Final Rule Issued on Cyber Incident Reporting
By Susan B. Cassidy, Ashden Fein and John Sorrenti
The Department of Defense Oct. 4 issued a final cyber rule addressing mandatory cyber incident reporting requirements for companies that enter into “agreements” with the department. The rule also highlights the department’s desire to encourage greater participation in the voluntary defense industrial base cybersecurity information sharing program. This rule is effective Nov. 3.
The department confirmed that the cyber rule was not retroactive and that contract specific requirements would take precedence over the rule’s requirements. Thus, the language in current procurement contracts will continue to govern unless modified.
The department clarified the applicability of the cyber rule in some respects. Specifically, the it applies to “all forms of agreements (contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements and any other type of legal instrument or agreement).’’ Currently the defense federal acquisition regulations (DFARS) clauses at 252.204-7012 and 252.239-7009 apply only to procurement contracts. Thus, companies that enter into agreements beyond procurement contracts should expect to see terms and conditions implementing the requirements for reporting cyber incidents. When that will occur, however, remains unclear.
On the other hand, the cyber rule does not address whether certain entities — such as an internet service provider —qualify as subcontractors under the DFARS clauses. Lack of clarity in this area makes the flow down requirements for DFARS 252.204-7012 challenging for prime and subcontractors alike.
The cyber rule previewed revisions that the department made on Oct. 21 to the clauses in the DFARS that implement cybersecurity requirements for defense procurement contracts. For example, the definition of “covered defense information” was modified consistent with this cyber rule. Rather than the four categories of information that appeared in the December 2015 version of the clause, the October version defines covered defense information as any data in the “controlled unclassified information” registry that requires “safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government wide policies,” so long as the information is either marked or identified in the contract, or received or created during performance of a contract.
Although reliance on the registry expands the scope of information that requires safeguarding, it also provides common nomenclature across the government for defining data.
This rule provided further clarity on certain requirements for reporting incidents. First, the 72-hour deadline for reporting cyber incidents currently in DFARS 252.204-7012 is here to stay. In response to a comment that 72 hours was not “practical,” the department responded that the “72 hour period has proven to be an effective balance of the need for timely reporting while recognizing the challenges inherent in the initial phases of investigating a cyber incident.”
In addition to reporting cyber incidents that impact covered defense information and the systems on which that information is processed, stored, or transmitted, contractors also must report a cyber incident if it affects the contractor’s ability to perform work that is designated as “operationally critical support.” The department intends to issue new procedures for notifying contractors if they are providing “operationally critical support,” thus clarifying their reporting obligations.
The cyber rule provided insight into the information that the department will require a contractor to produce once an incident is reported. The department characterized the information sought from contractors as “carefully tailor[ed].” Nonetheless, the department acknowledged this could be an area of contention and clarified that any disagreement should be resolved pursuant to the disputes clause in each individual contract.
The cyber rule highlighted the difference between submitting information pursuant to the DFARS clause versus voluntarily sharing information under the Cybersecurity Information Sharing Act of 2015. Under the act, shared information can only be used for cybersecurity purposes. In contrast, information submitted to the Department of Defense pursuant to the DFARS clause can be used by the government for any lawful purpose, including “law enforcement, counterintelligence, and national security.”
The department confirmed that the information shared by contractors as a result of a cyber incident should be protected by the government, but contractors must mark appropriately “to the maximum extent practicable.” Such marking is often difficult given that a breach may include vast amounts of data.
Finally, the department failed to recognize the cost impact on commercial companies that do not operate on a cost reimbursement basis with the government. Although it appears that defense contractors that operate under cost reimbursement contracts can recover the reasonable costs related to these incidents through their overhead rates, commercial contractors simply do not have that option.
The final rule does not address the third-party liability protections for the reporting of cyber incidents included in section 1641 of the Fiscal Year 2016 National Defense Authorization Act for certain defense contractors, which are now incorporated in 10 U.S.C. § 391 (operationally critical contractors) and 10 U.S.C. § 393 (cleared contractors). In general, these sections provide that no cause of action will be permitted against “cleared defense contractors” or “operationally critical contractors” for complying with the cyber reporting requirements imposed by the department.
The liability protections, however, do not extend to contractors that engage in “willful misconduct” in the course of complying with such requirements. These liability protections are the subject of a separate DFARS case currently under regulatory review, and the department will address this issue in a future rulemaking.Susan B. Cassidy is a partner, Ashden Fein is a senior associate and John Sorrenti is an associate with Covington & Burling LLP in Washington, D.C.