On November 18, 2013, the Department of Defense (DOD) issued a final cyber security rule imposing requirements on contractors handling unclassified controlled technical information. While the new rule, which is effective immediately, does not go nearly as far as DOD’s 2011 cyber proposal, it does contain two significant new obligations. First, it requires specific safeguards for information systems containing unclassified controlled technical information, defined below. Second, covered DOD contractors will now have to report and investigate cyber incidents.
Compliance with the new rule requires contractors and subcontractors to:
- Determine where unclassified controlled technical information resides on or transits through contractor or subcontractor information systems.
- Assess compliance of relevant information systems against the National Institute of Standards and Technology (NIST) Special Publication 800-53 security controls incorporated into the rule, which are drawn from 14 control families: (1) access control, (2) awareness and training, (3) audit and accountability, (4) configuration management, (5) contingency planning, (6) identification and authentication, (7) incident response, (8) maintenance, (9) media protection, (10) physical and environmental protection, (11) program management, (12) risk assessment, (13) system and communications protection, and (14) system and information integrity.
In the event of non-compliance with the NIST standards, contractors are required to provide a written explanation to the Contracting Officer stating why particular standards do not apply or why other protections provide adequate security.
- Assess risks and vulnerabilities and, if warranted, ensure additional protections are in place to address those risks.
- Assess possible system compromise events to determine whether a cyber incident has occurred and whether it is reportable, and ensure policies are in place to address the timely and adequate reporting of cyber incidents to DOD and to preserve evidence of cyber incidents.
- Conduct detailed and thorough investigations of possibly reportable incidents, taking into consideration the use of outside counsel and outside technical experts as necessary. Specifically, contractors must report, within 72 hours of discovery, (1) a cyber incident involving possible exfiltration, manipulation, or other loss or compromise of unclassified controlled technical information, or (2) any other activities that allow unauthorized access to a system containing unclassified controlled technical information.
In the 72-hour incident report, contractors are required to report up to 13 specific categories of information, including affected contracts, a description of the technical information compromised, the type of compromise, and, if the incident occurred on a subcontractor network, the name of the subcontractor. Contractors are then required to conduct a more detailed review to determine the specific data and technical information accessed and the scope of the compromise to the information system. Contractors are required to preserve relevant images and monitoring data captured for at least 90 days to allow DOD time to request additional information for purposes of a DOD damage assessment.
- Assess supply chain compliance with the rule’s requirements, to include updating terms and conditions to include the new DFARS cyber clause and addressing the consequences of a supplier noncompliance. Failure to flow down the DFARS clause and ensure supply chain compliance could result in purchasing system disapproval and payment withholding under the DOD business system rule.
The new requirements represent a significantly more limited approach than the June 29, 2011 DFARS proposed rule, which would have required enhanced security for a broader range of unclassified information provided by or developed for DOD. The proposed rule divided information into two subsets. "Basic" information was defined as any nonpublic information (i.e., information not specifically authorized for release by DOD) provided by, or used or generated in support of, a DOD activity. "Enhanced" information included information designated by DOD as critical information subject to export control laws, information subject to DOD-specific FOIA directives, information designated as controlled information (such as "For Official Use Only"), personal identification information, and certain technical data. Different security measures applied to each category. In response to comments received on the proposed rule, the scope of the final rule has been limited to "unclassified controlled technical information," defined as technical data or computer software with military or space application that is subject to controls on access, use, disclosure or distribution, including engineering data and drawings, associated specifications, data sets, studies and analyses, computer software executable code and source code, and any other technical information covered by DOD Instruction 5230.24, Distribution Statements on Technical Documents, and DOD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure.
Given the broad applicability of this new rule, contractors at any level in the DOD supply chain should immediately take steps to comply with the new guidance, summarized as follows:
- Determine where unclassified controlled technical information resides on or transits through contractor and subcontractor information systems.
- Assess information systems compliance against the NIST standards, and address or be prepared to explain any instances of noncompliance.
- Assess risks and vulnerabilities, and, as appropriate, ensure additional protections are in place to address those risks.
- Assess supply chain compliance with cyber security requirements, to include flowing down the DFARS clause.
The new requirements are found in the newly established clause DFARS 252.204-7012, Safeguarding of Unclassified Controlled Technical Information, which is mandatory for all DOD prime contracts and must be flowed down to subcontracts at every tier.