Department of Defense Issues New Cybersecurity Rules for Defense Agencies That Use Contractors and Cloud Services to Hold Unclassified Defense Information

by Wilson Sonsini Goodrich & Rosati

The U.S. Department of Defense (DOD) recently published an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS).1 The interim rule, effective August 26, 2015, focuses on two issues. First, the rule expands cyber incident reporting obligations for government contractors and subcontractors holding certain unclassified defense-related information. Second, the rule focuses on data security and other requirements applicable to such contractors and subcontractors. Many of these requirements will be included in agreements between defense agencies or defense contractors and cloud service providers.

Of note, the DOD issued the new interim rule without public comment, stating that it had "urgent and compelling reasons" "to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors." The DOD expects the rule to have a "significant economic impact" on small entities that are required to comply with the new rule.

Cyber Incident Reporting

Under the new rule, "when [a] Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor's ability to perform the requirements of the contract that are designated as operationally critical support," the contractor must report the incident to the DOD's new online portal, located at The reporting requirement applies directly to both contractors and subcontractors that handle unclassified defense-related information.

The reporting requirement applies when: (1) there has been an unauthorized access or disclosure of defense-related information; or (2) there has been an incident involving systems holding defense-related information, even when such defense information was not involved.

The new rule also updates the incident reporting obligations so that they apply to incidents involving a broader range of data. Previously, reporting obligations applied only to incidents involving "controlled technical information." Under the new rule, cyber incident reporting is required when any of the following types of information is involved: controlled technical information, critical information for mission operations security, data related to items subject to export control, and other information identified in the contracts underlying the provision of the service. The DOD expects these changes to increase the number of entities subject to the reporting requirement to an estimated 10,000 contractors and subcontractors.

The rule also describes several steps for a cyber incident response:

  1. Contractors and subcontractors must obtain a "medium assurance certificate" to encrypt and help secure any cyber incident reports submitted to the DOD. Information about obtaining the certificate will be available at
  2. The contractor or subcontractor directly involved in the incident should investigate the incident to determine if covered defense information was involved.
  3. The contractor or subcontractor should report the cyber incident to the DOD using the form provided by the DOD. The DOD estimates this report to take about 4 hours to complete and will likely require an IT expert to provide some of the necessary information.
  4. The contractor or subcontractor should attempt to preserve the forensic integrity of the affected data and systems along with any monitoring logs for at least 90 days following the submission of the incident report. The entity should be prepared to respond to follow-up questions for more information or equipment.

Cloud Services—Data Security and Standard Contract Provision Requirements

Data Security. Under the new rule, contractors are required to provide "adequate" security of certain unclassified defense information. Such safeguards include "protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to or modification of information." The security standard a contractor should implement differs based on whether the contractor's system is: (1) part of an information technology service or system operated for or on behalf of the government; or (2) not part of such a service or system.

When a contractor provides a cloud service that is part of an IT service or system operated for or on behalf of the government, it is required to comply with the security requirements specified in DFARS 252.239-7010 Cloud Computing Services. Contractors that have covered defense information but do not provide IT services for or on behalf of the government agree to comply with the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. If the cloud service provider proposes to deviate from such security requirements, it must obtain written permission after submitting an explanation that the requirement is not applicable or that an alternative but equal mechanism has been implemented.

Standard Contract Provisions. The interim rule lists certain requirements that must be met before defense agencies and defense contractors or subcontractors are permitted to use cloud service providers with respect to defense-related data. Cloud service providers providing services to defense agencies or defense contractors or subcontractors should consider reviewing their compliance with these requirements, as these obligations are likely to be included in agreements with agencies and contractors. The list includes the following:

  1. The cloud service provider shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG), available at
  2. Government data must stay in United States, unless otherwise specifically authorized.
  3. The cloud service provider shall not access, use, or disclose data unless specifically authorized by agreement.
  4. The cloud service provider's limited access, use, and disclosure rights survive the expiration or termination of a contract.
  5. The cloud service provider shall ensure all employees are subject to access, use, and disclosure prohibitions and obligations.
  6. The cloud service provider must report any cyber incidents to the DOD as described above.
  7. The cloud service provider must dispose of government data according to terms of contract. and
  8. The cloud service provider shall notify the government agency promptly of any requests from a third party for access to government data, including warrants, subpoenas, etc.

The DOD has likely moved forward with the interim rule in response to front-page headlines of recent data breaches affecting government systems. Any government contractors and subcontractors, such as cloud service providers, may consider reviewing the types of data they have in their possession to help determine whether the data constitutes the type of defense information covered by the new rule. If a government contractor or subcontractor concludes that it has such data, it may wish to review its incident response policies to take into account the updated incident reporting requirements. They may also review their agreements with subcontractors, such as cloud service providers, to ensure such agreements include provisions that meet the requirements of the new rule. Government contractors and subcontractors—including cloud services—that possess and maintain defense-related data may also consider assessing whether their security safeguards provide "adequate security" that meets the standards set forth by the new rule and prepare to meet the additional privacy and data security provisions they are likely to see in future government contracts.

1 Department of Defense, Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013- D018), 80 Fed. Reg. 51739 (August 26, 2015), available at

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising

Written by:

Wilson Sonsini Goodrich & Rosati

Wilson Sonsini Goodrich & Rosati on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.