Contractors must act now to address the Department of Defense's (DoD's) interim rule on Network Penetration Reporting and Contracting for Cloud Services. The rule adds many new Defense Federal Acquisition Regulation Supplement (DFARS) clauses to all DoD contracts. The interim rule has immediate effect [1], so any government contractor, subcontractor, or supplier should take these five immediate steps to demonstrate compliance with the new requirements:
- Register with the DoD to obtain a mandatory Medium Assurance Certificate. Any contractor or subcontractor reporting a cyber incident under the DFARS must have a certificate in order to make its report [2]. Act now to register for a certificate so you can rapidly report cyber incidents within the limited 72-hour window.
- Identify and mark all Attributional/Proprietary Information. The DoD states in its interim rule that it will try to minimize the disclosure of any attributional/proprietary information included in a cyber incident report that could identify a contractor or its commercially sensitive information. Contractors and subcontractors should therefore identify and mark any such information now in order to prepare for a cyber incident disclosure.
- Consider Employee Nondisclosure Agreements. Support services contractors that assist agencies in managing and responding to cyber incident reports must prohibit their employees from disclosing any information included in the reports. These contractors should develop and enter into NDAs with their employees to prepare to perform cyber incident response-related services.
- Flow down and incorporate the new DFARS clauses. The new DFARS clauses must be incorporated into subcontracts, even commercial item subcontracts and small business subcontracts. Contractors should start incorporating the flow-down provisions into their subcontract templates and teaming agreements to prepare to demonstrate compliance with the new DFARS clauses.
- Monitor existing contracts and task orders. Customers may modify existing contracts and task orders to incorporate the new DFARS clauses. Contractors and subcontractors should monitor all modifications so that they know which new requirements are being imposed upon them.
The new DFARS clauses are wide-reaching, and apply to commercial item contractors, small businesses, and their subcontractors. The analysis below gives details of the many areas of compliance that all contractors must demonstrate.
The DFARS interim rule addresses two high-level issues: 1) contractor safeguarding of covered defense information (CDI) and reporting of network penetrations, and 2) DoD policy for the purchasing of cloud computing services.
Safeguarding CDI and Reporting Network Penetrations
New Safeguarding and Reporting Clause
DoD has renamed DFARS 252.204-7012 to "Safeguarding Covered
Defense Information and Cyber Incident Reporting." The clause,
which formerly focused on unclassified controlled technical
information, now requires the safeguarding of the much broader
range of covered defense information and obligates contractors to
rapidly report within 72 hours cyber incidents that involve CDI, or
that could affect operationally critical support.
CDI: A Broad Term Covering Nearly All DoD Unclassified
Information
The interim rule applies to a wide range of unclassified
information falling under the definition of CDI. Generally, CDI
includes unclassified information that is provided to a contractor
by or on behalf of the DoD in connection
with performance of a contract, or
information that is collected, developed, received, transmitted,
used, or stored by or on behalf of the contractor in support of
contract performance. If any of the information falls into the
following categories summarized below, it is CDI:
- Controlled Technical Information: Technical information with a military or space application that is subject to controls including but not limited to access, use, reproduction, and disclosure. [3]
- Critical Information: Information identified in the operations security process that is vitally needed by adversaries.
- Export Control: Information concerning items, technology, software, or information whose export could reasonably be expected to adversely affect national security and nonproliferation objectives.
- Other Restricted Information: Information, marked or otherwise identified in the contract, requiring safeguard or dissemination controls.
Applies to Covered Contractor Information Systems
Contractors are required to provide adequate security for
CDI on all covered contractor information systems, defined as
systems owned, or operated by or for, a contractor that
processes, stores, or transmits CDI.
Safeguarding Information
The DoD prescribes different safeguarding requirements, depending
on the contractor's system and access.
- Covered contractor information systems that are part of an IT service or system operated on behalf of the government:
  - For cloud computing services, the contractor must comply with the new DFARS clause 252.239-7010, Cloud Computing Services;
  - For any non-cloud computing related IT service or system, other contract requirements apply.
