United States: The New DFARS Interim Rule on Network Penetration Reporting And Contracting For Cloud Services: Five Immediate Steps Contractors Can Take To Comply

Last Updated: October 7 2015
Article by Keir X. Bancroft

Contractors must act now to address the Department of Defense's (DoD's) interim rule on Network Penetration Reporting and Contracting for Cloud Services. The rule incorporates many new Defense Federal Acquisition Regulation Supplement (DFARS) clauses into all DoD contracts. The interim rule has immediate effect,[1] so any government contractor, subcontractor, or supplier should take these five immediate steps to demonstrate compliance with the new requirements:

  1. Register with the DoD to obtain a mandatory Medium Assurance Certificate.
    Any contractor or subcontractor reporting a cyber incident under the DFARS must have a certificate in order to make its report.[2] Act now to register for a certificate so you can rapidly report cyber incidents within the limited 72-hour window.
  2. Identify and mark all Attributional/Proprietary Information.
    The DoD states in its interim rule that it will try to minimize the disclosure of any attributional/proprietary information included in a cyber incident report that could identify a contractor or its commercially sensitive information. Contractors and subcontractors should therefore identify and mark any such information now in order to prepare for a cyber incident disclosure.
  3. Consider Employee Nondisclosure Agreements.
    Support services contractors that assist agencies in managing and responding to cyber incident reports must prohibit their employees from disclosing any information included in the reports. These contractors should develop and enter into NDAs with their employees to prepare to perform cyber incident response-related services.
  4. Flow down and incorporate the new DFARS clauses.
    The new DFARS clauses must be incorporated into subcontracts, even commercial item subcontracts and small business subcontracts. Contractors should start incorporating the flow-down provisions into their subcontract templates and teaming agreements to prepare to demonstrate compliance with the new DFARS clauses.
  5. Monitor existing contract and task orders.
    Customers may modify existing contracts and task orders to incorporate the new DFARS clauses. Contractors and subcontractors should monitor all modifications to be sure of the new requirements that are being imposed upon them.

The new DFARS clauses are wide-reaching, and apply to commercial item contractors, small businesses, and their subcontractors. The analysis below gives details of the many areas of compliance that all contractors must demonstrate.

The DFARS interim rule addresses two high-level issues: 1) contractor safeguarding of covered defense information (CDI) and reporting of network penetrations, and 2) DoD policy for the purchasing of cloud computing services.

Safeguarding CDI and Reporting Network Penetrations

New Safeguarding and Reporting Clause
DoD has renamed DFARS 252.204-7012 to "Safeguarding Covered Defense Information and Cyber Incident Reporting." The clause, which formerly focused on unclassified controlled technical information, now requires the safeguarding of the much broader range of covered defense information and obligates contractors to rapidly report, within 72 hours, cyber incidents that involve CDI or that could affect operationally critical support.

CDI: A Broad Term Covering Nearly All DoD Unclassified Information
The interim rule applies to a wide range of unclassified information falling under the definition of CDI. Generally, CDI includes unclassified information that is provided to a contractor by or on behalf of the DoD in connection with performance of a contract, or information that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance. Any such information that falls into one of the following categories is CDI:

  1. Controlled Technical Information: Technical information with a military or space application that is subject to controls including but not limited to access, use, reproduction, and disclosure.[3]
  2. Critical Information: Information identified in the operations security process that is vitally needed by adversaries.
  3. Export Control: Information concerning items, technology, software, or information whose export could reasonably be expected to adversely affect national security and nonproliferation objectives.
  4. Other Restricted Information: Information, marked or otherwise identified in the contract, requiring safeguard or dissemination controls.

Applies to Covered Contractor Information Systems
Contractors are required to provide adequate security for CDI on all covered contractor information systems, defined as systems owned, or operated by or for, a contractor that processes, stores, or transmits CDI.

Safeguarding Information
The DoD prescribes different safeguarding requirements, depending on the contractor's system and access.

