Businesses that seek to obtain and preserve contracts with the
United States government, or to deal in certain enumerated defense
articles and services, are subject to strict privacy regulations
imposed by the U.S. government. For those under contract (or
subcontract) with the U.S. Department of Defense (DoD), the Defense
Federal Acquisition Regulation Supplements (DFARS) place stringent
minimum security requirements and reporting obligations that must
be met, otherwise a business could face financial penalties or
termination of its contract. Businesses that export and import
defense articles or services and related technical data must comply
with the International Traffic in Arms Regulations (ITAR), which
comprise approval, registration and records maintenance
requirements. If a violation of ITAR is voluntarily reported, the
penalties imposed by the U.S. Department of State's Directorate
of Defense Trade Controls (DDTC) can be reduced. Businesses subject
to DFARS and ITAR should have a compliance program in place that
includes an appropriate response to any security incident.
Subpart 204.73 of the DFARS is a set of cybersecurity regulations that the DoD imposes on external contractors and suppliers. The DFARS is intended to maintain cybersecurity standards according to requirements laid out by the National Institute of Standards and Technology (NIST), specifically, NIST SP 800-171. These standards were constructed to protect the confidentiality of Controlled Unclassified Information (CUI) that requires safeguarding or dissemination controls and is either (1) identified in the contract and provided to the contractor by or on behalf of the DoD in support of the performance of the contract, or (2) collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of the contract. [DFARS §204.7301.] DoD contractors had until December 31, 2017, to become DFARS compliant; with the deadline now past, all DoD contractors must meet the minimum requirements and show proof to the DoD for all contracts moving forward.
Requirements: To meet the minimum requirements of DFARS, DoD contractors must:
- Provide adequate security to safeguard covered defense information that resides in or transits through internal unclassified information systems from unauthorized access and disclosure. While there is no prescribed format or specified level of detail for system security plans, organizations should use the NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, NIST HB 162 as a guide to assist in implementing the required information in SP 800-171.
- Rapidly report cyber-incidents and cooperate with the DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.
Penalties for Noncompliance: DoD contractors that are audited by the DoD and are found noncompliant with DFARS will likely receive a stop-work order, meaning work for the DoD will be suspended until suitable security measures are implemented to protect CUI. In addition, the DoD may impose financial penalties, including damages for breach of contract and false claims. In the worst-case scenario, a noncompliant DoD contractor could have its contracts with the DoD terminated and possibly face suspension or debarment from working with the DoD again.
DFARS requires rapid reporting within 72 hours of discovery of all intrusions and any actual or potential security threats. Reports can be made online by completing the fields in the Incident Collection Form (ICF). Access to this form requires a DoD-approved medium assurance public key infrastructure (PKI) certificate. If a company does not have a PKI certificate, it may contact the DoD Cyber Crime Center (DC3) for additional information. Contractors and subcontractors have an obligation to report; a subcontractor must provide the incident report number to the prime contractor.
If a contractor does not have all information required by section 204.7203 within 72 hours of discovery of a cyber-incident, the contractor/subcontractor should report whatever information is available within 72 hours. When more information becomes available, the contractor/subcontractor should submit a follow-up report with the added information. See DFARS FAQs for additional information.
Section 204.7203 of DFARS provides:
(b) Contractors and subcontractors are required to rapidly [within 72
hours of discovery of any cyber-incident] report cyber-incidents
directly to the DoD. Subcontractors provide the incident report
number automatically assigned by DoD to the prime contractor.
Lower-tier subcontractors likewise report the incident report number
automatically assigned by DoD to their higher-tier subcontractor,
until the prime contractor is reached.
(1) If a cyber-incident occurs, contractors and subcontractors
submit to DoD:
(i) A cyber-incident report;
(ii) Malicious software, if detected and isolated; and
(iii) Media (or access to covered contractor information
systems and equipment) upon request.
The ITAR, 22 C.F.R. §§ 120-130, control the export and import of defense articles (including technical data) as defined on the United States Munitions List (USML, part 121 of the ITAR) and defense services. The United States government requires that all manufacturers, exporters and brokers of defense articles, defense services or related technical data be ITAR compliant.
