The DoD Rules for Protecting Data Generated or Received as Part of Your DoD Contract or Subcontract Goes Into Effect in Four Short Months
By: Keil J. Ritterpusch, Esq. – Senior Compliance Associate, FD Associates, Inc.
Over the past few years the U.S. Federal Government has been working to establish a regulatory system to ensure that U.S. companies and individuals who are involved with U.S. Government contracts institute sufficient protections for information that they receive or produce in furtherance of their government contracts. Over this period, there have been numerous proposed rules in the Federal Register by various agencies involved with government contracting and the protection of data pertaining to these government contracts.
On June 18, 2015, the U.S. Government, operating through its National Institute of Standards and Technology (“NIST”), published the first major guidance on the security protocols that persons doing business with the U.S. Federal Government should implement to protect data in which the U.S. Federal Government has a vested interest: NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (“NIST SP 800-171”).
The U.S. Department of Defense (“DoD”) then published proposed rules in the Federal Register in August and December 2015 proposing to implement a security system for prime contractors and subcontractors working under contracts with DoD to protect Controlled Unclassified Information (“CUI”). Through the notice and comment rulemaking process, DoD substantially modified its proposal for contractors to protect CUI and in turn directed the NIST to revise the NIST SP 800-171.
What resulted from the revision of NIST SP 800-171 and the 2015 proposed rules for the protection of CUI was a DoD Final Rule, 81 Fed Reg 72986, issued on October 21, 2016, and Revision 1 of NIST SP 800-171, published in December 2016. The DoD final rule provided pertinent revisions of Defense Federal Acquisition Regulations (“DFARS”) 252.204-7000 and 252.204.7012, meanwhile the revision of NIST SP 800-171 was mainly through the insertion of clarifying language.
While this regulatory change was published in October 2016, with NIST SP 800-171 being revised in December 2016, the DFARS CyberSecurity rules go into full effect on December 31, 2017. By this date, only four short months from now, all U.S. DoD Contractors and Subcontractors must have fully implemented the cybersecurity protocols dictated by DFARS 252.204-7000 and 252.204-7012.
A failure to have properly implemented the system is grounds for DoD to void any prime contract held by the entity failing to comply with the DFARS requirement or to any subcontractor to whom DFARS 252.204-7012 has been flowed down.
The key tenets of the DFARS Cybersecurity rules are as follows:
- •Contractors MUST establish a system in compliance with NIST SP 800-171 for the protection of “Covered Defense Information” (“CDI”), which is defined as unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
- o(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- o(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
- •Based on this definition of CDI, the terms CDI and CUI are essentially synonymous. As a result, for the remainder of this article, we refer to the term as CDI/CUI. While there is a minor distinction between what is CUI and what is CDI, the distinction is pertinent more to the US Government and its policies for retaining and protecting data than it is to the contractor community
- •This definition for what contractors MUST protect (CDI/CUI) is extraordinarily broad, as defense contractors and their subcontractors working under contracts with DoD do not need to protect only “export controlled information”, but all other information that is “collected,” “developed,” “received,” “transmitted” “used,” or “stored” in the performance of a DoD contract or subcontract.
- •Extrapolating out the definition for CDI/CUI, it could include, for example, the attendees at a meeting with U.S. Army personnel related to the bathrooms for a new base being constructed – not the technical details related to the effort, but the actual attendees, as the list of attendees (for a meeting that is required for the fulfillment of a contractual obligation to DoD) will have been generated “in support of the performance of the [DoD] contract.”
- •CDI/CUI does not need to contain a single piece of data that would be export controlled in order for a pertinent defense contractor who merely possesses the attendee list to be required to have instituted an information security system in furtherance of the NIST SP 800-171 requirements. DFARS 252.204-7012.
- •Pursuant to DFARS 252.204-7000(a), contractors must not release any CDI/CUI to “anyone outside the Contractor’s organization, regardless of medium (e.g., film,, tape, document), pertaining to any part of [the DoD] contract or any program related to [the DoD] contract” unless the Contracting Officer has given approval or the information is in the public domain.