  • Covered contractor information systems that are part of an IT service or system operated on behalf of the government:
    • For cloud computing services, the contractor must comply with the new DFARS clause 252.239-7010, Cloud Computing Services;
    • For any non-cloud IT service or system, other contract requirements apply.
  • Covered contractor information systems that are not part of an IT service or system operated on behalf of the government:
    • Under the interim rule, contractors must safeguard CDI by using the security controls under NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST SP 800-171 was issued shortly before the interim rule, and provides a set of security controls for the contractor to apply in safeguarding CDI. This replaces the specific security controls under NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, that DoD prescribed under its predecessor rule. DoD also allows contractors, under DFARS 252.204-7008, to propose alternative, equally effective security measures to protect CDI in order to compensate for an inability to satisfy a requirement under the clause; contractors may also explain why a particular safeguarding requirement is not applicable in their case. Any proposed deviation from the safeguarding requirements must be approved, prior to award, by a representative of the DoD CIO.

72-Hour Cyber Incident Reporting

If a contractor discovers a cyber incident, it must investigate and report the incident to the contracting officer within 72 hours.

  • Cyber Incident Discovery
    A cyber incident is any action taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. A contractor must investigate any cyber incident that affects: (i) a covered contractor information system or any CDI residing in that system; or (ii) the contractor's ability to perform any parts of a contract designated as operationally critical support.[4]
  • Cyber Incident Review for Compromise
    Upon discovering a cyber incident, the contractor must conduct a review, seeking evidence of a compromise of covered defense information. A compromise includes the disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media, may have occurred. The review may include:
    • Identifying compromised computers, servers, specific data, and user accounts;
    • Analyzing covered contractor information systems that were part of the cyber incident;
    • Analyzing other information systems in the contractor's network that may have been accessed as a result of the incident;
    • Identifying all compromised CDI, and any details that may affect the contractor's ability to provide operationally critical support.
  • Cyber Incident Rapid Reporting
    Within 72 hours of the discovery, the contractor must rapidly report a cyber incident to the DoD.

Additional Post-Reporting Obligations
The DoD clarifies that a contractor's obligations do not stop at a report. Additional steps and coordination must be followed under the clause.

  • Reporting Malicious Software
    A contractor or subcontractor may discover and isolate malicious software in its cyber incident review. In this case the contractor must submit the malicious software per the instructions of the contracting officer.
  • 90-Day Image Protection, Forensic Analysis, and Damage Assessment
    For 90 days after reporting the cyber incident, the contractor must preserve and protect images of all known information systems affected by the cyber incident. The contractor must also provide the DoD with access to additional information or equipment necessary to conduct a forensic analysis. The contractor may also be obligated to provide the DoD any information related to a cyber incident damage assessment based on information preserved by the contractor.
  • Protect Attributional/Proprietary Contractor Information
    In some instances, the DoD will release information contained in the contractor's cyber incident report, including to: (i) entities affected by the information; (ii) entities that may assist in diagnosis, detection, or mitigation of the cyber incident; (iii) law enforcement or counterintelligence entities; (iv) Defense Industrial Base (DIB) participants; and (v) support services contractors. Therefore, the contractor must identify and mark any attributional or proprietary information (i.e., information that identifies the contractor or its trade secrets and other commercially sensitive information) included in its cyber incident report. The markings will be used by the government to minimize the release of the contractor's information.

Subcontractor Rapid Reporting Obligations are Flowed Down
The clause must be flowed down to subcontractors (and to lower-tier subcontractors as necessary). Regardless of its place in the subcontracting chain, each subcontractor must rapidly report cyber incidents to the DoD within 72 hours, and must also report to the prime contractor. Though subcontractors must also report their DoD-assigned incident report numbers to their higher-tier subcontractors, nothing in the rule obligates subcontractors to include any contractor other than the prime contractor among the recipients of a cyber incident report.

Third-Party Information Protection
A key feature of the new rule is its applicability to contractors that assist the DoD in handling cyber incidents, and therefore receive the cyber incident reports (Recipient Contractors). Under a new DFARS clause 252.204-7009, Limitations on the Use and Disclosure of Third-Party Contractor Reported Cyber Incident Information, if a contractor (the Reporting Contractor) reports a cyber incident, any Recipient Contractor (or its subcontractor) that assists the DoD in handling the cyber incident and either has access to the report or develops information based on the report must protect the report against any further disclosure. The Recipient Contractor must not only protect the reported information, it must also ensure that its employees are subject to nondisclosure obligations before they can access the reported information. The Reporting Contractor is a third-party beneficiary under DFARS clause 252.204-7009. Any Recipient Contractor breaching its obligations is subject to multiple penalties, including criminal, civil, administrative, or contractual actions by the United States and civil actions and other remedies from the Reporting Contractor.

