Mary Elizabeth Bosco is a Partner in Holland & Knight's Washington D.C. office

HIGHLIGHTS:

  • Contractors now have until Dec. 31, 2017, to comply with the U.S. Department of Defense's new interim rules regarding information system security requirements, mandatory cyber breach reporting, and cloud computing standards and procedures.
  • Contractors still need to identify noncompliant procedures in current proposals.
  • The scope of affected subcontractors is limited.

The U.S. Department of Defense (DoD) released interim rules on Aug. 26, 2015, setting forth (i) information system security requirements; (ii) mandatory cyber breach reporting; and (iii) cloud computing standards and procedures. The rules were effective immediately. The rules required that the information systems of contractors storing or using "covered defense information" – defined as non-classified information that is either provided by DoD to the contractor or is transmitted, used, or stored by or on behalf of the contractor in support of performance of its contract – meet the standards contained in National Institute of Standards and Technology (NIST) Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."

New Rule Extends Time Period for Compliance

In written comments on the interim rule, and at a Dec. 14, 2015, public meeting with DoD, contractors urged the government to allow a grace period for compliance with the NIST Publication 800-171 standards. On Dec. 30, 2015, DoD responded to industry concerns by modifying its information security clause to extend the time period within which contractors must meet the NIST SP 800-171 standards to Dec. 31, 2017. See Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008(c); 48 C.F.R. §252.204-7008(c). Under the revised clause, offerors are required to certify in their proposals that they will implement the NIST security standards by the Dec. 31, 2017, date.

The Dec. 31, 2017, extension, however, did not come without conditions. First, DoD has revised the applicable solicitation provisions. The new solicitation clause requires offerors to identify to the contracting officer any variances between their cybersecurity procedures and those NIST SP 800-171 standards that are in effect at the time of the solicitation. This submission must include an explanation as to why a particular security requirement is not applicable or how an alternative security measure will provide protection equivalent to the NIST standards. The clause also provides that the DoD Chief Information Officer (CIO) will approve or disapprove requested variances prior to award, and that approved alternatives must be incorporated in the final contract.

DoD similarly revised the cyber assurance contract clause. See DFARS 252.204-7012(b)(1)(ii); 48 C.F.R. §252.204-7012(b)(1)(ii). The new clause requires a contractor to notify the DoD CIO, within 30 days of award, of any security requirements included in NIST SP 800-171 that it has not implemented as of the time of award, or of alternative but equally effective security measures that the DoD CIO has accepted in writing. According to the Dec. 30, 2015, rulemaking, this information will be used by the CIO to monitor progress across the defense industrial base, identify trends in the implementation of these requirements, identify issues that may require clarification or adjustment, and provide DoD with information to assess the overall risk to DoD covered information.

In sum, while contractors now have until Dec. 31, 2017, to implement the NIST SP 800-171 standards, they will still need to (i) identify any gaps between their current systems and NIST SP 800-171 when submitting proposals for work involving covered defense information, and (ii) inform the DoD CIO of any gaps and obtain the CIO's acceptance of alternative information security protective measures. The new DoD interim rules make no mention of whether security system gaps will be taken into account in proposal evaluations. Even without express direction, it is rational to assume that contracting agencies would consider the scope and breadth of gaps as part of their contractor responsibility determinations. In practical terms, therefore, the Dec. 31, 2017, extension may not be as generous as it appears at first glance.

Latest Interim Rule Narrows the Scope of Covered Subcontractors

In addition to extending the compliance date, DoD's recent interim rule specifies that the cybersecurity clauses should be flowed down to subcontractors only when their efforts involve covered defense information or when the subcontractors will provide operationally critical support.

Incident Reporting Requirement Remains Unchanged

Importantly, the new DoD rule does not change the breach reporting rule. Covered contractors must still report any cyber incidents within 72 hours of discovery and must conduct an investigation to gather evidence of the scope of the incursion. In order to submit a report, a contractor must have or acquire a "DoD-approved medium assurance certificate" for reporting cyber incidents. In addition to the reporting requirement, the regulations obligate contractors to (i) submit to DoD any malicious software they are able to isolate; (ii) preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days from the submission of the incident report; and (iii) permit DoD access in order to perform its own forensic investigation or damage analysis.

The bottom line is that, while government contractors do not need to implement all of the NIST SP 800-171 provisions until Dec. 31, 2017, they need to be able to identify – as of now – the differences between their current information security procedures and the NIST standards in order to submit offers on covered DoD contracts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.