- •As a result, Contractors must establish a system for protecting CDI/CUI from being accessed by persons who do not have the legal authority to access or possess the CDI/CUI. This includes foreign parents and affiliates of US contractors and subcontractors to DoD.
- •If the U.S. contractor allows the foreign parent or foreign affiliate to govern its network storage solutions, for example, the U.S. contractor could be unwittingly permitting the disclosure of CDI/CUI to persons without a right to have access to said information – foreign persons no less.
- •This is not permissible under the NIST SP 800-171 publication or the DFARS cybersecurity protection requirements.
- •A failure to prevent foreign person control/access to a contractor’s IT infrastructure could result not only in a violation of the ITAR or the EAR, if the information managed by the foreign parent or affiliate is export-controlled, but also in sanctions under the DFARS, including the possibility of the contractor losing its contracting privileges with DoD for failing to comply with the DFARS Cybersecurity rules.
- •Even more cumbersome for US contractors is that they cannot permit their foreign parents of affiliates to manage their email systems, for the US contractors cannot predict the type of information that will be received by them related to their performance of pertinent DoD contracts – which information would be received by their foreign parent or affiliate in the course of managing the mail servers of the US subsidiary or affiliate.
- •If the US contractor permits its mail systems to be administered by foreign persons in any way, the US contractor will not be in compliance with the NIST SP 800-171 and DFARS 252.204-7012 requirement for the protection of CDI/CUI, for the US contractor will be allowing the foreign person to have access to CDI/CUI, including both export-controlled and non-export-controlled information.
- •Along these lines, we note that the use of GOOGLE for email or other document creation and storage is not compliant with the DFARS Cybersecurity rules, as GOOGLE has clearly stated that its servers and services are commercial and that GOOGLE uses foreign persons in the management of its Information Technology (“IT”) infrastructure, such that GOOGLE cannot certify that CDI/CUI housed in GOOGLE would only be accessed by US persons on US-based servers.
- •Fortunately for contractors and subcontractors, NIST SP 800-171 offers significant flexibility for how the contractors meet the basic and derived security requirements in the policy document.
- •NIST and DoD are not concerned with how contractors achieve the security requirements. They do not require any specific technological solution, do not require that contractors purchase (or refrain from purchasing) any particular hardware or software, and do not require that contractors overhaul their existing systems – per se.
- •Rather, the requirements of the DFARS rules and the NIST policy document allow contractors to adequately protect CDI/CUI “using the systems they already have in place, rather than trying to use government-specific approaches.” Of course, not all contractors presently have systems in place that can achieve the NIST requirements, and the burden is on the contractor to ensure that it meets its legal and contractual obligations to the government for handling CDI/CUI. Contractors whose work involves CDI/CUI, therefore, should promptly conduct an assessment of their existing systems that effectively:
- oIdentifies whether they possess or are likely to possess CDI/CUI;
- oAnalyzes their current practices, systems and solutions for protecting that data and monitoring data security to determine if they can meet applicable standards, including, but not limited to their federal contract(s) clauses, NIST SP 800-53 and NIST SP 800-171; and
- oDevelops an effective incident response plan and implements processes for responding to security incidents and mitigating any negative effects of security incidents.
