By Colleen Johnson | Sera-Brynn Business Development – Regulatory Specialist
Defense Federal Acquisition Regulation Supplement: DFARS 252.204-7012, as revised on Dec. 30, 2015, is the cybersecurity rule issued by the Department of Defense (DoD) titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
The DFARS clause requires all DoD contractors and subcontractors, regardless of size, to comply with two key information security requirements: (1) Adequate Security and (2) Incident Reporting. This impacts every DoD contractor and subcontractor, from high-tech to low-tech environments, regardless of the nature of the work, so long as “covered defense information” (CDI) is involved.
For most contractors, “adequate security” is satisfied by showing compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. There are exceptions and a variance process.
“Incident Reporting” requires contractors to report any cyber incidents that may have affected CDI within 72 hours of discovery. Reporting is to be done (1) to the DoD through the Department’s DIBNet portal, on an Incident Collection Form, and (2) to the prime contractor. In addition, the contractor must adhere to regulations regarding investigating, preserving, and submitting information about the breach to the DoD.
October 2016 Updates to DFARS
On Oct. 21, 2016, after over a year of rule making and revisions, the DoD issued a final rule clarifying DFARS clause 252.204-7012. See 82 Fed. Reg. 72986 (Oct. 21, 2016).
Notably, the December 2015 version of DFARS 252.204-7012 remains effective. However, the final October 2016 rule clarifies several key components and adds one new requirement.
First, the final rule provides more clarity on what categories of information comprise “covered defense information.” The final rule states that CDI means “unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies ….” 82 Fed. Reg. 73000 (Oct. 21, 2016).
Although there is still a catch-all phrase in play (by way of the CUI definition), the scope of CDI is now harmonized with the definition of CUI as promulgated by the National Archives and Records Administration (NARA).
Second, contracts that are solely for the acquisition of commercially available off-the-shelf (COTS) items are now exempted.
Importantly, the Dec. 31, 2017, deadline for DFARS 252.204-7012 was not extended. Contractors and subcontractors are required to comply “as soon as practical” but not later than the end of 2017. In addition, the final rule added another noteworthy deadline. The DoD Chief Information Officer (CIO) must now be notified within 30 days of contract award of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award. This applies to all contracts awarded prior to Oct. 1, 2017.
Other Cybersecurity Regulations to Consider
As a whole, the cybersecurity laws that direct government contractors and subcontractors to combat cyber threats are complex, and they involve overlapping U.S. regulations. For instance, on the same day the DFARS clause 252.204-7012 regulation was made final, the DoD issued a separate proposed rule on “Withholding of Unclassified Technical Data and Technology From Public Disclosure” and also made final the rules regarding contractors’ use of cloud service providers.
In addition, the cybersecurity legal framework applicable to U.S.-based defense contractors may also include extraterritorial or non-U.S. laws, such as the European Union’s General Data Protection Regulation (GDPR). As such, DoD contractors and subcontractors may store or process information that is subject to multiple regulations and regimes.
DFARS regulations directly impact DoD contractors and subcontractors. Since its inception, the DFARS cybersecurity clause has been subject to repeated rule making and the revisions that come with it.
However, the DFARS final rule of October 2016 finalizes and helps clarify the specific actions DoD contractors must take to be in compliance with the law. Specifically, the October 2016 revisions (1) clarify the definition of Covered Defense Information, (2) create a COTS exemption, and (3) add a second reporting requirement and deadline regarding DoD contracts. The deadline for compliance is Dec. 31, 2017. That has never changed.
About Colleen Johnson: With technology as a core interest, Colleen Johnson has worked in the commercial space industry, the federal government and the legal industry. She is knowledgeable in many areas of regulatory law, including cybersecurity, space, aviation, maritime, and defense. She holds a B.A. from the Catholic University of America and a J.D. from Washington College of Law.