United States: The New DFARS Interim Rule on Network Penetration Reporting And Contracting For Cloud Services: Five Immediate Steps Contractors Can Take To Comply

Last Updated: October 7 2015
Article by Keir X. Bancroft

Contractors must act now to address the Department of Defense's (DoD's) interim rule on Network Penetration Reporting and Contracting for Cloud Services. The rule applies many new Defense Federal Acquisition Regulation Supplement (DFARS) clauses into all DoD contracts. The interim rule has immediate effect,1 so any government contractor, subcontractor, or supplier should take these five immediate steps to demonstrate compliance with the new requirements:

  1. Register with the DoD to obtain a mandatory Medium Assurance Certificate.
    Any contractor or subcontractor reporting a cyber incident under the DFARS must have a certificate in order to make its report.2 Act now to register for a certificate so you can rapidly report cyber incidents within the limited 72-hour window.
  2. Identify and mark all Attributional/Proprietary Information.
    The DoD states in its interim rule that it will try to minimize the disclosure of any attributional/proprietary information included in a cyber incident report that could identify a contractor or its commercially sensitive information. Contractors and subcontractors should therefore identify and mark any such information now in order to prepare for a cyber incident disclosure.
  3. Consider Employee Nondisclosure Agreements.
    Support services contractors that assist agencies in managing and responding to cyber incident reports must prohibit their employees from disclosing any information included in the reports. These contractors should develop and enter into NDAs with their employees to prepare to perform cyber incident response-related services.
  4. Flow down and incorporate the new DFARS clauses.
    The new DFARS clauses must be incorporated into subcontracts, even commercial item subcontracts and small business subcontracts. Contractors should start incorporating the flow-down provisions into their subcontract templates and teaming agreements to prepare to demonstrate compliance with the new DFARS clauses.
  5. Monitor existing contract and task orders.
    Customers may modify existing contracts and task orders to incorporate the new DFARS clauses. Contractors and subcontractors should monitor all modifications to be sure of the new requirements that are being imposed upon them.

The new DFARS clauses are wide-reaching, and apply to commercial item contractors, small businesses, and their subcontractors. The analysis below gives details of the many areas of compliance that all contractors must demonstrate.

The DFARS interim rule addresses two high-level issues: 1) contractor safeguarding of covered defense information (CDI) and reporting of network penetrations, and 2) DoD policy for the purchasing of cloud computing services.

Safeguarding CDI and Reporting Network Penetrations

New Safeguarding and Reporting Clause
DoD has renamed DFARS 252.204-7012 to "Safeguarding Covered Defense Information and Cyber Incident Reporting." The clause, which formerly focused on unclassified controlled technical information, now requires the safeguarding of the much broader range of covered defense information and obligates contractors to rapidly report within 72 hours cyber incidents that involve CDI, or that could affect operationally critical support.

CDI: A Broad Term Covering Nearly All DoD Unclassified Information
The interim rule applies to a wide range of unclassified information falling under the definition of CDI. Generally, CDI includes unclassified information that is provided to a contractor by or on behalf of the DoD in connection with performance of a contract, or information that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance. If any of the information falls into the following categories summarized below, it is CDI:

  1. Controlled Technical Information: Technical information with a military or space application that is subject to controls including but not limited to access, use, reproduction, and disclosure. 3
  2. Critical Information: Information identified in the operations security process that is vitally needed by adversaries.
  3. Export Control: Information concerning items, technology, software, or information whose export could reasonably be expected to adversely affect national security and nonproliferation objectives.
  4. Other Restricted Information: Information, marked or otherwise identified in the contract, requiring safeguard or dissemination controls.

Applies to Covered Contractor Information Systems
Contractors are required to provide adequate security for CDI on all covered contractor information systems, defined as systems owned, or operated by or for, a contractor that processes, stores, or transmits CDI.

Safeguarding Information
The DoD prescribes different safeguarding requirements, depending on the contractor's system and access.

