On 26 August 2015 the Department of Defense (DoD) published a new interim rule entitled “Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018).”
This rule represents a significant expansion of the mandate on defense contractors and their subcontractors to protect DoD information and to report breaches.
As an interim rule it took effect immediately on publication. It was promulgated with urgency, and all contractors and subcontractors are expected to treat it with the seriousness it requires.
DoD expects the rule to apply to about 10,000 contractors. It is meant to ensure that all DoD contractors and subcontractors (not just IT providers, but ALL contractors) take appropriate steps to mitigate risk and improve their security. It also makes clear that if DoD information is involved in a breach, reporting requirements apply.
Here is what you need to know:
- All DoD contractors and subcontractors must report cyber incidents that result in compromise of, or other potentially adverse effects on, covered DoD information.
- All DoD contractors must have a security program that meets the specific requirements and controls expected by the government.
- The mandated security controls flow from NIST guidance: the control catalog in NIST Special Publication 800-53 and the new NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” SP 800-171 is derived from the 800-53 catalog and tailored specifically to protecting sensitive information in contractor information systems.
- Covered DoD information includes just about any information you will receive from or produce for DoD. It is covered by this rule if it is “any DoD information provided to the contractor or collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of performance of a government contract.”
- Any incident must be reported within 72 hours of discovery.
- Processes must be in place to respond to incidents. DoD has the right to access affected systems and conduct its own forensic analysis, so contractors must preserve images of affected systems and relevant monitoring data rather than wiping and rebuilding them immediately.
- The rule also spells out how cloud computing services may be used. Cloud service providers will be contractually obligated to maintain all government data within the United States unless otherwise authorized in writing by the contracting officer. DoD intends to acquire and use commercial cloud computing services under commercial terms and conditions, but only from providers that have obtained at least a provisional authorization from DISA.
- Contractors will also be required to tell the government whether or not they anticipate using cloud computing services in performance of any contract or subcontract resulting from a solicitation.
Actions we recommend all DoD contractors take now:
- Read the full rule yourself, slowly. It is not that long. Download it from the link at the bottom of this article.
- Consider external assistance in confirming that your processes, technologies and controls comply with this rule. Contact us for help with this.
- Consider joining the Defense Industrial Base ISAC (DIB-ISAC). Although its purpose is defense against security threats, it is also a good way to collaborate with other contractors on issues of common concern, including compliance with this rule.