[Federal Register Volume 81, Number 204 (Friday, October 21, 2016)]
[Rules and Regulations]
[Pages 72986-73001]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-25315]
[[Page 72985]]
Vol. 81
Friday,
No. 204
October 21, 2016
Part III
Department of Defense
-----------------------------------------------------------------------
Defense Acquisition Regulations System
-----------------------------------------------------------------------
48 CFR Parts 202, 203, 204, et al.
Defense Federal Acquisition Regulation Supplement: Network Penetration
Reporting and Contracting for Cloud Services (DFARS Case 2013-D018);
Final Rule
Federal Register / Vol. 81 , No. 204 / Friday, October 21, 2016 /
Rules and Regulations
[[Page 72986]]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 202, 204, 212, 239, and 252
[Docket DARS-2015-0039]
RIN 0750-AI61
Defense Federal Acquisition Regulation Supplement: Network
Penetration Reporting and Contracting for Cloud Services (DFARS Case
2013-D018)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: DoD is adopting as final, with changes, an interim rule
amending the Defense Federal Acquisition Regulation Supplement (DFARS)
to implement a section of the National Defense Authorization Act for
Fiscal Year 2013 and a section of the National Defense Authorization
Act for Fiscal Year 2015, both of which require contractor reporting on
network penetrations, as well as DoD policy on the purchase of cloud
computing services.
DATES: Effective October 21, 2016.
FOR FURTHER INFORMATION CONTACT: Mr. Dustin Pitsch, telephone 571-372-
6090.
SUPPLEMENTARY INFORMATION:
I. Background
DoD published two interim rules in the Federal Register on August
26, 2015 (80 FR 51739), and December 30, 2015 (80 FR 81472), to
implement section 941 of the National Defense Authorization Act (NDAA)
for Fiscal Year (FY) 2013 (Pub. L. 112-239) and section 1632 of the
NDAA for FY 2015 (Pub. L. 113-291) regarding contractor reporting of
network penetrations, as well as DoD policies and procedures with
regard to purchases of cloud computing services. This final rule also
implements, for DoD, section 325 of the Intelligence Authorization Act
for FY 2014 (Pub. L. 113-126); however, implementing section 325
requires no new changes to the rule, because the reporting requirement
is already included.
This rule is part of DoD's retrospective plan, completed in August
2011, under Executive Order 13563, ``Improving Regulation and
Regulatory Review.'' DoD's full plan and updates can be accessed at:
http://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036. Twenty-
five respondents submitted public comments in response to the interim
rules.
II. Discussion and Analysis
DoD reviewed the public comments in the development of the final
rule. A discussion of the comments received and the changes made to the
rule as a result of those comments follows:
A. Summary of Significant Changes From the Interim Rule
1. The definition of ``covered defense information'' is amended to
clarify that, in order to be designated as covered defense information,
the information must be controlled technical information or other
information (as described in the Controlled Unclassified Information
(CUI) Registry) that requires safeguarding or dissemination controls
and is (1) marked or otherwise identified in the contract, task order,
or delivery order, and provided to the contractor by or on behalf of
DoD in connection with the performance of the contract; or (2)
collected, developed, received, transmitted, used, or stored by or on
behalf of the contractor in support of the performance of the contract.
This definition is in line with the National Archives and Record
Administration (NARA) ``Controlled Unclassified Information'' final
rule published in the Federal Register on September 14, 2016 (81 FR
63324). Covered defense information includes all of the categories of
information that are considered CUI. The rule also now specifies that
all covered contractor information systems need to be protected in
accordance with DFARS clause 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting.
2. The definition of ``covered contractor information system'' is
amended to clarify that it is an ``unclassified'' information system
that is owned, or operated by or for, a contractor and that processes,
stores, or transmits covered defense information.
3. DFARS 204.7304, Solicitation provision and contract clauses, is
amended to specify that DFARS provision 252.204-7008, Compliance with
Safeguarding Covered Defense Information Controls, and DFARS clause
252.204-7012 are not prescribed for use in solicitations or contracts
that are solely for the acquisition of commercially available off-the-
shelf (COTS) items.
4. DFARS 239.7602-1, General, is amended to provide for two
exceptions in which a contracting officer may award a contract to
acquire cloud services from a cloud service provider (CSP) that has not
been granted a provisional authorization by the Defense Information
System Agency.
5. DFARS clause 252.204-7000, Disclosure of Information, is amended
to clarify that fundamental research, by definition, must not involve
any covered defense information.
6. DFARS clause 252.204-7012 is amended to--
a. Specify that contractors are obligated to implement information
protection requirements on all covered contractor information systems;
b. Provide additional guidance on requests to vary from National
Institute of Standards and Technology (NIST) Special Publication (SP)
800-171, ``Protecting Controlled Unclassified Information in Nonfederal
Information Systems and Organizations;''
c. Clarify that contractors are not required to implement any
security requirement if an authorized representative of the DoD Chief
Information Officer (CIO) has adjudicated the contractor's request to
vary from NIST SP 800-171 and indicated the security requirement to be
nonapplicable or to have an alternative, but equally effective,
security measure;
d. Require contractors to ensure that external CSPs used in
performance of the contract to store, process, or transmit any covered
defense information meet security requirements equivalent to those
established by the Government for the Federal Risk and Authorization
Management Program (FedRAMP) Moderate baseline (available at https://www.fedramp.gov/resources/documents/) and comply with requirements in
the clause for cyber incident reporting, malicious software, media
preservation and protection, access to additional information and
equipment necessary for forensic analysis, and cyber incident damage
assessment;
e. Clarify that subcontractor flowdown is only necessary when
covered defense information is necessary for performance of the
subcontract, and that the contractor may consult with the contracting
officer, if necessary, when uncertain if the clause should flow down;
and
f. Clarify that the prime contract shall require its subcontractors
to notify the prime contractor (or the next higher-tier subcontractor)
when submitting requests to vary from a NIST SP 800-171 security
requirement to the contracting officer.