  • Covered contractor information services that are part of IT service or system operated on behalf of the government;
    • For cloud computing services, the contractor must comply with the new DFARS clause 252.239-7010, Cloud Computing Services;
    • For any non-cloud computing related IT service or system, other contract requirements apply.
  • Covered contractor information services not part of an IT service or system operated on behalf of the government;
    • Under the interim rule, contractors must safeguard CDI by using the security controls under NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST SP 800-171 was issued shortly before the interim rule, and provides a set of security controls for the contractor to apply in safeguarding CDI. This replaces specific security controls under NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations that DoD prescribed under its predecessor rule. DoD also allows contractors, under DFARS 252.204-7008, to propose alternative, equally effective, security measures to protect CDI in order to compensate for an inability to satisfy a requirement under the clause; contractors may also explain why a particular safeguarding requirement in some cases is not applicable. Any proposed deviation from the safeguarding requirements must be approved, prior to award, by a representative of the DoD CIO.

72-Hour Cyber Incident Reporting

If a contractor discovers a cyber incident, it must investigate and report the incident to the contracting officer within 72 hours.

  • Cyber Incident Discovery
    A cyber incident is any action taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. A contractor must investigate any cyber incident that affects: (i) a covered contractor information system or any CDI residing in that system; or (ii) the contractor's ability to perform any parts of a contract designated as operationally critical support.4
  • Cyber Incident Review for Compromise
    Upon discovering a cyber incident, the contractor must conduct a review, seeking evidence of a compromise of covered defense information. A compromise includes the disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media, may have occurred. The review may include:
    • Identifying compromised computers, servers, specific data, and user accounts;
    • Analyzing covered contractor information systems that were part of the cyber incident;
    • Analyzing other information systems in the contractor's network that may have been accessed as a result of the incident;
    • Identifying all compromised CDI, and any details that may affect the contractor's ability to provide operationally critical support.
  • Cyber Incident Rapid Reporting
    Within 72 hours of the discovery, the contractor must rapidly report a cyber incident to the DoD.

Additional Post-Reporting Obligations
The DoD clarifies that a contractor's obligations do not stop at a report. Additional steps and coordination must be followed under the clause.

  • Reporting Malicious Software
    A contractor or subcontractor may discover and isolate malicious software in its cyber incident review. In this case the contractor must submit the malicious software per the instructions of the contracting officer.
  • 90-Day Image Protection, Forensic Analysis, and Damage Assessment
    For 90 days after reporting the cyber incident, the contractor must preserve and protect images of all known information systems affected by the cyber incident. The contactor must also provide the DoD with access to additional information or equipment necessary to conduct a forensic analysis. The contractor may also be obligated to provide the DoD any information related to a cyber incident damage assessment based on information preserved by the contractor.
  • Protect Attributional/Proprietary Contractor Information
    In some instances, the DoD will release information contained in the contractor's cyber incident report, including: (i) entities affected by the information; (ii) entities that may assist in diagnosis, detection, or mitigation of the cyber incident; (ii) law enforcement or counterintelligence entities; (iii) Defense Industrial Base (DIB) participants; and (iv) support services contractors. Therefore, the contractor must identify and mark any attributional or proprietary information (i.e., information that identifies the contractor or its trade secrets and other commercially sensitive information) included in its cyber incident report. The markings will be used by the government to minimize the release of the contractor's information.

Subcontractor Rapid Reporting Obligations are Flowed Down
The clause must be flowed down to subcontractors (and lower-tier subcontractors as necessary). Regardless of their place in the reporting chain, each subcontractor must rapidly report cyber incidents to the DoD within 72 hours, and to the prime contractor. Though subcontractors must also report their DoD-assigned incident report numbers to their higher-tier subcontractors, nothing in the rule obligates subcontractors to include any contractor other than the prime contractor among the recipients of a cyber incident report.

Third-Party Information Protection
A key feature of the new rule is its applicability to contractors that assist the DoD in handling cyber incidents, and therefore receive the cyber incident reports (Recipient Contractors). Under a new DFARS clause 252.204-7009, Limitations on the Use and Disclosure of Third-Party Contractor Reported Cyber Incident Information, if a contractor (the Reporting Contractor) reports a cyber incident, any Recipient Contractor (or its subcontractor) that assists the DoD in handling the cyber incident and either has access to the report or develops information based on the report must protect the report against any further disclosure. The Recipient Contractor must not only protect the reported information, it must also ensure that its employees are subject to nondisclosure obligations before they can access the reported information. The Reporting Contractor is a third-party beneficiary under DFARS clause 252.204-7009. Any Recipient Contractor breaching its obligations is subject to multiple penalties, including criminal, civil, administrative, or contractual actions by the United States and civil actions and other remedies from the Reporting Contractor.

