Keywords: DoD, Interim, Cybersecurity, DFARS, Cloud Computing, NIST

Back in August 2015, DoD issued an interim rule, which was effective immediately (and was previously discussed on this blog), imposing substantial new requirements on government contractors with respect to reporting information system network penetrations—and providing new cloud computing requirements. Six weeks later, DoD issued a class deviation giving contractors more time to comply with one of the technical requirements being applied by the new DFARS clauses included with the new rule. Last week, DoD again revised the rule to give contractors more time to comply with many of the new technical standards. Specifically, the revised DFARS provision makes clear that contractors have until December 31, 2017 to comply with the technical standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171.

NIST 800-171 describes a series of procedures for "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations." These NIST requirements cover a wide array of security issues applicable to contractors' information systems and are intended to ensure the security of government information that is provided to contractors so that the companies can provide goods and services to DoD.

Initially, DoD made the NIST 800-171 requirements immediately applicable to the large number of businesses that either have a "covered contractor information system" or have "covered defense information transiting their information systems" as part of their contract performance. DoD's class deviation in October relaxed the standard slightly by amending the DFARS clauses to allow contractors up to nine months (from the date of a new contract award) to comply with section 3.5.3 of NIST 800-171. That section mandates "multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts." (Multifactor authentication requires two or more types of information, e.g., a password and a cryptographic device such as a token, to gain access to the government information.)

Many contractors were unhappy with the unrealistic implementation schedule imposed by the initial (and revised) DFARS provision, and they made their concerns clear to DoD in comments and during a December 14 meeting conducted by the Department to obtain additional feedback. Contractors expressed the need for additional time to analyze the scope of changes that were necessary for their systems—and to implement those changes.

To its credit, DoD modified the DFARS clauses to "provide offerors [contractors] additional time to implement the security requirements specified by NIST 800-171." Each contractor will now be required to agree, by submitting an offer for a DoD procurement in which DoD information will be provided to contractors, that all of the contractor's systems will be compliant with NIST 800-171 "not later than December 31, 2017." Notably, the same requirements must be flowed down in all "subcontracts, or similar contractual instruments, for services that include support for" the goods or services being provided under a contract to which the DFARS clauses apply.

Although the additional time to achieve compliance with NIST 800-171's requirements is helpful, the new DFARS clauses also impose an additional requirement that must be understood by contractors. "The second interim rule requires contractors, within 30 days of contract award, to notify the DoD Chief Information Officer of any NIST SP 800-171 security requirements that are not implemented at the time of contract award." Accordingly, contractors will need to track where they are on the path to compliance with 800-171's requirements so that accurate reports identifying gaps can be provided to the DoD each time contract performance begins under a new award.

Originally published on January 5, 2016

© Copyright 2016. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.