New Rule Forces Contractors to Report Cybersecurity Incidents
Whether it is the theft of hard-earned intellectual property or the national security implications posed by a foreign power’s effort to use technology, companies operating in the defense space recognize the need to work collaboratively with the government and industry members to defend networks and protect information. That is not new.
What is new is the Defense Federal Acquisition Regulation Supplement Final Rule, issued Nov. 18, which will shape this collaboration for years to come and provide increased protections for unclassified controlled technical information (UCTI) residing on or transiting through the networks of defense contractors and their subcontractors. The new requirements under the rule will be set forth in a specific clause in every new Defense Department solicitation, contract and subcontract, including those involving commercial items.
The rule, which has been a work in progress since at least 2010, represents a significant expansion of the private sector’s obligation to protect unclassified information and report the possible loss or compromise of such information. It sets forth two basic requirements. First, government contractors possessing unclassified controlled technical information must provide adequate security for technology systems and networks.
Second, contractors must report promptly to the department a broad range of “cyber-incidents,” including the possible exfiltration, manipulation, or other loss or compromise of any unclassified controlled technical information resident on or transiting through the contractor’s network.
Moreover, subcontractors are not only covered directly by the rule; prime contractors also carry these security and notification obligations as to their subcontractors’ unclassified information systems and are responsible for ensuring that their subcontractors comply with the rule’s requirements.
The list of technical information covered by the rule is extensive: research-and-engineering data; engineering drawings and associated lists; specifications; standards; process sheets; manuals; technical reports; technical orders; catalog-item identifications; data sets; studies, analyses and related information; and computer software executable code and source code.
The rule also imposes standards for authentication, training, incident response, contingency planning and access controls among others drawn from National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.
The rule itself identifies a series of “minimum security controls” from this NIST publication that must be implemented. They apply to any project, enterprise or company-wide unclassified information technology system holding unclassified controlled technical information. These requirements cover not merely systems where the information resides, but also any other system over which it transits.
Absent a wholly segregated information-technology system for this type of information, the rule would appear to apply to a contractor’s entire network, as well as the entire network of its subcontractors.
Further, if a contractor does not adopt one of the NIST controls, it must explain in writing to the relevant government contracting officer how either the control is not applicable or an alternative measure is being used to achieve equivalent protection. And beyond these minimum standards, when a contractor reasonably determines that further security measures may be required to provide adequate security, the contractor must apply additional requirements.
Perhaps more significantly, the rule requires contractors to report cyber-incidents and cooperate in damage assessments conducted by the Defense Department. Contractors are obliged to report intrusions within 72 hours of discovery. Reportable incidents include those involving the possible exfiltration, manipulation or other loss or compromise of any unclassified controlled technical information, and any other activities that allow unauthorized access to the contractor’s unclassified information system on which such information is resident or transiting. And, as with the security-based requirements discussed above, these reporting obligations for contractors extend to incidents on the networks of their subcontractors.
The rule requires contractors to provide the department as much information as can be obtained in multiple areas: the location of the incident; the name of the subcontractor if the incident was not on the prime contractor’s network; the contract clearance level; the programs, platforms or systems involved; the date the incident was discovered; the type of compromise; and a description of the compromised technical information.
Beyond the initial reporting requirements, the final rule also imposes duties on contractors to support department damage assessments. A reportable cyber-incident triggers an obligation on the part of the contractor to conduct further review of its unclassified network for evidence of compromise. This includes, but is not limited to, identifying compromised computers, servers, specific data and user accounts.
Contractors must analyze the compromised information system as well as other information systems on the network that were accessed as a result of the compromise. In addition, contractors must review the data accessed during the cyber-intrusion to identify specific unclassified controlled technical information associated with Defense Department programs, systems or contracts, including military programs, systems and technology.
Contractors must preserve and protect images of known affected information systems and all relevant monitoring and packet capture data for at least 90 days from the incident to allow the department to request information or decline interest. Additional obligations are imposed on the contractor where the department elects to conduct a damage assessment including a requirement to share files and images unless there are legal restrictions that limit the ability to share digital media.
Any contractor or subcontractor with unclassified controlled technical information should be aware of a few key implications and provisions of this new rule.
Contractors must recognize that they have the burden of determining what information is protected, which means that they should be familiar with the definition of unclassified controlled technical information and the adequate security requirements.
In response to industry comments, the department also said that “[t]he rule does not require a specific analysis to determine if additional controls are required. The intent is to require that if the contractor is aware, based on an already assessed risk or vulnerability that the specified controls are inadequate, then the contractor must implement additional controls to mitigate the specific shortcoming.”
As noted, contractors are responsible for subcontractors’ compliance with these security requirements and for reporting incidents involving subcontractors’ systems.
In response to industry comments, the department has explained that prime contractors must “report when [UCTI] has potentially been compromised regardless of whether the incident occurred on a prime contractor’s information system or on a subcontractor’s information system.”
Subcontractors are viewed broadly and include, among other entities, the Internet and cloud service providers of the defense contractor. As a result, contractors should work with their subcontractors to ensure compliance with the rule and to report promptly any relevant incidents. Items for contractors to consider may include examining their contractual rights to audit subcontractors’ network security safeguards, requiring subcontractors to notify the contractor of any cyber-incidents, and ensuring subcontractor cooperation and participation in any investigation.
The triggering event for reporting is not particularly clear. A network intrusion can trigger the reporting requirement even without any realized adverse effect, because reportable incidents include actions that result in a potentially adverse effect on an information system and/or the information residing therein. Such an incident can be something as simple, but serious, as the copying of data to unauthorized media.
The implications of reporting an incident are likewise unclear. The Defense Department does not intend to provide any safe harbor statements in connection with reportable intrusions. While a properly reported incident by the contractor “by itself” is not to be interpreted as evidence that the contractor has failed to provide adequate information safeguards, it is not clear what other factors will impact the department’s assessment of contractor compliance with the requirement to provide adequate security measures.
Finally, vendors should note that the contracting officer has discretion to conduct audits and reviews of safeguarding measures “in accordance with the terms of the contract.” It is therefore possible that defense contractors may face audit and investigation costs before and after a cyber-incident. As to the cost of compliance, the department’s response to industry comment states that “costs associated with implementation will be allowable and chargeable to indirect cost pools” but that the “government does not intend to directly pay for the operating costs associated with the rule.”
Given the significance of the new rule and its obvious potential to affect relationships between contractors and their subcontractors, it is imperative that companies develop a thorough understanding of how it functions and what is now demanded regarding unclassified controlled technical information and cyber-incident reporting.
Eleanor J. Hill is a partner and Alexander K. Haas is counsel at the King & Spalding international law firm. John Richter, John Drennan and Clint Long assisted in the preparation of this article.