Last November, the U.S. Department of Defense (DoD) issued a final rule imposing enhanced cybersecurity and reporting obligations on contractors and subcontractors with information systems containing unclassified controlled technical information (UCTI). 78 Fed. Reg. 69273 (Nov. 18, 2013). UCTI is defined to mean technical information with a military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
The final rule adds a new subpart (224.73) and corresponding contract clause (252.204-7012) to the Defense Federal Acquisition Regulation Supplement (DFARS), and together they direct contractors that handle UCTI to (1) implement enhanced safeguards and (2) report and investigate certain incidents affecting such information.
This final rule implements one part of the broader and more controversial proposed rule, published in June 2011. 76 Fed. Reg. 38089 (June 29, 2011). That proposed rule, which would have imposed substantial compliance obligations for the protection of unclassified information, applied to a larger class of nonpublic information, including nonpublic information either provided by or on behalf of the DoD or collected, developed, received, or transmitted in conjunction with the contractor’s support of an official DoD activity. The final rule, by contrast, is narrower in scope: it concerns only a single category of data, UCTI.
Additional UCTI Safeguards
Under the new contract clause, DoD contractors and subcontractors must provide “adequate security” to avoid compromise of computer networks with UCTI resident on or transiting through them. Because most contractors and subcontractors do not maintain separate networks for UCTI and non-UCTI functions, the new contract clause will likely apply to the majority of their networks.
The clause defines “adequate security” to mean protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. At minimum, “adequate security” means that a contractor or subcontractor with UCTI resident on or transiting through its systems must implement and follow a host of common practices codified by the National Institute of Standards and Technology (NIST), including those relating to (1) access control, (2) awareness and training, (3) audit and accountability, (4) configuration management, (5) contingency planning, (6) identification and authentication, (7) incident response, (8) maintenance, (9) media protection, (10) physical and environmental protection, (11) program management, (12) risk assessment, (13) system and communication protection, and (14) system and information integrity.
To the extent a contractor or subcontractor does not implement these controls, it must justify to its contracting officer, in writing, that the control is inapplicable or that a preferred alternative provides equivalent protection. Notably, the rule offers no “safe harbor” for contractors that experience cyber incidents notwithstanding their compliance. Rather, it says that a contractor or subcontractor must employ extra security protocols when it “reasonably determines” that they are necessary to safeguard UCTI. The final rule, however, does not define the term “reasonably determine.” In light of the already challenging adequacy determination, a contractor or subcontractor might struggle to identify the safeguards commensurate with the risk to the DoD.
Application to Subcontractors, Small Businesses, and Cost Recovery
The new rule has a broad reach. Prime contractors must flow down these safeguards to each subcontractor, which in this context includes outsourced IT providers such as an Internet or cloud computing service provider. Accordingly, the prime contractor is responsible for ensuring that those subcontractors and service providers also comply with these requirements.
Moreover, the final rule does not exclude small businesses. So while large and sophisticated companies may already have invested in the infrastructure necessary to comply with the new rule, and thus might not incur significant new costs, small businesses with less sophisticated systems and IT personnel could face significant new compliance costs.
The final rule suggests that compliance costs might be allowable under Cost Accounting Standards, finding “nothing in FAR 31 or DFARS 231 that would make costs of compliance with DFARS unallowable if the costs are incurred in accordance with FAR 31.201-2,” and “nothing included in the final rule that would cause or compel a company to incur costs that would be in violation of FAR 31.201-2.” But because it warns that “[t]he Government does not intend to directly pay for the operating costs associated with the rule,” contractors performing solely fixed-price contracts are likely to have to bear the full costs of compliance without direct cost recovery.
Additional Cyber Incident Reporting and Investigation Obligations
Contractors and subcontractors with UCTI resident on or transiting through their networks must report any cyber incident within 72 hours of discovering it and must assist the DoD with damage assessments.
A “cyber incident” is defined to mean “actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.” Reportable cyber incidents include, among other things, unauthorized access to and possible exfiltration, manipulation, or other loss or compromise of any UCTI resident on or transiting through a contractor’s, or its subcontractors’, unclassified information systems.
The DoD expects, within that short 72-hour period, as much information as can be obtained, including information about the (1) Data Universal Numbering System (DUNS) number, (2) contract numbers affected, (3) facility CAGE code, (4) point of contact, (5) contracting officer (CO) point of contact, (6) contract clearance level, (7) name of subcontractor and CAGE code, (8) DoD programs, platforms, or systems involved, (9) location(s) of compromise, (10) date the incident was discovered, (11) type of compromise (e.g., unauthorized access, inadvertent release, other), (12) description of the technical information compromised, and (13) any additional information relevant to the compromise.
Additionally, reporting contractors and subcontractors are expected to (1) analyze information systems on the compromised network to, among other things, identify compromised computers, servers, specific data, and user accounts, (2) review the data accessed during the cyber incident and identify the specific UCTI associated with DoD programs, systems, or contracts, and (3) preserve and protect images of known affected information systems and all relevant monitoring/packet capture data for at least 90 days from the cyber incident.
If the DoD requests it, the contractor or subcontractor must provide all of the information listed above, including potentially proprietary or protected files and images. This raises a number of issues. First, a contractor or subcontractor could be liable to a third party should it turn over protected information. Alternatively, should it refuse to turn over such information, the government might find the contractor in breach of the contract.
Second, a contractor might lose control of its own proprietary information. The DoD has said that it “will protect incident reporting information and any files or images in accordance with applicable statutes and regulations” and “disclose it only to authorized persons for purposes and activities consistent with this clause.” But because it does not define “authorized persons,” the rule raises the risk that shared information could fall into competitors’ hands.
Finally, the cost of complying with these requirements while mitigating the many practical risks, on short notice and when handling potentially enormous volumes of information, could be significant. The DoD has revised its burden estimates upward to five reports per company per year with a 3.5-hour burden per response, but in certain easily conceivable circumstances, those numbers seem very low. Companies must consider not only the costs associated with analyzing and preserving relevant information, which in a large-scale breach could be a massive undertaking, but also the costs associated with reviewing, labeling, and otherwise protecting potentially sensitive information associated with it.
Government contractors and subcontractors should assess their current cybersecurity practices to ensure they can comply with the new safeguarding requirements. In addition, companies should assess their current cyber incident procedures to ensure that they can timely comply with the new reporting requirements. In particular, covered contractors should ensure that they have written practices to manage both the assessment and the reporting of a cyber incident, preferably involving all appropriate stakeholders (e.g., legal, IT, contract management, public relations, etc.). Involving counsel in the process can help provide protections under the attorney-client privilege and ensure that any documents or information shared with the government are protected to the maximum extent permitted by law.
From a business risk perspective, companies should review their current practices and assets for ways to mitigate risks created by the rule. For example, contractors should consider including language in their subcontracts and vendor agreements that assigns risks related to cyber incident reporting, like indemnification or waiver provisions that cover the disclosure of information provided to the government in connection with a DoD cyber incident investigation. Contractors should also review their current insurance policies for potential coverage in the event of damages arising out of a cyber incident. In addition, contractors may be able to secure liability protections under federal programs like the SAFETY Act. Regardless of the approach, advance preparation—before the first, inevitable cyber incident occurs—is essential to minimizing the business risks presented by the new rule.