DoD announces industry day to facilitate implementation of new network penetration reporting clause

In response to a chorus of implementation questions raised by the contracting community, the US Department of Defense (DoD) has announced an industry information day, during which contractors who have questions or wish to provide feedback regarding DoD’s Network Penetration Reporting and Contracting for Cloud Services final rule can raise those questions. On April 5, 2017, DoD published a notice of meeting in the Federal Register announcing the “Industry Information Day” on June 23, 2017.

The public meeting will address the implementation of DFARS Case 2013-D018, and the associated DFARS clauses, including DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct. 2016). The final rule, published October 21, 2016, finalized an interim rule mandating that both prime and subcontractors safeguard covered defense information, report on network penetrations, and require adequate security from external cloud computing services. We have previously analyzed these new requirements.

The industry day announcement is an important reminder to contractors of the upcoming December 31, 2017, deadline for implementing the new security requirements required under the final rule to qualify for new DoD awards. The event will be held on Friday, June 23, from 9 a.m. to 1 p.m. at the Mark Center Auditorium in Arlington, VA. Any contractors with questions or feedback about the rule’s requirements or implementation should attend. The registration deadline is June 12, 2017.  Contractors may register via email at: OSD.DIBCSIAEvents@mail.mil. DoD will accept written questions until May 1 at the same address, and contractors grappling with various implementation questions are encouraged to submit questions in advance.

For additional details regarding the Industry Information Day, registration and process for submitting questions, please consult the meeting notice.

DoD Clarifies Covered Defense Information Definition in Final Cyber Reporting Rule

The Department of Defense (DoD) on October 4, 2016, issued a rule finalizing cyber reporting regulations applicable to DoD contractors and subcontractors set forth in 32 CFR Part 236.  The rule finalizes an interim rule DoD issued on October 2, 2015, and addresses cyber incident reporting obligations for DoD prime contractors and subcontractors.

Notably, the final rule clarifies the by now well-known definition of the term ‘covered defense information’ (“CDI”).  This same term is used in DFARS 252.204-7012.  This DFARS clause defines CDI to include four different categories: (1) covered technical information (“CTI”); (2) operations security; (3) export controlled information; and (4) any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.

Given the similarities of this final category to the definition of controlled unclassified information (“CUI”) promulgated in connection with the National Archives and Records Administration’s (NARA) rule, we have understood this latter category to include CUI identified by NARA pursuant to its efforts under EO 13556.  The DoD’s new final rule provides support for this understanding because it narrows the definition of CDI to only two categories:  (1) CTI and (2) CUI.  This modification accordingly appears to make clear that the “catch-all” category of CDI contained in DFARS 252.204-7012 was intended to align with NARA’s CUI efforts.

Importantly, this final rule makes no changes to the DFARS clause itself, and it is likely that conforming changes will be made to the DFARS clause in a future revision.  The December 2015 version of the DFARS clause remains effective.  Nevertheless, in light of the final rule, contractors and subcontractors seeking to understand the scope of CDI under the DFARS clause should include CUI in their review as they await further revision to the clause.

Cybersecurity and your supply chain: What you don’t know may hurt you

Recently revised cybersecurity regulations affecting US defense contractors and their subcontractors seek to address gaps in government contractor supply chains and expand the breadth of regulations in this area. In the February issue of Contract Management magazine, Dentons Partners Phillip Seckman and Erin Sheppard and Counsel Michael McGuinn provide guidance to contractors seeking to enhance subcontractor compliance under these regulations. In the attached article, entitled “Cybersecurity and your supply chain: What you don’t know may hurt you,” the authors provide a three-step approach to ensuring compliance with the updated Defense Federal Acquisition Regulation Supplement (DFARS) covered defense information regulations within a contractor’s supply chain. Please feel free to contact the authors with questions.

The gift of time: A second DOD interim rule grants contractors additional time to comply with cyber security requirements

The US Department of Defense (DOD) earlier today issued a second interim rule, effective immediately, that gives affected contractors until December 31, 2017, to implement fully compliant cyber security controls.

The cyber security requirements, contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) No. 800-171, were part of a prior interim rule issued in August 2015. Sometimes referred to as the Network Penetration Rule, DOD’s first interim rule had required immediate compliance with NIST SP 800-171 at both the prime and subcontract levels. Although DOD’s second interim rule gives contractors additional time to implement the requirements of NIST SP 800-171, the rule as revised still imposes certain near-term burdens on affected contractors and subcontractors. Read the full article.

Department of Defense seeks to clarify contractor cybersecurity obligations

Earlier this year, we reported on the Department of Defense’s (DOD) imposition of new and revised cybersecurity requirements on DOD prime and subcontractors. The new requirements reflected in DOD’s interim rule, among other things, expanded the clause governing unclassified controlled technical information to cover all “covered defense information,” replaced old safeguarding requirements, and expanded contractors’ reporting obligations in the event of a cyber incident. Since DOD released these new and revised requirements, which took effect immediately, contractors have been hustling to understand the requirements and to ensure full compliance.