Purchasing Cloud Computing Services

Representation of the Use of Cloud Services
DoD in its interim rule added DFARS clause 252.239-7009, Representation of Use of Cloud Computing, to allow contractors to represent whether they intend to use cloud computing services in performance of the contract. Whether a contractor uses cloud computing services may determine the degree of burden the contractor must bear for securing CDI.

Use of Cloud Computing Services
The DoD also added DFARS clause, 252.239-7010, Cloud Computing Services, to address security requirements applicable to contractors providing cloud computing security requirements. The clause addresses access, security, and reporting requirements, and applies to all solicitations for information technology services, including commercial items solicitations.

Applying Controls
Any contractor using cloud computing services under a DoD contract must implement and maintain administrative, technical, and physical safeguards and controls as required in the Cloud Computing Security Requirements Guide (SRG) effective at the time the Solicitation is issued.

Physical Location
Under the clause, the contractor must maintain within the U.S. or outlying areas all government data not located on DoD premises, unless the contracting officer provides written instructions to use another location.

Access and Disclosure Limitation of Government Data and Government-Related Data
The cloud computing services clause applies restrictions on access to, use of, and disclosure of government data, defined generally as information created or obtained by the government in the course of official business. The clause also imposes similar restrictions on government-related data, defined generally as information created or obtained by a contractor through storage, processing, or communication of government data. The term does not include contractor business records or any other data (e.g., operating procedures, software coding, or algorithms) not uniquely applied to the government data. A contractor is restricted to using government data and government-related data only for the purposes specified in the relevant contract, task, or delivery order. In addition, the contractor must impose access, use, and disclosure obligations on its employees.

Cyber Incident Reporting
As with the new DFARS 252.204-7012, a contractor providing cloud computing services must report all cyber incidents related to the cloud computing services provided under the contract to the DoD.

Malicious Software, Media Preservation and Protection, Forensic Analysis, and Damage Assessments
A contractor providing cloud computing services that reports a cyber incident must adhere to the same requirements under DFARS 252.204-7012 with regard to:

  • Furnishing malicious software as instructed by the contracting officer;
  • Preserving and protecting images of all known affected information systems for 90 days after the report;
  • Granting the DoD access to information and equipment for forensic analysis; and
  • Providing damage assessment information.

Records Management and Facility Access
A cloud computing service contractor is under certain information-handling restrictions. Government data and government-related data must be transmitted to the contracting officer and, at contract closeout, disposed of, in accordance with contract requirements. In addition, in the course of audits, investigations, inspections, or other activities, the contractor must grant the government (or authorized representatives) access to:

  • Government data and government-related data;
  • Contractor personnel;
  • Contractor facilities with government data.

Third Party Access

The contractor must notify the government of any third-party requests for access to government data or government-related data, including warrants, seizures, or subpoenas. If such a request is made, the contractor is required to take all measures necessary to protect against unauthorized disclosure of the data.

Spillage
In addition to cyber incidents, cloud computing contractors must report spillage, defined as an incident that results in the transfer of classified or controlled unclassified information onto an information system not accredited for the appropriate security level. Either the contractor or the government may detect spillage. Upon notification of a spillage, the contractor must cooperate with the contracting officer to address the spillage.

Subcontracting
As with the other requirements of the DoD's interim rule, a prime contractor must flow down the requirements under DFARS 252.239-7010 in all subcontracts that involve or may involve cloud services, including subcontracts for commercial items.

Footnotes

1 Although the interim rule has gone into effect, the public is still able to submit comments on the rule up until October 26, 2015.

2 For information on obtaining a DoD-approved medium assurance certificate, the interim rule directs readers here. It appears the link provided in the interim rule does not work. However, a visit to the Information Assurance Support Environment appears to provide the details necessary to obtain a medium assurance certificate.

3 Unclassified controlled technical information, covered under the predecessor rule, meets the criteria, if disseminated, for distribution statements B through F, using the criteria set forth in DoD Instruction 5230.23, Distribution Statements on Technical Documents.

4 The DoD defines "operationally critical support" as supplies or services designated by the government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the armed forces in a contingency operation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.