Getting and Staying in Compliance: The ITAR requires a company engaged in the manufacturing, exporting, temporary importing or brokering of defense articles (including technical data) to (1) register with the Directorate of Defense Trade Controls (DDTC), (2) maintain records as required by 22 CFR §122.5, and (3) obtain licenses or other approvals prior to making exports or temporary imports, or engaging in brokering agreements.
Establish and Maintain a Compliance Program: The DDTC strongly advises parties engaged in defense trade to establish and maintain an ITAR/export compliance program. Possessing defense articles or technical data increases the risk of an inadvertent violation. Many companies that don't engage in manufacturing, exporting or brokering still maintain compliance programs to reduce the risk of such violations. A good program is generally clearly documented in writing, tailored to the business, regularly reviewed/updated and fully supported by management.
Reporting Requirements (22 C.F.R. § 127.12 Voluntary
The ITAR "strongly encourages" the prompt disclosure of any violation, or suspected violation, to the DDTC. The proper disclosure of a violation, or potential violation, can be a significant mitigating factor in DDTC's analysis of such violations. Failure to report a violation is considered by the DDTC when assessing penalties.
Examples of common violations include:
- Export without authorizations
- Unauthorized accesses to technical data
- Failure to comply with license provisos
- Failure to maintain required records
- Failure to register or maintain registrations
- Misuse of ITAR exemptions.
How to Voluntarily Disclose: Any person wanting to disclose information that constitutes a voluntary disclosure should follow these steps:
- Initially notify DDTC immediately after a violation is discovered.
- Conduct a thorough review of all defense trade transactions where a violation is suspected.
- If the initial notification does not contain all the required information, a full disclosure must be submitted within 60 calendar days of the notification, or the DDTC will not consider the notification a voluntary disclosure. If you are unable to provide full disclosure within the 60-day deadline, an Empowered Official or a senior officer may request an extension in writing. The request must specify what information could not be provided immediately and the reasons why.
What to Include in a Voluntary Disclosure: Notification of a violation must be in writing and should include the following information:
- A precise description of the nature and extent of the violation
- The exact circumstances surrounding the violation (a thorough explanation of why, when, where and how the violation occurred)
- The complete identities and addresses of all persons known or suspected to be involved in the activities giving rise to the violation (including mailing, shipping and email addresses; telephone and fax/facsimile numbers; and any other known identifying information)
- U.S. Department of State license numbers, exemption citation or description of any other authorization, if applicable
- U.S. Munitions List category and subcategory, product description, quantity, and characteristics or technological capability of the hardware, technical data or defense service involved
- A description of corrective actions already undertaken that clearly identifies the new compliance initiatives implemented to address the causes of the violations set forth in the voluntary disclosure and any internal disciplinary action taken; and how these corrective actions are designed to deter those particular violations from occurring again
- The name and address of the person making the disclosure and a point of contact, if different, should further information be needed.
How to Submit a Voluntary Disclosure: ITAR §127.12(g) requires hard copies of voluntary disclosures be sent to the DDTC. Disclosures may be submitted via mail or overnight delivery to the following addresses:
|DDTC Postal Mail||DDTC Express Mail & Courier Delivery|
|PM/DDTC, SA-1, 12th Floor
Office of Defense Trade Controls Compliance
|U.S. Department of State
PM/DDTC, SA-1, 12th Floor
Government contractors need to be aware of the requirements and restrictions of the DFARS and ITAR. Those not in compliance should take prompt action to review and revise their privacy and security policies to meet the minimum requirements outlined above. Moreover, contractors should have a plan in place in the event of a security incident, as compliance with the notification and disclosure provisions of these regulations can go a long way toward eliminating or reducing any penalties.
Wilson Elser's Cybersecurity & Data Privacy practice attorneys are available to discuss the impact of these regulations in greater detail.
NOTE: Stefanie Ferrari (Law Clerk-Chicago) assisted in researching and drafting this Alert.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.