Recent Updates to DFARS Cybersecurity Rule
- On Wednesday, November 18, 2015, DoD published a new DFARS Procedures, Guidance, and Information (PGI) section, and a Frequently Asked Questions (FAQ) page on the rule.
- On December 14, 2015, DoD hosted an “Industry Implementation Information Day” to brief industry on the rule and address questions regarding its implementation. Slides from the presentation are available here.
- Although the public comment period for the interim rule already closed on Friday, November 20, 2015, the latest DFARS Open Case tracking document maintained by the DoD Defense Procurement and Acquisition Policy (DPAP) office indicates there is a second interim rule under DFARS Case 2013-D018 that will be published soon.
NOTE: See UPDATE below on the New Interim Rule published December 30, 2015.
New PGI and FAQ
Some key highlights from the new PGI and FAQ include:
- The PGI states that the “requiring activity” and the contracting officer will work together to identify when “covered defense information” will be required under a contract. The contracting office must ensure covered defense information is identified in the contract. The contracting office must use the Contract Data Requirements List (CDRL), when appropriate, to direct the contractor to apply the appropriate DoD Distribution Statement markings. PGI 204.7303-1.
- The PGI now includes a link to the FAQs, which presumably will be updated regularly (the DFARS rule, and the new PGI and FAQs are silent on updates). PGI 204.7303-2.
- The FAQs confirm that the new DFARS cybersecurity safeguarding clause, 252.204-7012, is not applied retroactively, but “that does not preclude a contracting officer from modifying an existing contract to add the clause in accordance with the terms of the contract.”
- DoD attempts to clarify the subcategory definitions of “covered defense information.”
- The FAQs provide more information on what DoD considers “operationally critical support” and state that the contract will identify when a contractor would provide “operationally critical support.”
- The FAQs state that the “catch-all” fourth subcategory of covered defense information is “information [that] will most likely continue to be required to be safeguarded under the emerging Federal [Controlled Unclassified Information (CUI)] policy.”
- However, the FAQs do not provide further clarity on the subcategories “export control” or “critical information (operations security).” See our previous comments and concerns on those definitional subcategories here.
- For marking Unclassified Controlled Technical Information (UCTI) the FAQs state that the controlling DoD office (as defined in DoDI 5230.24 Distribution Statements on Technical Documents, August 2014) will review all UCTI to verify that document Distribution Statements are valid. For contractor-developed UCTI, the DoD will use the CDRL DD Form 1423, Block 9, to direct specific Distribution Statement requirements, and the DoD controlling office will “ensure that the requiring activity validates the contractor's execution of the Government's distribution statement marking instructions prior to delivery and acceptance of the technical data products.”
- The FAQs include a long section specifically addressing the NIST SP 800-171 security requirements. Although DoD provided some relief from the multi-factor authentication standards when it issued DFARS Class Deviation 2016-0001 on Oct 8, 2015, which allows contractors up to nine (9) months to implement multi-factor authentication, the FAQs reflect very little additional flexibility in implementing the remaining 800-171 security standards. For example, the FAQs underscore that cryptography must be FIPS validated, not just FIPS approved. (Under DFARS 252.204–7008, contractors may propose to deviate from the NIST SP 800-171 security requirements by submitting a written explanation to the Contracting Officer before contract award explaining why a particular security requirement may not be applicable or how an alternative security measure can achieve equivalent protection. An authorized representative of the DoD CIO will provide an assessment of the proposed deviation to the contracting officer.)
December 14, 2015 Industry Meeting
On December 14, 2015, DoD hosted an “Industry Implementation Information Day” to brief the public on the rule and to address questions regarding its implementation. Unlike most public meetings held in connection with a published rulemaking, the meeting was not open to public comment on a public docket. Rather, additional questions or comments are to be submitted via email at the following email address: email@example.com.
Some key highlights of the meeting included DoD personnel commenting on the following:
Clarification of Definitions
- DoD personnel clarified that the “catch-all” under the fourth subcategory of “covered defense information” (CDI) includes some Controlled Unclassified Information (CUI) but not all. Rather, DoD has limited the scope of CUI that it believes qualifies as CDI based on its own agency needs. The National Archives and Records Administration (NARA) was designated as the government-wide CUI Executive Agent under Executive Order 13556, Controlled Unclassified Information, November 4, 2010, and is finalizing a CUI Registry for approved government-wide CUI categories and subcategories. Thus, DoD has indicated that other government information considered CUI (i.e., on the final CUI Registry) may not necessarily fall under DoD’s catch-all requirements of this DFARS rule.
- DoD plans to insert the term “compromise” in DFARS 252.204-7012 to ensure the definition of “cyber incident” is consistent throughout DFARS clauses. DoD clarified that it will be using the definition of “compromise” found in Committee on National Security Systems Instruction (CNSSI) No. 4009:
Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.
- DoD acknowledged this definition will require judgment on behalf of the contractor when determining whether there was an actual compromise, i.e., contractors will have to determine whether DoD information or a covered system was harmed or whether the incident was a mere nuisance.
- In expanding protection and reporting requirements to “covered contractor information systems,” a DoD representative stated that the rule contemplates that a “system” is where the CDI is located. Thus, if the CDI is on an enterprise system, the entire system must be protected. If the information is limited to one particular server, only that server must be protected.
When CDI Appears During Contract Performance
- DoD presenters stated that when CDI is not anticipated in the contract, but later becomes a part of the procurement, DoD anticipates that the contracting officer will work with the contractor for a bilateral modification with appropriate consideration, which will allow contractors to negotiate timing and price associated with becoming compliant with the interim rule. Accordingly, this will most likely require prime contractors to also work with their subcontractors to become compliant if a subcontractor system houses CDI. Thus, contractors should ensure that requirements are applied to teammates and subcontractors, as applicable.
- Under the interim rule, NIST SP 800-171 controls are deemed the baseline (i.e., contractors subject to this rule must, at a minimum, comply with NIST SP 800-171). Contracting officers may seek to impose additional security requirements as part of the contract negotiation process. Contractors should continue to review solicitations for any additional requirements and work with contracting officers to reach a mutual understanding of the full scope of controls required. Additionally, if contractors find that a contracting officer prescribes additional controls that conflict with NIST SP 800-171, they should escalate the matter to the appropriate authority to resolve any discrepancy.
- The cloud computing portion of the interim rule received little attention during the meeting. However, DoD reiterated that Cloud Service Providers (CSPs) are required to use the same processes for reporting cyber incidents as provided for in the safeguarding portion of the rule, including the use of the Defense Industrial Base (DIB) portal at http://dibnet.DoD.mil for reporting cyber incidents. Thus, CSPs should ensure they are knowledgeable of the interim rule’s overall requirements including how to use the DIB portal.
New Interim Rule?
While the public meeting was a welcome sign for industry, the fact that there is apparently a parallel rulemaking underway before public comments were even received on the first interim rule is concerning. The Open DFARS Cases list as of December 17, 2015 identifies a second interim rule under the same case number of the existing DFARS rule (DFARS Case 2013-D018). The Open DFARS Cases report says this second interim rule was submitted to the DAR Council 10/14/2015, cleared by OIRA 11/6/2015, and is currently being prepared for publication.
UPDATE – The new DFARS interim rule discussed above was published December 30, 2015. Among other changes, this second interim rule revises the DFARS to allow contractors up to December 31, 2017 to fully implement the NIST 800-171 requirements. See our blog post on the second interim rule here.