[[Page 72987]]
B. Analysis of Public Comments
1. Applicability
a. Commercial/COTS Providers
Comment: Multiple respondents commented on the applicability of the
rule to contracts and subcontracts for commercial and COTS items. One
suggested that the full potential impact of the interim rule on
commercial providers should be studied and quantified by DoD before
implementation of the rule. Others suggested that the vast majority of
commercial contracts do not require that DoD provide information in
order for the contractor or subcontractor to perform the work, and that
the clause should only apply when DoD provides controlled unclassified
information to a contractor as a necessary predicate to performing the
contract. One respondent recommended that DoD exempt contracts for
commercial and COTS items from application of the final rule or, in the
alternative, exempt subcontractors supplying commercial or COTS items
from the final rule.
Response: The definition of covered defense information has been
amended to clarify, as suggested by the respondents, that in order to
be designated as covered defense information, the information must be
marked or otherwise identified in the contract and provided to the
contractor by or on behalf of DoD in connection with the performance of
the contract; or collected, developed, received, transmitted, used, or
stored by or on behalf of the contractor in support of the performance
of the contract. In addition, to clarify that the rule does not apply
to COTS items, the prescriptions at DFARS 204.7304 for use of the
provision at 252.204-7008 and the clause at 252.204-7012 are amended to
exclude solicitations and contracts solely for the acquisition of COTS
items.
b. Fundamental Research
Comment: Several respondents requested clarification regarding the
application of the security requirements embedded in DFARS clause
252.204-7012 to fundamental research.
Response: The security requirements in 252.204-7012 need to be in
place when covered defense information is present. A contract or
project that is appropriately scoped as fundamental research will not
contain any covered defense information. The final rule is modified to
only flow down the requirements of 252.204-7012 to subcontractors when
subcontract performance is for operationally critical support or will
involve covered defense information, which means the clause will not
flow down to subcontractors that are exclusively performing fundamental
research. DFARS clause 252.204-7000 is modified to ensure that it is
clear that no covered defense information is involved when making a
fundamental research determination.
c. Classified Information System
Comment: One respondent noted that it is unclear whether the clause
applies to covered defense information resident on contractor
classified information systems. While the covered defense information
itself has been explicitly defined as unclassified, covered contractor
systems are not specified as such.
Response: The definition for ``covered contractor information
system'' has been amended to clarify that it is ``an unclassified
information system that is owned, or operated by or for, a contractor
and that processes, stores, or transmits covered defense information.''
d. When Other Security Requirements Apply
Comment: One respondent noted that the mandatory flowdowns of the
data security and penetration reporting requirements to health care
providers who are subcontractors to military health care plans should
be amended to provide that such providers who comply with their data
security obligations under Health Insurance Portability and
Accountability Act (HIPAA) and the Health Information Technology for
Economic and Clinical Health (HITECH) Act are deemed to be in
compliance with DoD's data security rules.
Response: If the covered defense information provided is DoD HIPAA,
then the requirement would be to meet both HIPAA and NIST SP 800-171.
There are requirements of HIPAA that are not in 800-171, just as there
are requirements in 800-171 that are not in HIPAA. DFARS 204.7300(b)
states that the rule ``does not abrogate any other requirements
regarding contractor physical, personnel, information, technical, or
general administrative security operations governing the protection of
unclassified information.''
e. Small Business
Comment: Several respondents commented on the cost impact to small
businesses. One respondent suggested that this rule will impact
subcontracting cycles and deliveries throughout the DoD supply chain,
due to the inability for smaller suppliers to afford the investment and
skilled labor force required to meet and manage these requirements.
Multiple respondents requested that, due to the high cost of
compliance, DoD provide for an alternative approach for small business.
One respondent suggested that DoD consider collaborating with
universities or other companies, to provide low-cost cybersecurity
services to small businesses, or providing a one-time subsidy to small
businesses to help cover the cost of initial consultations with third
party vendors. Another suggested that DoD coordinate with the Small
Business Administration, Department of Commerce, and other relevant
executive agencies, to establish policy, training mechanisms, and
learning centers that allow access to the necessary resources to assist
small and commercial businesses in creating compliant information
systems.
Response: While it is understood that implementing the minimum
security controls outlined in the DFARS clause may increase costs,
protection of unclassified DoD information is deemed necessary. The
cost to the nation in lost intellectual property and lost technological
advantage over potential adversaries is much greater than these
initial/ongoing investments. The value of the information (and impact
of its loss) does not diminish when it moves to contractors (prime or
sub, large or small). NIST SP 800-171 was carefully crafted to use
performance-based requirements and eliminate unnecessary specificity
and include only those security requirements necessary to provide
adequate protections for the impact level of CUI (e.g., covered defense
information). Implementation of the NIST SP 800-171 security
requirements will provide significant benefit to the small business
community in the form of increased protection of their intellectual
property. In addition, defining one set of standards will help small
businesses to avoid a situation in which small business must adopt
multiple standards and rule sets as small businesses navigate amongst
the many different organizations with which they do business. The
addition of a new provision at 252.204-7008, Compliance with
Safeguarding Covered Defense Information Controls, ensures that the
offeror is aware of the requirements of clause 252.204-7012 and has
time to bring their system into compliance and negotiate the terms of
the contract accordingly. With regard to training, DoD will engage
across both Government and industry to educate and raise awareness of
the importance of protecting our controlled unclassified information
and to address implementation of the rule.
[[Page 72988]]
2. Regulatory Flexibility Act
Comment: Various respondents addressed application of the rule to
small entities.
Response: For analysis of applicability to small entities see the
regulatory flexibility analysis at section V of this preamble.
