By Marcia G. Madsen and Luke Levasseur
A few days ago, on August 26, DoD issued new interim rules amending the Defense Federal Acquisition Regulations (DFARS) with respect to “network penetration reporting and contracting for cloud services.” The new rules, which are now effective, revise several broad definitions used throughout the DFARS, expand the incident reporting requirements that apply to contractors, and impose security requirements for cloud computing. DoD contractors need to understand these important new rules, which are summarized here, so that they can plan for compliance and make any necessary disclosures.
Parts of two National Defense Authorization Acts, section 941 of the FY 2013 NDAA and section 1623 of the FY 2015 NDAA, imposed requirements that had to be implemented through changes to the DFARS. DoD seeks to address those requirements with these interim rules, which are effective immediately (though comments will be accepted for 60 days).
New Definitions. Three regulatory definitions are added to the DFARS that expand and clarify contractors’ security obligations.
First, “compromise” of a system is defined as a “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”
Second, a “cyber incident” means “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing” within that system.
And third, “media” is defined as “physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.”
The interim rules’ use of phrases like “may have occurred” and “potentially adverse” in the definitions of “compromise” and “cyber incident” (quoted above) should give contractors pause about how thoroughly they will be expected to investigate and determine whether a system has been compromised or a cyber incident has occurred. It is not clear what is required for those thresholds to be satisfied, and contractors will be reasonably concerned that agencies’ after-the-fact judgments about what should have been reported may be more expansive than contractors’ real-time assessments.
Enhanced Reporting Obligations. The DFARS clause included in the interim rules implements statutory requirements that cleared defense contractors must report penetrations of networks and information systems—and that they must provide DoD personnel with access to equipment and information to assess the impact of such penetrations. Specifically, the rules require contractors and subcontractors to report any cyber incident that results in an actually or potentially adverse effect on:
“a covered contractor information system”; or
“covered defense information residing” within a covered contractor system; or
the “contractor’s ability to provide operationally critical support.”
Each phrase used to describe these obligations is defined in the first part of the new contract clause, DFARS 252.204-7012(a), and must be carefully analyzed by a contractor in understanding its reporting obligations. When a contractor discovers a “cyber incident” raising these issues, it must “[c]onduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts.” The contractor also must “analyz[e] covered contractor information system(s)” and information systems on its networks that may have been accessed, analyze the extent of the intrusion, and “[r]apidly report cyber incidents to DoD.”
Notably, DFARS clause 252.204-7009 is included in the interim rule, limiting the use and disclosure of contractor and subcontractor information that is provided in response to actual or potential cyber incidents. This provision provides some protection to contractors being forced to disclose information about their systems.
Cloud Computing. DoD’s interim rule also imposes a series of new requirements regarding how DoD can acquire cloud-based computing services. “Generally, the DoD shall acquire cloud computing services using commercial terms and conditions that are consistent with Federal law, and the agency’s needs” (subject to the restrictions imposed by the rule). A company wishing to provide cloud-based services to DoD must obtain at least a “provisional authorization by Defense Information Systems Agency, at a level appropriate to the requirement” it is seeking to satisfy.
One cloud-related restriction important to service providers is the new DFARS 239.7602-2, which (for “all Government data that is not physically located on DoD premises”) requires storage of DoD data within the United States or outlying areas. Contracting officers can permit storage outside the United States, though they must do so via written notification to the contractor. The interim rule also imposes a series of new security requirements related to cloud-based data storage.
DoD’s interim rule also has cloud-based rules that will be of interest to contractors that are not cloud services providers. For instance, DFARS 252.239-7009 requires contractors providing various types of services to make representations about whether they “anticipate that cloud computing services will be used in the performance of any contract or subcontract resulting from this solicitation.” This certification will need to be carefully considered before submission of a proposal.
* * *
Cyber security is an increasing concern not just for DoD and other parts of the Government, but for all companies and individuals. DoD’s new interim rules provide important additional requirements—and compliance obligations—with which Government contractors must familiarize themselves.