DOD Meeting Makes Clear DOD Cybersecurity Rule Will Trigger New Requirements
We previously notified you of a meeting on the new updated Department of Defense (DOD) rule on cybersecurity, DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (August 2015), and its October 2015 Class Deviation. The meeting, hosted by DOD, made clear that these new updated rules pose significant new obligations for DOD contractors and subcontractors. Your company's procurement and legal compliance representatives need to be on top of these matters.
Key Developments:
DOD considers the new obligations to be triggered under the clause when performance of the DOD contract or subcontract involves ?Covered Defense Information? (CDI) or operationally critical support (OCS). These significant obligations require contractor information systems to comply with new NIST 800-171 standards and, where the contractor uses cloud services, require notification and use of Government-approved cloud services providers for cloud storage or transmission under DOD contracts. Contractors are required to report a cyber incident that affects a covered system or the CDI, or that affects the contractors ability to perform the OCS requirements. Contractors have the right to seek additional compensation to meet these obligations, but to do so they must initiate specific steps before agreeing to the new terms.
Triggers:
Application of the clause is triggered if a DOD contract would provide the contractor, or the contractor otherwise would collect, develop, receive, transmit, use or store, of any of the following four types of CDI in support of performance of your DOD contract or subcontract:
- Controlled technical information [CTI].
- Critical information (operations security).
- Export controlled information.
- Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information).
The clause also is triggered if the contractor would provide OCS, meaning supplies or services the Government designates as ?for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
Requirements:
Compliance with the clause requires that a contractors covered systems and protection of CDI meet the new NIST SP 800-171 standards. Use of cloud services (CS) to store or transit CDI in performance of the contract requires DOD notice and use of DOD-approved cloud services. Contractors must rapidly report directly to DOD on a cyber incident that affects, or risks affecting, a covered contractor information system or CDI, or that affects the contractors ability to perform the operationally critical support requirements. Only pre-approved personnel can do the reporting. The requirements apply to contractors and subcontractors.
Takeaways and Next Steps:
- Ensure your company's procurement and legal compliance representatives are up to speed on these new, significant changes for DOD contracts.
- If asked to include the new clause in your existing contract, you have the right to seek compensation for the increased costs and time needed to address the additional requirements. You must notify the Contracting Officer (or your prime) of the impact of this change and your right to an equitable adjustment, and negotiate the terms before you accept the clause, or risk losing your right to seek compensation.
- New DOD procurements and contracts will include the clause. Proactively check whether they trigger clause requirements and factor your compliance costs, and any required waiver or approvals, into proposal preparations and the ultimate contract. Its likely that most companies will need to do something.
You have options. If you would like to understand your requirements or would like assistance in this area, please contact a FortneyScott attorney.