3. Definitions
a. Covered Defense Information
Comment: Several respondents suggested that the definition of
``covered defense information'' is too expansive, requiring that data
be safeguarded without clear marking instructions and identification of
operational processes. Several respondents commented that contractors
should not be required to make independent decisions regarding whether
information is subject to safeguarding requirements, and that the rule
limit its application only to covered defense information marked or
expressly identified as protected by DoD. One respondent requested
clarification that the rule only imposes restrictions on covered
defense information that DoD provides to the contractor to perform the
contract. Another respondent suggested that the relationship between
``controlled defense information'' and ``controlled unclassified
information'' and the ``Controlled Unclassified Information Registry
(CUI Registry)'' should be clearly articulated. Two respondents
suggested that covered data be limited to the ``unclassified controlled
technical information'' covered in the predecessor DFARS rule. One of
the respondents further suggested that if the scope is not focused back
to the ``unclassified controlled technical information'' definition,
the rule should define covered defense information to specifically
exclude the contractor's own information that is not delivered to the
Government. One respondent commented that, because it is not possible
to contemplate every type of information that may arise in the future,
it would be prudent to set forth in the rule a centralized process that
contractors could use when it is not clear whether a specific type of
information falls within the definition of ``covered defense
information'' to ensure that information is treated consistently across
contracts and commands. This respondent further stated that the rule
should provide a standard for evaluating whether a contractor has
reasonably complied with the rule when faced with a judgment call as to
whether information falls within the definition.
Response: The final rule clarifies the definition of ``covered
defense information'' and the requirement to provide adequate security.
The definition of ``covered defense information'' is amended to state
that covered defense information is unclassified controlled technical
information or other information (as described in the CUI Registry at
http://www.archives.gov/cui/registry/category-list.html) that requires
safeguarding or dissemination controls pursuant to and consistent with
law, regulations, and Governmentwide policies and is either (1) marked
or otherwise identified in the contract and provided to the contractor
by or on behalf of DoD in connection with the performance of the
contract; or (2) collected, developed, received, transmitted, used, or
stored by or on behalf of the contractor in support of the performance
of the contract. This revised definition adds an affirmative
requirement for Government to mark or otherwise identify in the
contract all covered defense information that is being provided to the
contractor, while recognizing the shared obligation of the contractor
to recognize and protect covered defense information that the
contractor is developing during contract performance. In addition,
paragraph (b) of DFARS clause 252.204-7012 is amended to clarify that
adequate security is required on all covered contractor information
systems. Paragraph (m)(1) of the clause is also modified to indicate
that, if necessary, the contractor shall determine if the information
required for subcontractor performance retains its identity as covered
defense information and will require protection under this clause and,
if necessary, consult with the contracting officer.
b. Export Control
Comment: Several respondents suggested that the definition of
covered defense information should refer only to export controlled
information, and not include a general description of the type of
information that may be subject to export controls. One respondent
suggested this section be reworded as follows: ``Unclassified
information concerning items requiring licenses under the export
administration regulations, or the international trafficking in arms
regulations and munitions list.'' Another respondent suggested that DoD
define ``export controlled information'' in the final rule, since
particular categories of International Traffic in Arms Regulations
(ITAR)--controlled technical data and designated control list
categories of the Export Administration Regulations (EAR), such as
national security, nonproliferation, and missile technology. Several
respondents suggested the definition of ``export control'' be limited
to technologies subject to the EAR, ITAR, or nuclear export
regulations. One respondent suggested that DoD exclude items from its
definition of ``covered defense information'' that are subject to
minimal export controls.
Response: The definition of ``covered defense information'' is
amended to clarify that the information includes unclassified
controlled technical information or other information (as described in
the CUI Registry) that is marked or otherwise identified in the
contract and provided to the contractor by or on behalf of DoD in
connection with the performance of the contract; or be collected,
developed, received, transmitted, used, or stored by or on behalf of
the contractor in support of the performance of the contract. Export
control is a category in the CUI Registry, but it is only considered
covered defense information when both DoD contractors hold unclassified
information that is export controlled, and the information is
``provided to the contractor by or on behalf of DoD in connection with
the performance of the contract, or collected, developed, received,
transmitted, used, or stored by or on behalf of the contractor in
support of the performance of the contract,'' as defined in the final
rule. Protecting DoD-related export controlled information as covered
defense information should not be interpreted to imply that the same
information, not related to the DoD activity, requires protection as
covered defense information.
c. Covered Defense Information--``Other'' Category
Comment: Several respondents commented that DoD should provide more
clarity regarding the categories of information that comprise covered
defense information, specifically the scope of ``any other information.
. . .'' One respondent suggested that the rule specifically address DoD
information routinely handled by Contractors, such as information
marked ``For Official Use Only'' and personally identifiable
information (PII) maintained to support DoD clearance processing, and
clearly indicate whether this information is in or out of scope.
Another respondent suggested that the definition of ``covered defense
information'' should be amended to exclude information, such as
protected health information (PHI) that is already subject to security
control regulations.
[[Page 72989]]
Response: The definition of ``covered defense information'' is
amended to clarify that ``other information'' is other information (as
described in the CUI Registry) that requires safeguarding or
dissemination controls pursuant to and consistent with law,
regulations, and Governmentwide policies. The CUI Registry includes
personal information, PII, and PHI. The security requirements in this
clause set a baseline standard. Additional protections may be required
for specific categories of information, such as PHI.
d. Operationally Critical Support and Critical Information (Operations
Security)
Comment: Several respondents commented on how the rule addresses
``operationally critical support'' and ``critical information
(operations security)'' and requested clarification of the terms
``critical information'' and ``operations security.'' One respondent
commented that the rule indicates that the Government will designate
which supplies or services are critical for airlift, etc., but the rule
neither indicates where such information will be found, nor defines a
process for designating contractors in this category or notifying such
contractors that they are critical to operational support. Another
respondent suggested that while the interim rule suggests that DoD will
designate specific portions of its contracts that it considers to be
``operationally critical support,'' the scope of what constitutes a
contractor's ``ability to provide operationally critical support'' is
so vague that it may not accomplish its purpose. This respondent
recommended that DoD clarify that a reportable incident occurs when a
cyber incident affects the security or integrity of operationally
critical information residing in a contractor information system. One
respondent commented that ambiguities with regard to operationally
critical support are particularly concerning to the transportation
industry, suggesting that it is not clear whether ``package level
detail'' which includes information about the identity of the shipping
and receiving parties and the delivery address is considered ``covered
defense information.'' This respondent also suggested that a cyber
incident that affects the contractor's ability to perform
``operationally critical support'' could also include incidents on
systems beyond ``covered information systems'' and the interim rule
requires reporting of those incidents, as well. Another respondent
requested DoD clarify how or whether the term ``operationally
critical'' applies to contractors/subcontractors.
