractors were required to flow down the substance of the safeguarding clause (DFARS 252.204-7012) to all of their subcontractors. Now, the exact phrasing of the clause must be flowed down “without alteration,” except as needed to identify the contracting parties subject to the clause. However, the flow down of DFARS 252.204-7012 is now limited only to subcontracts, “or similar contractual instruments,” that are 1) for operationally critical support or 2) involve a covered contractor information system.
  - Similarly, DFARS 252.204-7009 is amended so that the exact clause must be flowed down without modification, except as needed to identify the contracting parties subject to the clause.
  - DoD subcontractors should expect that DoD prime contractors may flow down the relevant clauses out of an abundance of caution if there is any uncertainty as to whether a subcontractor will come across a covered information system or “covered defense information” during subcontract performance.
- The new interim rule reiterates that, when the safeguarding clause is flowed down (DFARS 252.204-7012), the prime contractor must also require subcontractors to “rapidly report cyber incidents directly to DoD at http://dibnet.dod.mil and the prime Contractor. This includes providing the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable.” Revised DFARS 252.204-7012 (m)(2).
Contractors Should be Wary of Slowing Down NIST 800-171 Implementation
While contractors will welcome the additional time to complete and implement the required 800-171 procedures, contractors will want to diligently continue their gap assessment and implementation activity with respect to compliance with 800-171. Various other government-wide cybersecurity efforts are expected to enforce 800-171 compliance on contractors handling Controlled Unclassified Information (CUI) in 2016. Other initiatives include:
- On May 8, 2015, NARA issued a proposed rule on agencies’ safeguarding, marking, and disposal of CUI. 80 Fed. Reg. 26,501 (May 8, 2015). The NARA rule, which is expected to be final in early 2016, will require all federal agencies and contractors handling CUI for an agency to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program. NARA states in the rule that the CUI Program is in the middle of a three-part implementation plan to: 1) finalize the NARA proposed CUI rule in 32 CFR § 2002; 2) finalize NIST 800-171 (which was completed in June 2015); and 3) release a single FAR rule on CUI. When the NARA rule is finalized, contractors handling CUI should anticipate that their customer agencies may require compliance with NIST 800-171 standards.
- On August 11, OMB issued “proposed guidance” on “Improving Cybersecurity Protections in Federal Acquisitions.” The guidance is intended to “take major steps toward implementing strengthened cybersecurity protections in federal acquisitions[,] thus mitigating the risks of potential incidents.” The OMB Guidance specifically directs agencies to require their contractors that handle CUI to meet the requirements of NIST 800-171.
The DFARS interim rule applies to DoD “covered defense information,” which DoD has acknowledged in its most recent FAQs and at its most recent industry meeting is an agency-specific category of CUI. However, as the federal government continues to move ahead this year with implementing CUI requirements government-wide under the initiatives above, contractors that are working with CUI or anticipate doing so in the future should continue to examine their existing information systems and review them against the 800-171 security standards. Attorneys at Hogan Lovells will be addressing this rule and other cybersecurity developments at this year’s West Government Contracts Year-in-Review Conference February 16-19, 2016. For additional information about this topic, please contact the authors of this posting or the Hogan Lovells attorney with whom you work.