- Covered contractor information systems not part of an IT service or system operated on behalf of the government:
  - Under the interim rule, contractors must safeguard CDI by using the security controls under NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST SP 800-171 was issued shortly before the interim rule, and provides a set of security controls for the contractor to apply in safeguarding CDI. This replaces the specific security controls under NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, that DoD prescribed under its predecessor rule. DoD also allows contractors, under DFARS 252.204-7008, to propose alternative, equally effective security measures to protect CDI in order to compensate for an inability to satisfy a requirement under the clause; contractors may also explain why a particular safeguarding requirement is not applicable in some cases. Any proposed deviation from the safeguarding requirements must be approved, prior to award, by a representative of the DoD CIO.
72-Hour Cyber Incident Reporting
If a contractor discovers a cyber incident, it must investigate
and report the incident to the contracting officer within 72
hours.
- Cyber Incident Discovery
A cyber incident is any action taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. A contractor must investigate any cyber incident that affects: (i) a covered contractor information system or any CDI residing in that system; or (ii) the contractor's ability to perform any parts of a contract designated as operationally critical support. [4]
- Cyber Incident Review for Compromise
Upon discovering a cyber incident, the contractor must conduct a review, seeking evidence of a compromise of covered defense information. A compromise includes the disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media, may have occurred. The review may include:
  - Identifying compromised computers, servers, specific data, and user accounts;
  - Analyzing covered contractor information systems that were part of the cyber incident;
  - Analyzing other information systems in the contractor's network that may have been accessed as a result of the incident;
  - Identifying all compromised CDI, and any details that may affect the contractor's ability to provide operationally critical support.
- Cyber Incident Rapid Reporting
Within 72 hours of the discovery, the contractor must rapidly report a cyber incident to the DoD.
  - Mandatory Medium Assurance Certificate Requirement: To report a cyber incident, a contractor must have a DoD-approved Medium Assurance Certificate.
Additional Post-Reporting Obligations
The DoD clarifies that a contractor's obligations do
not stop at a report. Additional steps and coordination must be
followed under the clause.
- Reporting Malicious Software
A contractor or subcontractor may discover and isolate malicious software in its cyber incident review. In this case the contractor must submit the malicious software per the instructions of the contracting officer.
- 90-Day Image Protection, Forensic Analysis, and Damage Assessment
For 90 days after reporting the cyber incident, the contractor must preserve and protect images of all known information systems affected by the cyber incident. The contractor must also provide the DoD with access to additional information or equipment necessary to conduct a forensic analysis. The contractor may also be obligated to provide the DoD any information related to a cyber incident damage assessment based on information preserved by the contractor.
- Protect Attributional/Proprietary Contractor Information
In some instances, the DoD will release information contained in the contractor's cyber incident report to: (i) entities affected by the information; (ii) entities that may assist in diagnosis, detection, or mitigation of the cyber incident; (iii) law enforcement or counterintelligence entities; (iv) Defense Industrial Base (DIB) participants; and (v) support services contractors. Therefore, the contractor must identify and mark any attributional or proprietary information (i.e., information that identifies the contractor or its trade secrets and other commercially sensitive information) included in its cyber incident report. The government will use the markings to minimize the release of the contractor's information.
Subcontractor Rapid Reporting Obligations are Flowed
Down
The clause must be flowed down to subcontractors (and
lower-tier subcontractors as necessary). Regardless of their place
in the reporting chain, each subcontractor must rapidly report
cyber incidents to the DoD within 72 hours, and to the prime
contractor. Though subcontractors must also report their
DoD-assigned incident report numbers to their higher-tier
subcontractors, nothing in the rule obligates subcontractors to
include any contractor other than the prime contractor among the
recipients of a cyber incident report.
Third-Party Information Protection
A key feature of the new rule is its applicability to
contractors that assist the DoD in handling cyber incidents, and
therefore receive the cyber incident reports (Recipient
Contractors). Under a new DFARS clause 252.204-7009,
Limitations on the Use and Disclosure of Third-Party Contractor
Reported Cyber Incident Information, if a contractor
(the Reporting Contractor) reports a cyber incident, any Recipient
Contractor (or its subcontractor) that assists the DoD in handling
the cyber incident and either has access to the report or develops
information based on the report must protect the report against any
further disclosure. The Recipient Contractor must not only protect
the reported information, it must also ensure that its employees
are subject to nondisclosure obligations before they can access the
reported information. The Reporting Contractor is a third-party
beneficiary under DFARS clause 252.204-7009. Any Recipient
Contractor breaching its obligations is subject to multiple
penalties, including criminal, civil, administrative, or
contractual actions by the United States and civil actions and
other remedies from the Reporting Contractor.
