The U.S. Department of Defense (DOD) recently published an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS).¹ The interim rule, effective August 26, 2015, focuses on two issues. First, the rule expands cyber incident reporting obligations for government contractors and subcontractors holding certain unclassified defense-related information. Second, the rule focuses on data security and other requirements applicable to such contractors and subcontractors. Many of these requirements will be included in agreements between defense agencies or defense contractors and cloud service providers.

Of note, the DOD issued the new interim rule without public comment, stating that it had "urgent and compelling reasons" "to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors." The DOD expects the rule to have a "significant economic impact" on small entities that are required to comply with the new rule.

Cyber Incident Reporting

Under the new rule, "when [a] Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support," the contractor must report the incident to the DOD's new online portal, located at http://dibnet.dod.mil. The reporting requirement applies directly to both contractors and subcontractors that handle unclassified defense-related information.

The reporting requirement applies when: (1) there has been an unauthorized access or disclosure of defense-related information; or (2) there has been an incident involving systems holding defense-related information, even when such defense information was not involved.

The new rule also updates the incident reporting obligations so that they apply to incidents involving a broader range of data. Previously, reporting obligations applied only to incidents involving "controlled technical information." Under the new rule, cyber incident reporting is required when any of the following types of information is involved: controlled technical information, critical information for mission operations security, data related to items subject to export control, and other information identified in the contracts underlying the provision of the service. The DOD expects these changes to increase the number of entities subject to the reporting requirement to an estimated 10,000 contractors and subcontractors.

The rule also describes several steps for a cyber incident response:

1. Contractors and subcontractors must obtain a "medium assurance certificate" to encrypt and help secure any cyber incident reports submitted to the DOD. Information about obtaining the certificate will be available at http://iase.disa.mil/pki/eca/certificate.html.
2. The contractor or subcontractor directly involved in the incident should investigate the incident to determine if covered defense information was involved.
3. The contractor or subcontractor should report the cyber incident to the DOD using the form provided by the DOD. The DOD estimates this report to take about 4 hours to complete and will likely require an IT expert to provide some of the necessary information.
4. The contractor or subcontractor should attempt to preserve the forensic integrity of the affected data and systems along with any monitoring logs for at least 90 days following the submission of the incident report. The entity should be prepared to respond to follow-up questions for more information or equipment.

Cloud Services—Data Security and Standard Contract Provision Requirements

Data Security. Under the new rule, contractors are required to provide "adequate" security of certain unclassified defense information. Such safeguards include "protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to or modification of information." The security standard a contractor should implement differs based on whether the contractor's system is: (1) part of an information technology service or system operated for or on behalf of the government; or (2) not part of such a service or system.

When a contractor provides a cloud service that is part of an IT service or system operated for or on behalf of the government, it is required to comply with the security requirements specified in DFARS 252.239-7010 Cloud Computing Services. Contractors that have covered defense information but do not provide IT services for or on behalf of the government agree to comply with the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. If the cloud service provider proposes to deviate from such security requirements, it must obtain written permission after submitting an explanation that the requirement is not applicable or that an alternative but equal mechanism has been implemented.

Standard Contract Provisions. The interim rule lists certain requirements that must be met before defense agencies and defense contractors or subcontractors are permitted to use cloud service providers with respect to defense-related data. Cloud service providers providing services to defense agencies or defense contractors or subcontractors should consider reviewing their compliance with these requirements, as these obligations are likely to be included in agreements with agencies and contractors. The list includes the following:

1. The cloud service provider shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG), available at http://iase.disa.mil/cloud_security/Pages/index.aspx.
2. Government data must stay in United States, unless otherwise specifically authorized.
3. The cloud service provider shall not access, use, or disclose data unless specifically authorized by agreement.
4. The cloud service provider's limited access, use, and disclosure rights survive the expiration or termination of a contract.
5. The cloud service provider shall ensure all employees are subject to access, use, and disclosure prohibitions and obligations.
6. The cloud service provider must report any cyber incidents to the DOD as described above.
7. The cloud service provider must dispose of government data according to terms of contract. and
8. The cloud service provider shall notify the government agency promptly of any requests from a third party for access to government data, including warrants, subpoenas, etc.

The DOD has likely moved forward with the interim rule in response to front-page headlines of recent data breaches affecting government systems. Any government contractors and subcontractors, such as cloud service providers, may consider reviewing the types of data they have in their possession to help determine whether the data constitutes the type of defense information covered by the new rule. If a government contractor or subcontractor concludes that it has such data, it may wish to review its incident response policies to take into account the updated incident reporting requirements. They may also review their agreements with subcontractors, such as cloud service providers, to ensure such agreements include provisions that meet the requirements of the new rule. Government contractors and subcontractors—including cloud services—that possess and maintain defense-related data may also consider assessing whether their security safeguards provide "adequate security" that meets the standards set forth by the new rule and prepare to meet the additional privacy and data security provisions they are likely to see in future government contracts.