Defense contracting…not for the faint of heart for a number of reasons. Two that always jump to my mind:
- Defense contractors are on the front line of our national security, which, if you think about it, is sobering.
- ALL – THE – REGULATIONS.
Combining these two means that if a defense contractor fails to comply with regulations, it can literally be a national security incident, depending on what happened. This exposes contractors and their employees to serious legal consequences.
Most defense contractors are passionate about their mission on the front line of national security and are committed to following the regulations that are designed to protect national security.
What makes this commitment challenging is the complexity of the regulations which just cannot seem to say in plain English what a contractor must do. I confess, even as a lawyer who loves reading and thinking about regulations, I get bogged down in the complexity.
One DFAR (Defense Acquisition Regulation) that is vital to national security and a maze to get through is Safeguarding Covered Defense Information and Cyber Incident Reporting. (The cite for everyone interested in reading the reg: 48 CFR 252.204-7012.)
The concept of this regulation is simple: defense contractors must:
- Provide “adequate security” for any covered defense information they may possess
- Report “cyber incidents” to DOD.
But, as I have noted before, with the law, the meaning of the words in the regulation must be dissected to understand what a contractor is to do. Even then, it is not always clear. Instruction for reading the rest of this post: words in italics have a regulatory definition.
How Does a Contractor “Provide Adequate Security”?
To provide adequate security, contractors must, at a minimum:
- Comply with the security requirements in National Institute of Standards and Technology (NIST) SP 800-171
- Determine if it is necessary to apply other information systems security measures to protect their information.
If a contractor uses an external cloud service to store, process, or transmit any covered defense information, then the contractor must ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP). Contractors using external cloud services must also ensure that the cloud service provider complies with the cyber incident reporting requirements.
If a defense contractor DOES NOT have these requirements in place, it must notify DoD within 30 days of contract award of any security requirements it has NOT implemented at the time of contract award.
These requirements can be tough to meet, not only for small businesses but also for large, global businesses. DOD appreciates this, so the regulations allow contractors to ask DOD for waivers. To get a waiver, a contractor must submit a written request to the contracting officer (CO) asking for a variance from the NIST SP 800-171 requirements. The CO must get the request to the DOD CIO for review and possible approval. If a contractor has such a waiver from the DOD CIO, it must provide a copy of the approval to its COs.
Note, though, that if you are a defense contractor that provides DOD information technology services or operates an IT system on behalf of the government, you will be subject to additional security requirements that will likely be specified in your contract, and to other regulations beyond what is discussed in this blog.
Reporting Cyber Incidents
This DFAR requires contractors to report cyber incidents to DOD within 72 hours if the incident affects:
- A covered contractor information system or
- Covered defense information residing on a covered system, or
- The contractor’s ability to perform contract requirements that are designated as operationally critical support and identified in the contract.
Complying with these reporting requirements means defense contractors must:
- Have methods for detecting cyber incidents
- Rapidly report cyber incidents
- Upload the report to DOD at https://dibnet.dod.mil
- Include all information required by the dibnet reporting system
- Have some method to allow for forensic analysis and/or cyber incident damage assessment, and for preservation of media or other information, in the event of a cyber incident
DOD assures defense contractors that it will treat cyber incident reports as DOD information – that is – it is protected.
Now to the Words That Matter
Adequate Security: Protective measures that appropriately address the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information. Basically, the more risk to DOD information, the more security is required to be considered “adequate.”
Compromise: A cyber security breach where information is disclosed to unauthorized persons, or where system security policies are breached, whether intentionally or unintentionally, and the information is disclosed, modified, destroyed, lost, or copied to unauthorized media.
Contractor Attributional and Proprietary Information: A contractor’s information can also be considered covered defense information. Contractor attributional information is information that can be tied to the contractor such as: program descriptions, facility locations, personally identifiable information. Contractor proprietary information includes, among other things, trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
Covered Contractor Information System: An unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information.
Covered Defense Information: Information that:
- Is listed in the government’s CUI Registry,
- Must be safeguarded or disseminated according to controls required by law, regulation, or government policy, and
- Either:
  - Is marked or otherwise identified as covered defense information when DOD provides it to the contractor, whether provided directly or indirectly (through a sub or prime, for example); or
  - Was collected, developed, received, transmitted, used, or stored by the contractor to support contract performance.
Sometimes, when it comes to definitions, thinking about what something is NOT helps figure out what it actually is. (This is a lawyer tradecraft secret; try it, it works.)
CUI is NOT information that a “non-executive branch entity” (a defense contractor is a non-executive branch entity) possesses or maintains that did not come from, and was not created or possessed by or for, the federal government or an entity acting for the government.
Also note, with no disrespect to our colleagues at DOD – covered defense information or CUI is not always marked… so stay alert and ask your DOD team if you suspect you have been provided CUI or covered defense information.
Cyber Incident: Actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse impact on an information system and/or the information on the system.
Information “To Support Contract Performance”: A type of “Covered Defense Information” that DoD provides to a contractor, or that a contractor develops, produces, or uses to execute the contract.
What it is NOT: it is NOT information that the contractor develops that is not associated with contract performance.
A funny quote on a type of cyber incident, email scams:
“Toughen up cupcake, the Prince of Nigeria is sad too; no one falls for his emails anymore.” –Anonymous