Purchasing Cloud Computing Services

Representation of the Use of Cloud Services
DoD in its interim rule added DFARS clause 252.239-7009, Representation of Use of Cloud Computing, to allow contractors to represent whether they intend to use cloud computing services in performance of the contract. Whether a contractor uses cloud computing services may determine the degree of burden the contractor must bear for securing CDI.

Use of Cloud Computing Services
The DoD also added DFARS clause 252.239-7010, Cloud Computing Services, to address the security requirements applicable to contractors providing cloud computing services. The clause addresses access, security, and reporting requirements, and applies to all solicitations for information technology services, including commercial items solicitations.

Applying Controls
Any contractor using cloud computing services under a DoD contract must implement and maintain the administrative, technical, and physical safeguards and controls required by the Cloud Computing Security Requirements Guide (SRG) in effect at the time the solicitation is issued.

Physical Location
Under the clause, the contractor must maintain within the U.S. or outlying areas all government data not located on DoD premises, unless the contracting officer provides written instructions to use another location.

Access and Disclosure Limitation of Government Data and Government-Related Data
The cloud computing services clause applies restrictions on access to, use of, and disclosure of government data, defined generally as information created or obtained by the government in the course of official business. The clause also imposes similar restrictions on government-related data, defined generally as information created or obtained by a contractor through storage, processing, or communication of government data. The term does not include contractor business records or any other data (e.g., operating procedures, software coding, or algorithms) not uniquely applied to the government data. A contractor is restricted to using government data and government-related data only for the purposes specified in the relevant contract, task, or delivery order. In addition, the contractor must impose access, use, and disclosure obligations on its employees.

Cyber Incident Reporting
As with the new DFARS 252.204-7012, a contractor providing cloud computing services must report all cyber incidents related to the cloud computing services provided under the contract to the DoD.

Malicious Software, Media Preservation and Protection, Forensic Analysis, and Damage Assessments
A contractor providing cloud computing services that reports a cyber incident must adhere to the same requirements under DFARS 252.204-7012 with regard to:

  • Furnishing malicious software as instructed by the contracting officer;
  • Preserving and protecting images of all known affected information systems for 90 days after the report;
  • Granting the DoD access to information and equipment for forensic analysis; and
  • Providing damage assessment information.

Records Management and Facility Access
A cloud computing service contractor is under certain information-handling restrictions. Government data and government-related data must be transmitted to the contracting officer and, at contract closeout, disposed of, in accordance with contract requirements. In addition, in the course of audits, investigations, inspections, or other activities, the contractor must grant the government (or authorized representatives) access to:

  • Government data and government-related data;
  • Contractor personnel;
  • Contractor facilities with government data.

Third Party Access

The contractor must notify the government of any third-party requests for access to government data or government-related data, including warrants, seizures, or subpoenas. If such a request is made, the contractor is required to take all measures necessary to protect against unauthorized disclosure of the data.

Spillage
In addition to cyber incidents, cloud computing contractors must report spillage, defined as an incident that results in the transfer of classified or controlled unclassified information onto an information system not accredited for the appropriate security level. Either the contractor or the government may detect spillage. Upon notification of a spillage, the contractor must cooperate with the contracting officer to address the spillage.

Subcontracting
As with the other requirements of the DoD's interim rule, a prime contractor must flow down the requirements under DFARS 252.239-7010 in all subcontracts that involve or may involve cloud services, including subcontracts for commercial items.

Footnotes

[1] Although the interim rule has gone into effect, the public is still able to submit comments on the rule up until October 26, 2015.

[2] For information on obtaining a DoD-approved medium assurance certificate, the interim rule directs readers here. It appears the link provided in the interim rule does not work. However, a visit to the Information Assurance Support Environment appears to provide the details necessary to obtain a medium assurance certificate.

[3] Unclassified controlled technical information, covered under the predecessor rule, meets the criteria, if disseminated, for distribution statements B through F, using the criteria set forth in DoD Instruction 5230.23, Distribution Statements on Technical Documents.

[4] The DoD defines "operationally critical support" as supplies or services designated by the government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the armed forces in a contingency operation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
