Cyber Security Rule Creates New Obligations for Defense Contractors

The Defense Department and its contractors have long recognized the need to work collaboratively to protect networks and information. The Defense Federal Acquisition Regulation supplement (DFARS) for years has required prime and subcontractors to report cyber incidents to the government.

Those requirements changed substantially when the Pentagon published a new interim rule Aug. 26 amending DFARS to require “rapid” reporting of cyber incidents that result in an “actual or potentially adverse effect” on certain information systems or defense information residing on contractor networks.  

Defense took the unusual step of issuing an interim rule without first issuing a proposed rule for comment in view of “the urgent need to protect covered defense information and gain awareness of the full scope of cyber incidents being committed against defense contractors.”  

The interim rule is effective immediately. It significantly expands the reporting mandate on defense contractors and their subcontractors.

First, the interim rule expands a contractor’s safeguarding and reporting duties beyond unclassified technical information. The scope is broadened to “covered defense information.” This includes controlled technical information, export controlled information, critical information, and other information requiring protection by law, regulation or government-wide policy.  

Second, the interim rule now requires contractors to report cyber incidents involving this new class of information on entire covered contractor systems as well as “any cyber incident that may affect the ability to provide operationally critical support.” It also expands the definition of “cyber incident” beyond network penetrations or the exfiltration of data. Cyber incident will now include any “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” The rule likewise defines “compromise” broadly to mean the “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object or the copying of information to unauthorized media may have occurred.”

Third, the interim rule modifies the baseline standards defense contractors must comply with to provide “adequate security” by referencing a different National Institute of Standards and Technology  (NIST) publication. This potentially raises some immediate compliance challenges.

Fourth, the interim rule explicitly pushes down reporting obligations to subcontractors, even for commercial articles. Prime contractors must now “include the substance” of these contract clauses in all subcontracts for services that include “support for the government’s activities related to safeguarding covered defense information and cyber incident reporting, including subcontracts for commercial items.” It explicitly requires subcontractors to “rapidly” report cyber incidents directly to the Defense Department through the dibnet portal (http://dibnet.DoD.mil).  Subcontractors must also inform their higher-tier subcontractor, until the prime contractor is reached.

In short, defense contractors and subcontractors now have an enhanced obligation to protect a number of categories of unclassified information and to report cyber incidents to the  government.
Further, cyber incidents trigger the reporting requirement even without adverse effects because the interim rule applies to actions that result in a “potentially adverse effect on an information system and/or the information residing therein.” When paired with the definition of “compromise,” a large swath of cyber incidents are covered that would not necessarily involve a network penetration or the known exfiltration of data.  

Contractors must report relevant cyber incidents involving their subcontractors’ systems and must be prepared for lower-tier subcontractors to report information to the Defense Department before the prime contractor learns of the possible cyber incident.  

To be sure, the interim rule provides that a “cyber incident that is reported by a contractor or subcontractor shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate information safeguards for covered defense information on their unclassified information systems.” But defense officials have previously stated that the department does not intend to provide safe-harbor statements related to reportable cyber incidents. It is not yet clear what other factors, beyond the mere occurrence of a properly reported cyber incident, will impact the assessment of contractor compliance with the requirement to provide adequate security measures.  

Contractors should be aware that the Defense Department has substantial authority to use information provided in cyber incident reports, including contractor proprietary information not created by or for the government. Defense may release this information to entities with missions that may be affected by such information; to entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents; to government counterintelligence or law enforcement investigations; for national security purposes or to certain support services contractor under particular government contracts.

In light of this new rule, contractors should examine their contractual rights to audit subcontractors’ network security safeguards; require subcontractors to notify the contractor of any cyber incidents and participate in any investigation related to a cyber incident involving a subcontractor’s network.

We believe it is likely that future audits by the Defense Department’s inspector general, other agencies’ inspectors general, or investigations by Congress could be prompted by reported cyber incidents.  

Although the rule is already in place, the Defense Department will be accepting comments on the interim rule until Oct. 26.

Eleanor J. Hill (ehill@kslaw.com) is a partner and Alexander K. Haas (ahaas@kslaw.com) is counsel at the King & Spalding international law firm.  Attorneys Gary Grindler, John Drennan, and  Nick Oldham contributed to this article.

Topics: Cyber, Cybersecurity