Purchasing Cloud Computing Services
Representation of the Use of Cloud Services
DoD in its interim rule added DFARS clause
252.239-7009, Representation of Use of Cloud
Computing, to allow contractors to represent whether
they intend to use cloud computing services in performance of the
contract. Whether a contractor uses cloud computing services may
determine the degree of burden the contractor must bear for
securing CDI.
Use of Cloud Computing Services
The DoD also added DFARS clause 252.239-7010,
Cloud Computing Services, to address security
requirements applicable to contractors providing cloud computing
services. The clause addresses access, security, and
reporting requirements, and applies to all solicitations for
information technology services, including commercial items
solicitations.
Applying Controls
Any contractor using cloud computing services under a DoD
contract must implement and maintain administrative, technical, and
physical safeguards and controls as required in the Cloud Computing
Security Requirements Guide
(SRG) effective at the time the Solicitation is issued.
Physical Location
Under the clause, the contractor must maintain within the
U.S. or outlying areas all government data not located on DoD
premises, unless the contracting officer provides written
instructions to use another location.
Access and Disclosure Limitation of Government Data and
Government-Related Data
The cloud computing services clause applies restrictions
on access to, use of, and disclosure of government data, defined
generally as information created or obtained by the government in
the course of official business. The clause also imposes similar
restrictions on government-related data, defined generally as
information created or obtained by a contractor through storage,
processing, or communication of government data. The term does not
include contractor business records or any other data (e.g.,
operating procedures, software coding, or algorithms) not uniquely
applied to the government data. A contractor is restricted to using
government data and government-related data only for the purposes
specified in the relevant contract, task, or delivery order. In
addition, the contractor must impose access, use, and disclosure
obligations on its employees.
Cyber Incident Reporting
As with the new DFARS 252.204-7012, a contractor providing
cloud computing services must report all cyber
incidents related to the cloud computing services
provided under the contract to the DoD.
Malicious Software, Media Preservation and Protection,
Forensic Analysis, and Damage Assessments
A contractor providing cloud computing services that
reports a cyber incident must adhere to the same requirements under
DFARS 252.204-7012 with regard to:
- Furnishing malicious software as instructed by the contracting officer;
- Preserving and protecting images of all known affected information systems for 90 days after the report;
- Granting the DoD access to information and equipment for forensic analysis; and
- Providing damage assessment information.
Records Management and Facility Access
A cloud computing service contractor is under certain
information-handling restrictions. Government data and
government-related data must be transmitted to the contracting
officer and, at contract closeout, disposed of, in accordance with
contract requirements. In addition, in the course of audits,
investigations, inspections, or other activities, the contractor
must grant the government (or authorized representatives) access
to:
- Government data and government-related data;
- Contractor personnel;
- Contractor facilities with government data.
Third Party Access
The contractor must notify the government of any third-party
requests for access to government data or government-related data,
including warrants, seizures, or subpoenas. If such a request is
made, the contractor is required to take all measures necessary to
protect against unauthorized disclosure of the data.
Spillage
In addition to cyber incidents, cloud computing
contractors must report spillage, defined as an incident that
results in the transfer of classified or controlled unclassified
information onto an information system not accredited for the
appropriate security level. Either the contractor or the government
may detect spillage. Upon notification of a spillage, the
contractor must cooperate with the contracting officer to address
the spillage.
Subcontracting
As with the other requirements of the DoD's interim
rule, a prime contractor must flow down the requirements under
DFARS 252.239-7010 in all subcontracts that involve or may involve
cloud services, including subcontracts for commercial items.
Footnotes
[1] Although the interim rule has gone into effect, the public is still able to submit comments on the rule up until October 26, 2015.
[2] For information on obtaining a DoD-approved medium assurance certificate, the interim rule directs readers here. It appears the link provided in the interim rule does not work. However, a visit to the Information Assurance Support Environment appears to provide the details necessary to obtain a medium assurance certificate.
[3] Unclassified controlled technical information, covered under the predecessor rule, meets the criteria, if disseminated, for distribution statements B through F, using the criteria set forth in DoD Instruction 5230.23, Distribution Statements on Technical Documents.
[4] The DoD defines "operationally critical support" as supplies or services designated by the government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the armed forces in a contingency operation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.