Response: The modified definition of covered defense information
replaces the requirement that information ``falls in any of the
following categories: Controlled technical information, critical
information (operations security), export control, and any other
information, marked or otherwise identified in the contract, that
requires safeguarding or dissemination controls pursuant to and
consistent with law, regulations, and Governmentwide policies'' with
the statement ``as described in the CUI Registry at http://www.archives.gov/cui/registry/category-list.html, requires safeguarding
or dissemination controls pursuant to and consistent with law,
regulations, and Governmentwide policies.'' Because ``critical
information (operations security)'' is not currently listed on the CUI
Registry, it can no longer, in and of itself, be designated as covered
defense information. Section 1632 of the NDAA for FY 2015, which
requires that a contractor designated as operationally critical report
each time a cyber incident occurs on that contractor's network or
information systems, is implemented via the DFARS clause 252.204-7012
requirement for contractors and subcontractors to report cyber
incidents that result in an actual or potentially adverse effect on a
their ability to provide operationally critical support. Operationally
critical support is an ``activity''--not an information type--performed
by the contractor or subcontract. DFARS does not require protections
for contractor information systems that are used to provide
operationally critical support, but does require the contractor to
report a cyber incident that affects the contractor's ability to
perform the requirements of the contract that are designated as
operationally critical support. Operationally critical support
requirements must be marked or otherwise identified in the contract,
task order, or delivery order.
4. Compliance
a. Multiple Versions/Block Change
Comment: Several respondents commented that the new rule could
leave contractors subject to different security standards depending on
which version of clause 252.204-7012 appears in their contracts and
subcontracts. One respondent suggested that this results in them
incurring costs due to the changes involved. Other respondents
recommended that, in lieu of each contractor negotiating the phase-in
relief provided in the amended rules on every transaction, DoD issue a
block change modification to all contracts where the relevant August
interim rule clauses are present to adopt the December 30 changes and
allow for equitable adjustment to the contract price. One respondent
suggested that DoD consider issuing instructions to contracting
officers to substitute the most recent version of this clause for older
versions, at the request of the contractor.
Response: The security requirements in NIST SP 800-171 build upon
the table of controls contained in the November 2013 version of DFARS
clause 252.204-7012. While there is additional effort for the
difference, none of the effort to implement the original controls is
lost. Due to the differences in the multiple versions of 252.204-7012,
however, amending the contract requires procuring contracting officer
authority and is generally bilateral, requiring contractor signature.
``Block changes'' and ``mass modifications'' are generally reserved for
administrative changes, such as a payment office address change. There
is nothing that precludes a contracting officer from considering a
modification of the contract upon request of the contractor.
b. Cost
Comment: One respondent commented that the cost recovery model for
complying with the interim rule is not well understood, suggesting that
the cost to them and their supply base will be significant as they
expand their capabilities to meet the new controls and absorb the
administrative costs to oversee the supply base's compliance. The
respondent recommended that the Office of the Under Secretary of
Defense (Acquisition, Technology, and Logistics) work with industry to
clarify cost recovery options.
Response: DoD does not develop ``cost recovery models'' for
compliance with DFARS rules. The requirements levied by this rule
should be treated the same as those levied by any other new DFARS rule
and the cost related to compliance should be considered during proposal
preparation. Contractors should continue to comply with their own
internal accounting processes.
c. Certification and Oversight
Comment: A number of respondents commented on the lack of oversight
and certification of compliance with the NIST controls in the rule.
Several respondents requested clarification on the requirements for an
organization to be considered compliant, as well as the intended means
of verification, which organization will verify, how compliance will be
assessed, and how
[[Page 72990]]
often. One respondent requested details on the process for obtaining
official, consistent interpretations of the standards when DoD and the
contractor have different interpretations of the NIST SP 800-171
standards. Another respondent recommended that large companies be
allowed to certify at the company level, suggesting that the
requirement to certify each program individually creates an
insurmountable burden for both the company and DoD.
Response: No new oversight paradigm is created through this rule.
If oversight related to these requirements is deemed necessary, then it
can be accomplished through existing Federal Acquisition Regulation
(FAR) and DFARS allowances, or an additional requirement can be added
to the terms of the contract. The rule does not require
``certification'' of any kind. By signing the contract, the contractor
agrees to comply with the contract's terms.
d. Implementation Deadline
Comment: One respondent asked for clarification with regard to what
the term ``as soon as practical'' means.
Response: The phrase ``as soon as practical'' is added to encourage
contractors to begin implementing the security requirements in NIST SP
800-171 prior to the December 31, 2017, deadline, but allows
contractors to exercise their own judgement when planning an optimal
implementation strategy.
e. Source Selection
Comment: One respondent inquired if DoD can require immediate
compliance with all NIST controls as a condition of responsiveness to a
solicitation, and urged DoD to prohibit source selection exclusions
based on a desire or demand for 100% compliance at time of solicitation
or contract prior to December 31, 2017. Another respondent suggested
that the final rule clarify that DoD does not intend for DFARS clause
252.204-7012 to be used in the evaluation process.
Response: DFARS Clause 252.204-7012 is not structured to facilitate
the use of the contractor's compliance with NIST SP 800-171 as a factor
in the evaluation/source selection process. The requirements are set as
the minimum acceptable level to protect covered defense information.
The rule does not preclude a requiring activity from specifically
stating in the solicitation that compliance with the NIST SP 800-171
will be used as an evaluation factor in the source section process, and
the specifics on how such an evaluation factor would be utilized to
evaluate proposals would need to be detailed within the solicitation.