- •The NIST SP 800-171 focuses on minimum standards and best practices within 14 “Security Requirement Families” and provides detailed lists of basic and derived security requirements contractors need to employ to meet each of the standards. As “minimum” standards, they attempt to set the base against which efforts and requirements are made; contractors are free to exceed these expectations through heightened efforts. The following is a list of just a few representative requirements for each of the 14 standards:
1. Access Control
- •Limit information system access to authorized users
- •Separate the duties of individuals to reduce the risk of malevolent collusion
- •Limit unsuccessful login attempts
- •Require encryption and authentication of various devices (including mobile devices), and route remote access through managed access control points
- •Require multi-factor account access for system administrators
2. Awareness and Training
- •Educate managers, systems administrators and users about security risks associated with their activities and applicable policies, standards and procedures
- •Provide security awareness training on recognizing and reporting potential indicators of insider threat
3. Audit and Accountability
- •Use automated mechanisms to integrate and correlate audit and reporting processes
- •Support on-demand analysis and reporting
4. Configuration Management
- •Limit the types of programs users can install
- •Control and monitor all user-installed software
5. Identification and Authentication
- •Prevent reuse of identifiers for a defined period
- •Disable identifiers after a defined period of inactivity
- •Enforce minimum password complexity, i.e., “smart passwords”
6. Incident Response
- •Develop and test an incident response plan
- •Ensure equipment removed off-site is sanitized of any CDI/CUI
- •Require multifactor authentication to establish nonlocal maintenance sessions
8. Media Protection
- •Protect (i.e., physically control and securely store) information system media (paper and digital) containing CDI/CUI
- •Sanitize or destroy information system media containing CDI/CUI before disposal or release for reuse
9. Personnel Security
- •Screen individuals prior to authorizing access to systems containing CDI/CUI
10. Physical Protection
- •Maintain audit logs of physical access
- •Control and manage physical access devices
11. Risk Assessment
- •Scan for and remediate vulnerabilities in the information system and applications
12. Security Assessment
- •Periodically assess and monitor the security controls for effectiveness in their applications
- •Develop and implement plans of action designed to correct deficiencies and reduce/eliminate vulnerabilities
13. System and Communications Protection
- •Separate user functionality from information system management functionality
- •Implement cryptographic mechanisms to prevent unauthorized disclosure of UCTI during transmission
- •Control and monitor the use of Voice over Internet Protocol technologies
14. System and Information Integrity
- •Update malicious code protection mechanisms when new releases are available
- •Identify unauthorized use of the information system
Beyond the specific requirements for protecting CDI/CUI, the final rule published by DoD includes clarification on the security standards applicable to cloud-computing services and capabilities. Cloud Service Providers (CSPs), when storing or transmitting CDI should meet the Federal Risk and Authorization Management Program (“FedRAMP”) standard for “moderate” compliance, as well as the DFARS Cybersecurity rules’ incident reporting requirement. Contractors should note these requirements under the DFARS for CSPs and review their CSP agreements to determine if any revision of the CSP agreements are required to ensure compliance with the DFARS Cybersecurity rules.
With regard to reporting requirements under the DFARS Cybersecurity rules, DFARS 252.204-7000(c) imposes a requirement on contractors (and CSPs) to notify DoD at http://dibnet.dod.mil -- using a “Medium Assurance Certificate” obtained from DoD (http://iase.disa.mil/pki/eca/Pages/index.aspx) for security of the notification -- when the contractor:
… discovers a cyber incident that affects covered contractor information systems or CDI residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract.
The contractor must conduct a review for evidence of compromise of CDI, including, but not limited to, identifying comprised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information systems that were part of the cyber incident, as well as other information systems on the contractor’s networks that may have been accessed as a result of the incident in order to identify compromised CDI, or that affect the contractor’s ability to provide operationally critical support.
While DFARS 252.204-7000(c)(ii) provides that contractors shall issue secure cyber incident reports to DoD at the web address above rapidly (i.e., within seventy-two (72 hours) of discovering the cyber incident), it is not clear that a contractor is required to issue a full cyber incident report in this 72 hour period. As significant forensic work is often required to perform the full investigation dictated by DFARS 252-204-7000(c), we recommend the filing of a preliminary report with DoD within 72 hours of discovering a cyber incident, with a full report to follow in a reasonable period of time, or as is expressly directed by DoD.
In parallel with the filing of the cyber incident report to DoD, we recommend that the contractor file an Initial Voluntary Disclosure with the Department of State’s Directorate of Defense Trade Controls (“DDTC”) if any ITAR technical data was or may have been accessed in the breach as well as an Initial Voluntary Self-Disclosure with the Department of Commerce’s Bureau of Industry & Security (“BIS”) if any EAR technology was or may have been accessed in the breach.*