Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors.  Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts.  The Interim Rule proposes to significantly expand the scope of covered information and to require subcontractors to report cyber incidents directly to the DoD (in addition to prime contractors).  Together, these changes will likely increase the scope of potential liability for government contractors and subcontractors who fail to implement adequate cybersecurity measures.

The Interim Rule seeks to enhance cybersecurity protections primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate.  Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors.  First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls.  Second, they must report various cyber incidents to the DoD within 72 hours of their discovery.  These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application. 

The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI).  CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule.  But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information,  marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.”  Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes.  To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”

Another notable point of expansion would affect subcontractors.  Under the current DFARS Safeguarding Clause, subcontractors suffering a cyber incident must report to the pertinent prime contractor, who then submits the required report to the DoD.  Subcontractors do not report directly to the DoD under the current rule.  The Interim Rule would continue to require subcontractors to report cyber incidents to their primes, but it would also require subs to submit the required report directly to the DoD, creating the potential for inconsistent reports from the prime and sub regarding the same cyber incident.

Other key provisions of the DFARS Safeguarding Clause, however, would remain same.  For example, the Interim Rule would continue to apply to all solicitations and contracts, including those for commercial items.  The government would also remain required to protect any proprietary information that contractor reports pursuant to the Interim Rule.  The reporting timeline of 72 hours would also remain the same, which the Interim Rule dubs “rapid reporting.”  Additionally, and importantly, the Interim Rule would continue to recognize the probability that even information systems with “adequate security” may still suffer a cyber incident.  That is, the Interim Rule would explicitly state that the fact that a contractor has suffered a cyber incident and submitted a corresponding report would not necessarily mean that the contractor had failed to comply with the Clause’s broader cybersecurity requirements.

The Interim Rule likely does not come as a surprise to many.  Congress passed provisions to the National Defense Authorization Acts of 2013 and 2015 that called for the regulations that the Interim Rule now seeks to implement.  The Interim Rule has thus been a long time coming, but that the DoD chose to publish it now seems appropriate.  The executive branch has been implementing a whirlwind of cyber regulations specific to federal contractors, all in an effort to stem the nation’s cyber vulnerabilities.  Just last week, the Office of Management & Budget released proposed cybersecurity guidance that could lead to further amendments to the Federal Acquisition Regulation (FAR).  

Comments on the Interim Rule, which separately addresses cloud computer services, are due in 60 days on or before October 26, 2015.

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kate M. Growley, CIPP/G, CIPP/US Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory…

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Photo of Evan D. Wolff Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical…

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Photo of Maida Oringher Lerner Maida Oringher Lerner

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber…

Maida Lerner is senior counsel in Crowell & Moring’s Washington, D.C. office and a part of the firm’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups. Maida counsels a broad group of clients in a variety of sectors on cyber and physical security compliance and risk management, homeland security, and administrative matters, including trade associations and companies in the pipeline, transportation, government contracts, education, health care, and manufacturing sectors.