However, this is outside of the scope of this rule and would need to be
appropriately addressed on an individual solicitation basis.
5. 30-Day Notification and Alternative Controls
a. Notification Versus Alternatives
Comment: Several respondents requested clarification as to why
DFARS 252.204-7008 and 252.204-7012 are separate. Other respondents
suggested that there is a contradiction between DFARS provision
252.204-7008 and clause 252.204-7012, and requested clarification
regarding the intent of the 30-day notification requirement.
Respondents also requested that DoD clarify how the NIST controls
requirements variance process identified in the representation clause
at 252.204-7008 (i.e., a written explanation and adjudicative process
by the DoD CIO pre-award) differs from the security clause at 252.204-
7012, which allows for phased-in implementation with a process of
proposing alternatives without pre-award approval.
Response: DFARS provision 252.204-7008 serves as a notice to
offerors. The provision puts the offeror on notice that, when
performance of the contract requires covered defense information on a
covered contractor information system, the security requirements in
NIST SP 800-171 apply and must be implemented no later than December
31, 2017. In addition, the provision notifies the offeror that they may
submit a request to vary from any of the security requirements in NIST
SP 800-171 to the contracting officer, for adjudication by DoD CIO,
prior to award. DFARS clause 252.204-7012 is amended by adding a new
paragraph (b)(2)(ii)(B) to clarify that the contractor may submit a
request to vary from the security requirements in NIST SP 800-171 after
contract award.
Separate and distinct from the process to request to vary from the
security requirements in NIST SP 800-171, the 30-day notification
requirement contained in DFARS clause 252.204-7012 requires the
contractor to provide the DoD CIO with a list of the security
requirements that the contractor is not implementing at the time of
award. This notification will end for all contracts awarded after
September 30, 2017, in preparation of the full security requirement
implementation date of December 31, 2017.
b. Alternative Controls
Comment: Several respondents requested that DoD clarify 252.204-
7008 with regard to the process to request variances from the SP 800-
171 security controls, to include where a contractor/subcontractor
request should be sent, if subcontractors may bypass their prime
contractor when submitting in order to safeguard any proprietary
information, a timeline for the authorized representative from the DoD
CIO's office to respond to contractor/subcontractor requests, and
whether and how CIO evaluations could impact award decisions. One
respondent recommends that DoD clarify that contractors may also
identify and seek CIO adjudication on variances from NIST SP 800-171
requirements after award as they progress through implementation, and
that DoD clarify that such documents will be securely maintained and
not be released publicly.
Response: DFARS provision 252.204-7008 ensures that offerors are
aware of the safeguarding requirements of DFARS clause 252.204-7012,
and provides a process for the offeror to identify situations in which
a security requirement in NIST SP 800-171 is not necessary in
performance of the contract, or to propose an alternative to a security
requirement is NIST SP 800-171. In such cases, the offeror must provide
a written explanation in their proposal describing the reasons why a
security requirement is not applicable, or how alternative, but equally
effective, security measures can compensate for the inability to
satisfy a particular requirement. The contracting officer will refer
the proposed variance to the DoD CIO for adjudication. The DoD CIO is
responsible for ensuring consistent adjudication of proposed non-
applicable or alternative security measures. If the DoD CIO needs
additional information, a request is made to the contracting officer.
Responses are then returned to the contracting officer who, in turn,
advises the contractor of the decision. The timeframe for response by
the DoD CIO is typically within five business days. The basis for
determining if an alternative to a security requirement is acceptable
is whether the alternative is equally effective; the basis for
determining a security requirement is ``not applicable'' is whether the
basis or condition for the requirement is absent. While the scope of
this rule does not provide for the CIO evaluation to impact the award
decision, there is nothing that precludes an activity from drafting the
solicitation to provide for this.
DFARS clause 252.204-7012 is amended by adding a new paragraph
[[Page 72991]]
(b)(2)(ii)(B) to clarify that the contractor may request the
contracting officer seek DoD CIO adjudication on variances from NIST SP
800-171 requirements after award. DFARS clause 252.204-7012 is flowed
down to subcontractors without alteration when performance will involve
operationally critical support or covered defense information. However,
paragraph (m) of the clause is amended to clarify that the prime
contractor shall require subcontractors to notify the prime contractor
(or next higher-tier subcontractor) of any requests for variance
submitted directly to the contracting officer.
c. 30-Day Notification
Comment: Several respondents requested that clarification be
provided regarding the requirement that the contractor provide
notification to the DoD CIO within 30 days of contract award listing
the unmet NIST SP 800-171 security requirements. Respondents asked the
following questions: Is the 30-day deadline for the prime contractor's
response only, or also for the prime's entire supply base? Would post-
award notifications also be required 30 days after award of
subcontracts? Should subcontractors submit their notifications directly
to the DoD CIO? Can subcontractors also be required to submit copies to
the prime contractor? How will these sensitive documents be protected?
One respondent asked what is required for the 30-day assessment, if the
contract in question ends prior to the December 31, 2017, compliance
date. One respondent also suggested that the requirement should be
modified to allow at least 90 days after award, and that DoD should
allow for a single corporate-wide compliance, and that such a
compliance requirement could be accomplished at annual or semi-annual
intervals, and not on every single transaction within 30 days.
Response: DFARS clause 252.204-7012 requires the contractor to
notify the DoD CIO, within 30 days of contract award, of the security
requirements that are not implemented at the time of award. The list
need only identify the security requirement(s) (e.g., NIST SP 800-171
security requirement 3.1.1) that is/are not implemented. No additional
information is required.
DFARS clause 252.204-7012 is flowed down to subcontractors without
alteration when performance will involve operationally critical support
or covered defense information. As such, prior to October 1, 2017, the
requirement is for the subcontractor to provide the DoD CIO, within 30
days of the prime contractor's award to the subcontractor, with a list
of the security requirements that the subcontractor has not implemented
at the time of award. Bypassing the prime is a matter to be addressed
between the prime and the subcontractor.
