On October 21, 2016, the Department of Defense (DoD) issued its long-awaited Final Rule—effective immediately—imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI). The Final Rule has been years in the making and is the culmination of an initial rule issued in November 2013, two interim rules published in August 2015 and December 2015, and years of comments and experience by DoD and its contractors.  The new Rule materially alters the predecessor rule in a number of respects and clarifies several important issues relating to contracting for cloud computing services.

 Key substantive changes include the following:

  • Adds new definitions or clarifies existing definitions for “covered defense information,” “covered contractor information system,” “export control,” the “other” category of CDI, and “operationally critical support.”
  • Directs that DFARS provisions 252.204-7008 and 252.204-7012 should not be used in solicitations and contracts “solely” for commercial-off-the-shelf (COTS) items.
  • Amends DFARS 252.204-7000 to clarify that fundamental research, by definition, does not involve any CDI.
  • Amends DFARS 252.204-7012 to:
    • Provide guidance on requests to vary from NIST SP 800-171 security controls and mandate that subcontractors notify the prime contractor (or next higher tier subcontractor) when submitting such a variance request;
    • Clarify that contractors must implement safeguarding requirements on all covered contractor information systems, not just those that support the performance of work on the contract;
    • Confirm that contractors are not required to implement any security requirements if an authorized representative of the DoD Chief Information Officer (CIO) has adjudicated a request to vary or determined that a security control is not applicable;
    • Require contractors to ensure that external cloud service providers (CSPs) used in performance of a contract to store, process, or transmit any CDI must: (i) meet security requirements equivalent to those established by the Government for FedRAMP moderate baseline; and (ii) comply with DFARS 252.204-7012’s reporting, protection, and access requirements; and
    • Clarify that the clause must be flowed down to subcontractors when CDI is necessary for performance of the subcontract.
  • Modifies DFARS 239.7602-1 to provide two exceptions where a contracting officer may award a contract to acquire cloud services from a CSP that has not been granted a provisional authorization by the Defense Information System Agency (DISA).

Our full analysis of the new Rule is available here.

Print:
EmailTweetLikeLinkedIn
Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government…

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Photo of Michael Wagner Michael Wagner

Mike Wagner helps government contractors navigate high-stakes enforcement matters and complex regulatory regimes.

Combining deep regulatory knowledge with extensive investigations experience, Mr. Wagner works closely with contractors across a range of industries to achieve the efficient resolution of regulatory enforcement actions and government…

Mike Wagner helps government contractors navigate high-stakes enforcement matters and complex regulatory regimes.

Combining deep regulatory knowledge with extensive investigations experience, Mr. Wagner works closely with contractors across a range of industries to achieve the efficient resolution of regulatory enforcement actions and government investigations, including False Claims Act cases. He has particular expertise representing individuals and companies in suspension and debarment proceedings, and he has successfully resolved numerous such matters at both the agency and district court level. He also routinely conducts internal investigations of potential compliance issues and advises clients on voluntary and mandatory disclosures to federal agencies.

In his contract disputes and advisory work, Mr. Wagner helps government contractors resolve complex issues arising at all stages of the public procurement process. As lead counsel, he has successfully litigated disputes at the Armed Services Board of Contract Appeals, and he regularly assists contractors in preparing and pursuing contract claims. In his counseling practice, Mr. Wagner advises clients on best practices for managing a host of compliance obligations, including domestic sourcing requirements under the Buy American Act and Trade Agreements Act, safeguarding and reporting requirements under cybersecurity regulations, and pricing obligations under the GSA Schedules program. And he routinely assists contractors in navigating issues and disputes that arise during negotiations over teaming agreements and subcontracts.