On October 4th, the Department of Defense (DoD) issued a Final Rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors who have “agreements” with DoD. The Final Rule also highlights DoD’s desire to encourage greater participation in the voluntary Defense Industrial Base (DIB) cybersecurity information sharing program. This Rule is effective on November 3, 2016.
This Final Rule implements, in part, statutory requirements for rapidly reporting cyber incidents, including section 941 of the Fiscal Year (FY) 2013 National Defense Authorization Act (NDAA) and sections 391 and 393 of Title 10, and follows an interim rule issued on October 2, 2015. DoD intends for this Rule to incorporate and harmonize all of the cyber incident reporting requirements – both mandatory and voluntary – for entities that have any “agreements” with DoD. 81 Fed. Reg. 68316. Key highlights of the Final Rule are addressed below.
- DoD declined to address the liability protections for reporting of cyber incidents that are now incorporated in 10 U.S.C. §§ 391 and 393. In general, these sections provide that no cause of action will be permitted against “cleared defense contractors” or “operationally critical contractors” for complying with the cyber reporting requirements imposed by DoD. The liability protections, however, do not extend to contractors who engage in “willful misconduct” in the course of complying with such requirements. In comments accompanying the Final Rule, DoD stated that the regulatory implementation of these liability protections “will be addressed through future rulemaking activities to ensure the opportunity for public comment.” 81 Fed. Reg. 68316. Given that the DFARS clause and its requirements apply to all DoD contractors, it is unclear how these liability provisions will be implemented given the narrower application of liability protections.
- The Final Rule clarified that it was not retroactive and that contract specific requirements would take precedence over requirements in the Final Rule. Thus, the language in current procurement contracts will continue to govern. DoD noted, however, that the rule “enabled the option to modify such pre-existing agreements where deemed appropriate,” which means that contractors with existing agreements still may be subject to this rule. 81 Fed. Reg. 68313.
- DoD clarified that the Final Rule applies to “all forms of agreements (e.g., contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement).’’ Currently the DFARS rule and clauses at 252.204-7012 and 252.239-7009 apply only to procurement contracts under the DFARS. Thus, companies that enter into agreements beyond procurement contracts should expect to see terms and conditions implementing the requirements for reporting of cyber incidents. When that will occur is unclear. 81 Fed. Reg. 68314.
- This Final Rule provides some insight into possible revisions to DFARS clause 252.204-7012. The current version of the DFARS clause imposes mandatory reporting requirements for cyber incidents and results from two interim rules issued in August and December. A final rule is expected later this year or early next year. Examples of how the Final Rule is likely to impact the DFARS clause include the following:
- The definition of “covered defense information” or CDI is likely to change. Rather than the four categories of information that appear in the current DFARS Clause, the definition in the Final Rule defines CDI as any data in the Controlled Unclassified Information (CUI) Registry that requires “safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government wide policies” so long as the information is either marked or identified in the contract or received or created during performance of an “agreement.” 81 Fed. Reg. 68314. The reliance on the CUI Registry expands the scope of information that could be implicated because it is a dynamic registry. Nonetheless, the registry provides common nomenclature across the Government for defining data.
- The 72 hour deadline for reporting cyber incidents is here to stay. In response to a comment on the proposed rule that 72 hours was not “practical,” DoD responded that the “72 hour period has proven to be an effective balance of the need for timely reporting while recognizing the challenges inherent in the initial phases of investigating a cyber incident.” 81 Fed. Reg. 68314.
- In response to comments on the proposed rule, DoD confirmed that the definition of compromise, which includes a “violation of security policy of a system” will not change despite the possibility that this could include violations of internal procedures or a simple breach of a firewall. DoD responded that this is a widely accepted definition within the Government and cited to National Security Systems Instruction No. 4009, which includes the same language. 81 Fed. Reg. 68314. DoD did not, however, address directly the specific concern of overly broad application raised by the commenter.
- There should be new procedures for notifying contractors if they are providing “operationally critical support.” Currently, the Final Rule and the DFARS clause require contractors to report a cyber incident if it affects CDI, an information system with CDI, and/ or if the cyber incident affects the contractor’s ability to perform work that is designated as “operationally critical support.” In response to comments that this phrase was too vague, DoD explained that it is developing new procedures to ensure contractors are notified if their contracts fall into this category and that if a contractor is unsure it should seek guidance from the Government. 81 Fed. Reg. 68314. In addition, DoD has already provided some additional guidance on this point in updated FAQs published on September 15, 2016.
- While the Final Rule stated that contractors must flow down the reporting requirements to “subcontractors that are providing operationally critical support or for which subcontract performance will involve a covered contractor information system,” DoD punted on requests for more guidance on which entities qualify as subcontractors, stating that it depends on whether the services being performed meet the flow down requirements of a particular agreement— pointing to DFARS 252.204-7012 for procurement contacts. 81 Fed. Reg. 68315. But this answer does not address whether certain entities—such as an internet service provider—qualify as subcontractors.
- DoD clarified that the only information that it is entitled to under the cyber incident reporting requirements is that information “necessary to conduct a forensic analysis.” DoD describes this as “carefully tailoring” the information to which it should be provided access. 81 Fed. Reg. 68315. This characterization may provide contractors with a basis for pushing back if DoD seeks broad access to contractor systems and information following the reporting of an incident.
- The Final Rule highlighted the difference between “sharing” information under the Final Rule versus the Cybersecurity Information Sharing Act (CISA)of 2015. While under CISA the information shared can only be used for cybersecurity purposes, DoD clarified that information shared pursuant to this scheme could be used for other purposes, including “law enforcement, counterintelligence, and national security.” 81 Fed. Reg. 68315.
- DoD confirmed that the information shared by contractors as a result of a cyber incident should be protected by the Government but will continue to impose the requirement on contractors to mark appropriately “to the maximum extent practicable.” 81 Fed. Reg. 68316. Such marking is often difficult given that a breach may include vast amounts of data.
- DoD fails to recognize the cost impact on commercial companies that do not operate on a cost reimbursement basis with the Government. The one cost recognized by DoD is the $175 for obtaining a medium assurance certificate. 81 Fed. Reg. 68316. This fails to address the significant response, reporting, and preservation costs that will not be reimbursed for commercial companies working for DoD.
Overall, the Final Rule demonstrates that DoD continues to be at the forefront in the area of cybersecurity issues and in trying to develop a consistent and comprehensive approach to those issues. Although the Final Rule did not address many concerns raised by contractors, it does provide guidance as to where DoD is heading in this area. Contractors will continue to wait for the final DFARS rule and the implementation of the liability protections in 10 U.S.C. §§ 391 and 393.
 These liability provisions originated with section 941 of the FY 2013 NDAA and section 1632 of the FY 2015 NDAA. Section 941 of the 2013 NDAA applied only to “cleared” contractors, i.e., those contractors handling classified information. Section 1632 of the 2015 NDAA expanded the scope of the requirement to include not only cleared contractors but also “operationally critical” contractors, which was defined as a contractor that was a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.” The Final Rule, however, applies to all DoD contractors.