Nothing precludes the contractor from providing a corporate-wide
update to the status of requirements not implemented on a periodic
basis, assuming it meets the requirements of the clause. If the
contract in question ends prior to December 31, 2017, the Contractor
must still provide the DoD CIO, within 30 days of contract award, with
a list of the security requirements that are not implemented at the
time of award.
Comment: One respondent asked that DoD confirm/clarify that after
the 30-day notification, contractors are expected to manage compliance
with DFARS clause 252.204-7012 through system security plans and plans
of action and milestones. The respondent also asked for clarification
that the only required reporting to DoD CIO subsequent to the initial
list is to identify any NIST SP 800-171 controls that a contractor does
not intend to meet either because the contractor has deemed the
controls to be not applicable or because mitigating controls have been
implemented.
Response: The notification to the DoD CIO of the NIST-SP security
requirements not implemented at the time of contract award is a one-
time action per contract and is a requirement for contracts awarded
prior to October 1, 2017 (see 252.204-7012(b)(2)(ii)(A)). Separately, a
contractor may submit requests to vary from a NIST SP 800-171 security
requirement (because it is believed to be not applicable or the
contractor has an alternative in place) to the contracting officer for
adjudication by the DoD CIO (see 252.204-7012(b)(2)(ii)(B)).
During the course of performance under the contract, the contractor
may manage compliance with the NIST SP 800-171 security requirements
through a system security plan. One of the assumptions of NIST SP 800-
171 (per table E-12 of the document) is that nonfederal organizations
routinely have a system security plan in place to manage and maintain
their information systems. When a corrective action is necessary to
maintain NIST compliance, a plan of action may be necessary in
accordance with NIST 800-171 requirement 3.12. DFARS clause 252.204-
7012 is updated at paragraph (b)(3) to clarify that temporary
deficiencies with compliance may be addressed within a system security
plan.
6. Incident Reporting and Damage Assessment
a. Reporting (When, Where, What Versus 72 Hours)
Comment: Two respondents commented on the 72-hour reporting
requirement. One suggested that the 72-hour reporting requirement is
unrealistic unless the rule is revised to limit its applicability to
specific information that DoD has provided to the contractor or
subcontractor with appropriate markings. One respondent suggested that
72 hours is not enough time to investigate a potential cyber incident,
confirm the incident, and obtain the requisite report information.
Several respondents commented that the increased reporting requirement
to include potentially adverse effects on an information system
regardless of an actual compromise to covered defense information, is
too burdensome to industry for little apparent benefit, and suggested
that DoD eliminate the words ``or potentially'' from the definition of
cyber incident. One respondent suggested that the rule address what
factors contractors should consider when evaluating whether an incident
has a ``potentially adverse effect.'' One respondent recommended that a
threshold be established on when a contractor and subcontractor would
be required to report a cyber incident, and that the agency point of
contact be a centralized figure/office in which all cyber incident
reports are submitted to or, in the alternative, a centralized figure/
office that handles reporting for all contracts under which a given
contractor performs.
Response: When a cyber incident is discovered, the contractor/
subcontractor should report whatever information is available to the
DIBNet portal within 72 hours of discovery. If the contractor/
subcontractor does not have all the information required on the
Incident Collection Form (ICF) at the time of the report, and if more
information becomes available, the contractor should submit a follow-on
report with the added information. The DoD Cyber Crime Center (DC3)
serves as the DoD operational focal point for receiving cyber threat
and incident reporting from those Defense contractors who have a
contractual requirement to report under DFARS clause 252.204-7012. Upon
receipt of the contractor/subcontractor-submitted ICF in the DIBNet
portal, DC3 will provide the submitted ICF to the contracting officer
identified on the ICF. The contracting officer is directed in DFARS
Procedures, Guidance, and Information 204.7303-3 to notify the
[[Page 72992]]
requiring activities that have contracts identified in the ICF.
b. Incident Collection Form
Comment: One respondent recommended that the ICF, for example on
the DIBnet site, should include a field where the contractor can
indicate the vulnerability suspected, known, or created.
Response: The ICF fields are described at the ``Resources'' tab at
http://dibnet.dod.mil. Field numbers 16 (Type of compromise), 17
(Description of technique or method used in cyber incident), 19
(Incident/Compromise narrative), and 20 (Any additional information)
each provide the opportunity for the contractor to indicate the
vulnerability suspected.
d. Access to Contractor Information
Comment: Multiple respondents commented that the rule does not
appropriately limit the Government's access to contractor systems and
fails to adequately protect sensitive contractor data, suggesting that
the rule be revised to recognize the need for appropriate limits on the
Government's rights to request, use, and disclose sensitive contractor
information it may obtain as a result of a reported cyber incident or
investigation. Many respondents offered alternatives of how to limit
access. Several respondents suggested that the final rule use the same
use and disclosure rights that were contained in the prior unclassified
controlled technical information (UCTI) rule. Others suggested that the
rule be modified to state that DoD limit access to equipment or
information only in connection with a contractor report of a ``cyber
incident'' and as necessary to conduct a forensic analysis or damage
assessment, adding that the parties should discuss in good faith
whether additional information or equipment is necessary. One suggested
that the rule indicate that the Government may require access to
equipment or information only ``to determine whether information
created by or for the Department in connection with any Department
program was successfully exfiltrated from a network or information
system and, if so, what information was exfiltrated.''
Response: This rule adds on to the prior UCTI rule, by implementing
10 U.S.C. 391 and 393 (previously section 941 of the NDAA for FY 2013
and section 1632 of the NDAA for FY 2015), which state that contractors
will provide access to equipment or information to determine if DoD
information was successfully exfiltrated from a network or information
system of such contractor and, if so, what information was exfiltrated.
