Department of Defense Publishes FAQs on DFARS Cybersecurity Interim Rule
On November 17, the Department of Defense (DoD) released a set of Frequently Asked Questions (FAQs) on the Interim Rule on Network Penetration Reporting and Contracting for Cloud Services (Interim Rule).[1] The FAQs provide several clarifications on the scope of the Interim Rule and the functionality of NIST Special Publication (SP) 800-171 (which provides substantive cybersecurity requirements for most contractors and subcontractors that may store, transmit, or process Covered Defense Information (CDI)).[2] However, the FAQs do not necessarily assuage concerns about the potentially broad scope of the Interim Rule, nor do the FAQs address many contractor and commenter concerns about the Interim Rule's cyber incident reporting requirements.
First, the FAQs confirm that most contractors will be subject to NIST SP 800-171 (with respect to providing "adequate security" for CDI), including those contractors that use cloud computing for their own purposes, and that DoD's new cloud computing rules only apply to systems that would be "considered a DoD system." Accordingly, DoD's Cloud Computing Security Requirements Guide only applies when a cloud solution is being used to process data on DoD's behalf or when DoD contracts with a Cloud Services Provider to process its data, not when a contractor is doing its own cloud processing to meet a DoD contract requirement.
Second, the FAQs suggest that while the scope of information that is "CDI" may be broad, such information will be clearly marked or identified under the contract. Also, the FAQs reiterate that if a contractor thinks a required security control is not applicable, it can provide a written explanation in the proposal describing why, which will be referred to the DoD Chief Information Officer for resolution. These statements are notable, but they do not necessarily suggest that the Interim Rule is limited in scope, as categories covered by CDI remain quite broad and the process for getting sign-off on alternative security requirements on a requirement-by-requirement basis may be cumbersome.
Finally, and importantly, half of the FAQs focus on technical compliance issues related to NIST SP 800-171. Despite this amount of guidance, DoD states that it anticipates that contractors who were compliant with the previously applicable DFARS clause will be 90-95% compliant with the NIST SP 800-171 security requirements after implementation of policy and procedure requirements not involving substantive IT changes. DoD indicates that contractors may address any residual compliance issues through "plans of action," as provided by security requirement 3.12.2. Again, while this may serve to comfort contractors who were already processing Controlled Technical Information (CTI) (which was the only category of information covered by the previous iteration of the rule), that category of information was much narrower than CDI, so many more contractors will likely need to ensure compliance with NIST SP 800-171 than were already compliant with the previous rule.
In short, the FAQs provide some insight into DoD's understanding of the scope of the Interim Rule, but they do not entirely address many of the primary concerns of contractors and commenters regarding the potentially onerous aspects of the rule. Nor do the FAQs' brief discussions regarding the functioning of the rule's cyber incident report requirements and related DoD investigatory rights in response to such incidents address many contractor concerns about the collection, use, and disclosure of information gathered from contractors under these processes.
See also Ronald D. Lee, Charles A. Blanchard, Nicholas L. Townsend, and Tom McSorley, "Defense Contractors Subject to New Cybersecurity and Cloud Computing Regulations," Arnold & Porter Advisory (Sept. 2015).