On October 21, 2016, the Department of Defense (DoD) issued its long-awaited Final Rule—effective immediately—imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI). The Final Rule has been years in the making and is the culmination of an initial rule issued in November 2013, two interim rules published in August 2015 and December 2015, and years of comments and experience by DoD and its contractors. The new Rule materially alters the predecessor rule in a number of respects and clarifies several important issues relating to contracting for cloud computing services.
Key substantive changes include the following:
- Adds new definitions or clarifies existing definitions for “covered defense information,” “covered contractor information system,” “export control,” the “other” category of CDI, and “operationally critical support.”
- Directs that DFARS provisions 252.204-7008 and 252.204-7012 are not to be used in solicitations and contracts "solely" for the acquisition of commercially available off-the-shelf (COTS) items.
- Amends DFARS 252.204-7000 to clarify that fundamental research, by definition, does not involve any CDI.
- Amends DFARS 252.204-7012 to:
  - Provide guidance on requests to vary from the NIST SP 800-171 security requirements and require that a subcontractor notify the prime contractor (or next higher-tier subcontractor) when submitting such a variance request;
  - Clarify that contractors must implement the safeguarding requirements on all covered contractor information systems, not only those that support performance of work under the contract;
  - Confirm that a contractor is not required to implement a particular security requirement where an authorized representative of the DoD Chief Information Officer (CIO) has adjudicated it as not applicable or has approved an alternative, but equally effective, security measure in response to a request to vary;
  - Require a contractor that uses an external cloud service provider (CSP) to store, process, or transmit CDI in performance of a contract to ensure that the CSP: (i) meets security requirements equivalent to those established by the Government for the FedRAMP Moderate baseline; and (ii) complies with the clause's requirements for cyber incident reporting, media preservation and protection, and access to the information and equipment needed for forensic analysis; and
  - Clarify that the clause must be flowed down to subcontractors (without alteration, except to identify the parties) when subcontract performance will involve CDI or operationally critical support.
- Modifies DFARS 239.7602-1 to provide two exceptions under which a contracting officer may award a contract to acquire cloud computing services from a CSP that has not been granted a provisional authorization by the Defense Information Systems Agency (DISA): where the DoD CIO waives the provisional authorization requirement, or where the requirement is for a private, on-premises version of the service provided from U.S. Government facilities (in which case the CSP must still obtain a provisional authorization before operational use).
Our full analysis of the new Rule is available here.