This requirement is implemented in DFARS clause 252.204-7012 by stating
that, upon request by DoD, the Contractor shall provide DoD with access
to additional information or equipment that is necessary to conduct a
forensic analysis--thus limiting DoD access to equipment/information
necessary to conduct the analysis resulting from a cyber incident, as
suggested above. This analysis is critical to understand what
information was exfiltrated from the information system.
e. Protection/Use of Contractor Information
Comment: Multiple respondents commented that the interim rule
should address how DoD will safeguard any contractor data provided. One
respondent added that the clause also does not allow contractors an
opportunity to review their security information before it is
disclosed. Several respondents recommend that the final rule use the
same use and disclosure rights that were contained in the prior UCTI
rule. One respondent recommended that DoD make clear that the
information it receives from contractors under the cyber incident
reporting rules may not be used for Government commercial or law
enforcement purposes. One respondent suggested that the rule should
address personal information in internal contractor systems,
recommending that the DoD Privacy Officer review the rule and conduct a
privacy impact assessment, and that DoD address special procedures and
protections for personal information. One respondent suggested that the
DFARS prohibit the release outside DoD of PHI or PII provided to DoD in
connection with the reporting or investigation of a cyber incident.
Response: DoD protects against unauthorized use or release of cyber
incident reporting information from the contractor, in accordance with
applicable statutes and regulations. DoD complies with 10 U.S.C. 391
and 393 and provides reasonable protection of trade secrets and other
information, such as commercial or financial information, and
information that can be used to identify a specific person. DoD limits
the dissemination of cyber incident information to the entities
specified in the rule.
f. Attributional/Proprietary Information
Comment: One respondent suggested that the definition of contractor
attributional/proprietary information exceeds the stated scope of the
subpart 204.7300, namely, ``to safeguard covered defense information
that resides in or transits through covered contractor information
systems.'' One respondent commented that the rule places the burden on
the contractor to mark information as ``contractor attributional/
proprietary,'' adding that the rule should either address how
contractors can protect previously unmarked information while still
complying with the requirement to preserve images of their information
system, or enumerate what steps the Government will take to ensure that
the absence of a marking on a document provided to the Government as
part of that image will not be treated as determinative of the
Government's ultimate obligations to protect that information as
contractor attributional/proprietary.
One respondent commented that restrictions and requirements imposed
by the rule with regard to attributional/proprietary information would
impact international suppliers of U.S. allies who provide critical
components that are integrated into major systems and subsystems,
suggesting that international suppliers may be unable to comply with
the requirements of the DFARS due to the applicable laws in their
country or a lack of resources.
Response: The Government may request access to media to assess what
covered defense information was affected by the cyber incident. DoD
will protect against the unauthorized use or release of contractor
attributional/proprietary information. The contractor should identify
and mark attributional/proprietary information and personal information
to assist DoD in protecting this information. To the extent that media
may include attributional/proprietary information, the Government will
protect against unauthorized access. DoD will need to work with the
prime contractor to resolve challenges with international suppliers on
a case by case basis.
g. Third Party Information
Comment: Several respondents commented on third-party support
contractors' access to other contractors' internal systems and/or
information. One respondent suggested that third party support
contractor access to other contractors' internal systems raises serious
concerns and encouraged DoD to incorporate an effective mechanism to
notify the originating party about third parties with access to such
data, as well as any disclosure of such data by those third parties.
One respondent recommended that DoD add a requirement for third parties
to sign a non-disclosure agreement with each
[[Page 72993]]
company they may conduct a forensic analysis on or an investigation
against.
Response: The rule subjects support service contractors directly
supporting Government activities related to safeguarding covered
defense information and cyber incident reporting (e.g., providing
forensic analysis services, damages assessment services, or other
services that require access to data from another contractor) to
restrictions on use and disclosure obligations.
h. Liability Protections
Comment: One respondent recommended that the final rule integrate
the liability protections provided by section 1641 of the NDAA for FY
2016, further suggesting that DoD work to extend the liability
protections so that all contractors and subcontractors that are
required to report cyber incidents under its regulations are provided
the same levels of protection.
Response: DFARS Case 2016-D025, Liability Protections when
Reporting Cyber Incidents, was opened on April 20, 2016 to implement
section 1641 of the FY 2016 NDAA.
7. Subcontractors
a. Reporting
Comment: Multiple respondents addressed the requirement for
subcontractors to simultaneously report incidents directly to the
Government and the prime contractor. One respondent suggested that
having subcontractors report directly to DoD creates a control
challenge for prime contractors. Another suggested that subcontractor
reporting directly to DoD removes the prime contractors ability to
educate themselves about the incident and to be a resource to DoD.
Others suggested that the obligation for subcontractors to report
violates the subcontractor's confidentiality rights. Other respondents
requested clarification regarding the types of information that must be
disclosed by subcontractors to prime contractors. One respondent
suggest the rule should limit the information that a subcontractor is
required to report to its prime contractor or, otherwise, limit the
prime contractors' ability to disclose any information that is received
as a result of the disclosures. One respondent commented that it is not
clear how the Government intends to protect proprietary information
reported by the subcontractor to the prime contractor from unauthorized
use.
Response: The rule has been amended to clarify that subcontractors
are required to rapidly report cyber incidents directly to DoD at
http://dibnet.dod.mil, and to provide the incident report number,
automatically assigned by DoD, to the prime Contractor (or next higher-
tier subcontractor) as soon as practicable. Any requirement for the
subcontractor to provide anything more than the incident report number
to the prime Contractor (or next higher-tier subcontractor) is a matter
to be addressed between the prime and the subcontractor.
DoD will protect against the unauthorized use or release of cyber
incident information reported by the contractor or subcontractor in
accordance with applicable statutes and regulations.
b. Flowdown
Comment: Multiple respondents commented on aspects of the flowdown
and subcontractor requirements of the rule. One respondent asked which
party determines whether a subcontractor's efforts involve covered
defense information or require providing operationally critical
support, suggesting that, without additional detail or guidance, the
determination of what constitutes covered defense information or
operationally critical support would vary. Several respondents
requested clarification regarding how DoD intends to enforce the
flowdown of DFARS clause 252.204-7012 beyond the first tier of the
supply chain, and how subcontractors can comply with the final rule's
requirements. One respondent asked DoD to clarify whether it will
prohibit a prime contractor from entering into a subcontract if the
subcontractor refuses to accept DFARS 252.207-7012. Several respondents
commented on the change made to the second interim rule that, when
applicable, the clause shall be included without alteration, except to
identify the parties, suggesting that this requirement restrains prime
contractors' and subcontractors' ability to negotiate flowdown
provisions that address the specific needs of their contractual
arrangements. Another asked if ``where DoD requires flow-down without
alteration, can industry assume that wherever the language in 252.204-
7012 refers to a ``contractor,'' the term ``subcontractor'' should or
can be used in the flowdown version of the clause, except where
``subcontractor'' is already used in the clause''?