Just last week, likely in an attempt to address some of the confusion surrounding the new and revised requirements in the interim rule, DOD released (1) updated Defense Federal Acquisition Regulation Supplement (DFARS) Procedures, Guidance and Information (PGI), and (2) Frequently Asked Questions (FAQs) covering network penetration reporting, safeguarding covered defense information, and cloud services. These two documents shed light on the manner in which DOD is implementing the cybersecurity requirements. For example, together the FAQs and the PGI:

• Explain why DOD replaced the security protections from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 with the NIST SP 800-171;

• Provide DOD’s interpretation of the security controls outlined in NIST SP 800-171;

• Describe how covered defense information and operationally critical support will be identified;

• Provide examples of operationally critical support;

• Clarify that the DOD Cyber Crime Center is the “operational focal point” for receiving reports of cyber threats and cyber incidents; and

• Dictate the roles and responsibilities of the Contracting Officer and/or the requiring activity in, among other things, identifying and marking unclassified controlled technical information, handling a reported cyber incident, and conducting damage assessment activities.

Contractors struggling with how, precisely, to implement DOD’s cybersecurity requirements should look to this issued guidance to see if it addresses the questions they have and use it in formulating their own compliance plans. Additionally, contractors should consider attending DOD’s recently announced “Industry Implementation Information Day” on December 14, 2015, at which the department will present a briefing regarding DOD’s new and revised cybersecurity requirements. Information on the industry day, including registration information, can be found here.

Dentons lawyers will continue to monitor key developments in this area and will be providing more information about contractors’ compliance obligations and best practices as part of the Public Contracting Institute’s series on government contracts cybersecurity. More information on the series can be found here.

NIST Publishes RFI Seeking Industry Input on Cybersecurity Framework

The National Institute of Standards and Technology (“NIST”) has published a Request for Information (“RFI”) seeking input from industry on how organizations are utilizing NIST’s Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”).  As we reported on August 22, 2014, interested parties have forty-five (45) days to submit comments, which are due by October 10, 2014.  Interested parties should plan to address the twenty-two questions posed in the RFI, each of which is aimed at providing NIST with key insights as to which aspects of the Framework are working well and which dimensions may not be working as well.

HHS Audit Reports Signal Increasing Cybersecurity Audits for Contractors

The Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) recently released two audit reports assessing weaknesses in the information security systems of a contractor-operated Medicaid Management Information System (MMIS) and contractors administering federal Medicare programs.  The reports reflect a growing trend toward proactive audits of such cybersecurity controls by state and federal agencies.

The reports highlight the assessed vulnerabilities in each audit and signal a need for increased vigilance on the part of companies operating healthcare information technology (“IT”) systems.  Importantly, both reports signal a growing trend away from a presumption of security for contractor IT systems and toward an increased number of cybersecurity audits to verify security in advance of a cyber incident.

Recently Released Policy Statement of the Department of Justice and Federal Trade Commission Clarifies that Sharing Cyber Threat Information Likely Does Not Raise Antitrust Concerns

Announcing their belief that antitrust is not, nor should be, “a roadblock to legitimate cybersecurity information sharing,” on April 10, 2014, the Department of Justice, Antitrust Division and the Federal Trade Commission published an Antitrust Policy Statement on Sharing of Cybersecurity Information (the “Policy Statement”) explaining the three-step analysis the two agencies will use to evaluate whether information sharing agreements between two private entities raise antitrust concerns.  Notably, the Policy Statement confirms that under the fact-driven analysis, programs and agreements to share cyber information generally will not implicate antitrust concerns.

DoD and GSA Issue Notice for Public Comments on Draft Cybersecurity Implementation Plan

The General Services Administration (“GSA”) has issued a Notice requesting public comments on a draft implementation plan for implementing the six recommendations set forth in the Department of Defense and GSA’s January 23, 2014 Final Report, “Improving Cybersecurity and Resilience through Acquisition.”  79 Fed. Reg. 14042 (Mar. 12, 2014), available here.  Of these six recommendations, the draft implementation plan focuses on instituting a federal cyber risk management strategy and, more specifically, on establishing a methodology for categorizing acquisitions.  The plan is accompanied by a discussion draft of Appendix I, which details GSA’s proposed categorization.  GSA invites interested stakeholders to submit comments on the draft implementation plan and accompanying appendix on or before April 28, 2014.

National Institute of Standards and Technology Releases Cybersecurity Framework, Version 1.0

The National Institute of Standards and Technology (“NIST”) has issued the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (“Framework”), providing guidance to the nation’s critical infrastructure on best managing and protecting against cyber threats.  Developed in accordance with Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” the Framework provides organizations with a crucial tool kit to utilize in reducing cybersecurity risks using existing standards, guidance, and best practices.

The Framework is the product of a collaborative process between NIST and industry.  The newly released version of the NIST Framework incorporates comments received in response to a preliminary draft released last fall.  Based upon the comments received, NIST made some changes to the Framework, although very few were substantively significant.  One of the major changes to the Framework from previous versions is a revised methodology to protect privacy and civil liberties.

Concurrent with the release of the Framework, NIST has also issued a NIST Roadmap for Improving Critical Infrastructure Cybersecurity, which provides additional details on anticipated next steps.  Similarly, the Department of Homeland Security has announced the launch of the Critical Infrastructure Cyber Community C3 Voluntary Program to serve as the coordination point within the Federal Government for critical infrastructure owners and operators seeking to improve their cyber risk management through use of the Framework.