Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors. Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts. The Interim Rule proposes to significantly expand the scope of covered information and to require subcontractors to report cyber incidents directly to the DoD (in addition to prime contractors). Together, these changes will likely increase the scope of potential liability for government contractors and subcontractors who fail to implement adequate cybersecurity measures.
The Interim Rule seeks to enhance cybersecurity protections primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate. Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors. First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls. Second, they must report various cyber incidents to the DoD within 72 hours of their discovery. These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application.
The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI). CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule. But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.” Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes. To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Another notable point of expansion would affect subcontractors. Under the current DFARS Safeguarding Clause, subcontractors suffering a cyber incident must report to the pertinent prime contractor, who then submits the required report to the DoD. Subcontractors do not report directly to the DoD under the current rule. The Interim Rule would continue to require subcontractors to report cyber incidents to their primes, but it would also require subs to submit the required report directly to the DoD, creating the potential for inconsistent reports from the prime and sub regarding the same cyber incident.
Other key provisions of the DFARS Safeguarding Clause, however, would remain same. For example, the Interim Rule would continue to apply to all solicitations and contracts, including those for commercial items. The government would also remain required to protect any proprietary information that contractor reports pursuant to the Interim Rule. The reporting timeline of 72 hours would also remain the same, which the Interim Rule dubs “rapid reporting.” Additionally, and importantly, the Interim Rule would continue to recognize the probability that even information systems with “adequate security” may still suffer a cyber incident. That is, the Interim Rule would explicitly state that the fact that a contractor has suffered a cyber incident and submitted a corresponding report would not necessarily mean that the contractor had failed to comply with the Clause’s broader cybersecurity requirements.
The Interim Rule likely does not come as a surprise to many. Congress passed provisions to the National Defense Authorization Acts of 2013 and 2015 that called for the regulations that the Interim Rule now seeks to implement. The Interim Rule has thus been a long time coming, but that the DoD chose to publish it now seems appropriate. The executive branch has been implementing a whirlwind of cyber regulations specific to federal contractors, all in an effort to stem the nation’s cyber vulnerabilities. Just last week, the Office of Management & Budget released proposed cybersecurity guidance that could lead to further amendments to the Federal Acquisition Regulation (FAR).
Comments on the Interim Rule, which separately addresses cloud computer services, are due in 60 days on or before October 26, 2015.