Two More Years: DoD Gives Defense Contractors Until December 31, 2017, to Comply With Baseline “Adequate” Cybersecurity Requirements
At the eleventh hour (or, really, past the stroke of midnight), the Department of Defense (DoD) issued a short modification to its contractor cybersecurity and cloud computing interim rule, primarily to push back the date on which all defense contractors must be compliant with a baseline set of "adequate security" requirements from "now" to December 31, 2017.1 The new interim rule otherwise modestly amends the interim rule that DoD implemented in August.2
In particular, and most importantly, the new interim rule amends DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires (in the absence of other requirements specific to a particular contract or the approval of "alternative" measures) that all contractors with systems that store, transmit, or process "covered defense information" ensure that such covered systems meet the security requirements of NIST Special Publication (SP) 800-171. The original interim rule provided that contractors were obligated to meet, without exception, the requirements of NIST SP 800-171 at the time of contract award. The revised clause now provides that contractors must meet the requirements "as soon as practical, but not later than December 31, 2017." This two-year extension is significant, and indicates that DoD recognized the contractor concerns over compliance with the interim rule that were raised in the rulemaking docket and at the "Industry Day" public meeting that DoD held on December 14.
In exchange for this two-year extension, however, DoD is requiring all contractors to report, within 30 days of contract award, "any security requirements specified by NIST SP 800-171 not implemented at the time of contract award[.]" DoD explains in the preamble to the new interim rule that this reporting requirement will enable DoD to (1) "monitor progress across the Defense industrial base"; (2) "identify trends in the implementation of these requirements and, in particular, identify issues with industry implementation of specific requirements that may require clarification or adjustment"; and (3) "inform the Department in assessing the overall risk to DoD covered defense information on unclassified contractor systems and networks."
In addition to the two-year extension, DoD also modified the original interim rule to indicate that contractors can seek DoD Chief Information Officer (CIO) approval before and, now, after contract award of "alternative" security measures to NIST SP 800-171 that provide an equivalent level of protection. The newly issued rule also slightly curtails the clause flowdown requirement (the original rule required flowdown to all subcontractors full stop; the new rule requires flowdown only to "subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve a covered contractor information system, including subcontracts for commercial items"). In practice, the flowdown requirement will likely remain broad, given the broad applicability of the rule, and the revised rule also clarifies that the clause must be flowed down "without alteration, except to identify the parties." Finally, the revised rule includes a technical change to the definition of "cyber incident" to make it uniform across all parts of the interim rule.
The revisions DoD released are also notable for what they do not address: despite significant contractor concerns about the broad definitions of "covered defense information" and "cyber incident," those definitions remain unchanged, as do all of the elements of the cyber incident reporting provisions in the interim rule which are the source of much controversy. In short, while the two-year extension for contractors to attain full compliance with NIST SP 800-171 is a response to many concerns regarding the "adequate security" elements of the interim rule, the revisions do not begin to address all of the concerns voiced by the many stakeholders engaged in this process.
Defense contractors subject to the rule should, if they have not already, audit their systems for compliance with NIST SP 800-171, be prepared to identify non-implemented requirements of SP 800-171, and ensure that they are prepared to meet the cyber incident reporting requirements of the interim rule. The rule may be subject to additional modifications as DoD continues to refine it in response to public comments and information gathered from contractors, but the rule is likely here to stay in a form similar to the interim rule currently in effect.
See Arnold & Porter Advisory, "Defense Contractors Subject to New Cybersecurity and Cloud Computing Regulations" (Sept. 2015).