DFARS Final Rule: Network Penetration Reporting and Contracting for Cloud Services
As the use of cloud-based computing grows, so does the exposure of sensitive information stored in such networks. In response to its contractors' growing use of cloud-based systems and networks, the U.S. Department of Defense (DOD) issued an interim final rule on August 26, 2015 expanding cybersecurity requirements for all DOD contractors. The rule follows a wave of recent cyber-attacks against defense contractors, prompting what the DOD described as an “urgent need to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors.”
The new rule, effective immediately, revises the DFARS to implement section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013, and section 1632 of the NDAA for FY 2015. It requires contractors to report within 72 hours any cyber incidents having an actual or potential adverse effect on a covered contractor information system, or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support.
A “covered contractor information system” is defined as a system owned or operated by a contractor that processes, stores, or transmits covered defense information. “Covered defense information” refers to unclassified information provided by DOD in connection with the performance of a contract, including controlled technical information, critical information related to operations security, export-controlled information, or any other information identified for safeguarding.
In addition, the interim rule requires DOD to award contracts for cloud computing services only to contractors that have been provisionally approved by the Defense Information Systems Agency (DISA), in accordance with the Cloud Computing Security Requirements Guide. Contractors must also implement administrative, technical, and physical safeguards for storing cloud-based data, and may only store government data within the United States unless otherwise authorized in writing.
This rule applies to all contractors, and all tiers of subcontractors. Because the rule goes into effect immediately, contractors must begin taking measures to ensure compliance. DOD anticipates that about 10,000 contractors will be affected by this new rule. A portion of those are small businesses. Any detected breaches should still be reported using the procedure prescribed by the National Industrial Security Program Operating Manual. The interim rule acknowledges that contractors may have to share proprietary information in reporting any potential breaches, and ensures that such information will be protected against unauthorized use or release.
An issue to watch going forward is the potential for retroactive changes to existing contracts to include the revised DFARS clause. Additionally, contractors should watch whether debarment is used as a penalty for non-compliance, since the rule states that failure to comply subjects a contractor to criminal, civil, administrative, and contractual actions at law and equity, damages, and other appropriate action.
The interim rule can be found here. Comments on the interim rule are due October 26, 2015.