Response: Paragraph (m) of DFARS clause 252.204-7012, states that
the clause will be included without alteration, ``except to identify
the parties.'' This allows the Contractor to identify the appropriate
party as required. Paragraph (m) is amended in the final rule to
clarify that flowdown of the clause is required for subcontracts for
operationally critical support, or for which subcontract performance
will involve ``covered defense information,'' instead of ``a covered
contractor information system.'' Paragraph (m) is further amended to
instruct the contractor to, if necessary, consult with the contracting
officer to determine if the information required for subcontractor
performance retains its identity as covered defense information and
will require protection under this clause, thus driving when the
substance of DFARS clause 252.204-7012 must be included in a
subcontract. Flowdown is a requirement of the terms of the contract
with the Government, which should be enforced by the prime contractor
as a result of compliance with these terms. If a subcontractor does not
agree to comply with the terms of 252.204-7012, then covered defense
information shall not be on that subcontractor's information system.
8. Cloud Computing
a. Access
Comment: One respondent commented that they did not agree with
DFARS 252.239-7010(i)(3), ``which provides that a Government
contracting officer may require physical access to data centers for
purposes of audits, inspections, or other similar and undefined
activities,'' suggesting that the DFARS be revised to reflect the
practice of infrastructure as-a-service providers to limit third party
access to data centers to accredited FedRAMP third party assessment
organizations and to law enforcement activities.
Response: DFARS 252.239-7010(i)(3) states that the contractor shall
provide the Government or its authorized representatives (vice
contracting officers) access to all Government data and Government-
related data, access to contractor personnel involved in performance of
the contract, and physical access to any Contractor facility with
Government data, for the purpose of audits, investigations,
inspections, or other similar activities, as authorized by law or
regulation (vice undefined activities).
b. 252.204-7012 Versus 252.239-7010
Comment: One respondent commented that it is unlikely that a
majority of CSPs have completed their review/audit of their systems in
order to notify contracting officers within 30 days of award whether or
not they comply with NIST SP 800-171 security
[[Page 72994]]
requirements. This respondent also commented that companies that have
demonstrated compliance with DoD Impact Level L4/5 (as described in the
Cloud Computing Security Requirements Guide (SRG)) should not be
required to do all the paperwork or be subject to the requirement for
an additional assessment.
Response: When using cloud computing to provide information
technology services in the performance of the contract (i.e., an
information technology service or system operated on behalf of the
Government), CSPs shall comply with the requirements of DFARS Clause
252.239-7010, Cloud Computing Services, which points to the Cloud
Computing SRG. The requirement to provide DoD CIO with a list of
security requirements that are not implemented at the time of contract
award applies only to implementation of security requirements as
required in DFARS clause 252.204-7012. The rule has been amended to
clarify that when the contractor is not providing cloud computing
services in the performance of the contract, but intends to use an
external CSP to store, process, or transmit any covered defense
information for the contract, DFARS clause 252.204-7012 (b)(2)(ii)(D)
applies. DFARS clause 252.204-7012(b)(2)(ii)(D) requires the CSP to
meet security requirements equivalent to those established by the
Government for the FedRAMP ``Moderate'' baseline at the time award. The
text in DFARS clause 252.204-7012 has also been amended to clarify that
the contractor shall, within 30 days of contract award, provide the DoD
CIO with a list of the security requirements at (b)(2)(i) that are not
implemented at the time of contract award, to include any security
requirements not implemented by an external cloud service provider.
Comment: One respondent suggested that the rule does not provide
any guidance as to how to reconcile the implementation of DFARS clauses
252.204-7012 and 252.239-7010, and that the appropriate security
controls that should be applied to cloud systems is unclear. The
respondent suggested that because the cloud computing exemption in
DFARS 252.204-7012 is located within the ``adequate security''
requirements of the clause, the clause can be read as to impose the
Cloud Computing SRG security requirements (included in 252.239-7010) on
all cloud information systems, and that different reporting and
preservation requirements would apply if the information stored on the
CSP's cloud is covered defense information. This respondent further
suggested that the scope of DFARS 252.204-7012(b)(1)(A) is defined by
the type of service provided, rather than the environment in which
information is stored.
Response: DFARS clause 252.204-7012 has been amended to clarify the
appropriate security controls that should be applied on all covered
contractor information systems. Cyber incident reporting, media
preservation, and system access are not part of the contractor's
adequate security obligations, but rather distinct requirements of the
clause when a cyber incident occurs on a covered contractor information
system.
Comment: One respondent commented that it is unclear whether the
exemption for security controls contained within DFARS 252.204-7012
covers ancillary cloud services, such as cloud migration and
eDiscovery, that a CSP may provide as an add-on service to a cloud
computing contract. This respondent suggested that a clarification of
the scope of the exemption would be helpful for defining reporting and
safeguarding obligations for these providers. One respondent suggested
that DoD revise DFARS clause 252.204-7012 to clarify that data stored
on a cloud is exempt from the requirements of this clause and subject
only to the requirements of DFARS clause 252.239-7010. Such an approach
will provide contractors with clear guidelines as to when they are
subject to the requirements DFARS 252.204-7012 or DFARS 252.239-7010.
Furthermore, through the application of the Cloud Computing SRG
requirements to data stored on a cloud, this approach will ensure that
DoD information receives the appropriate degree of protection for the
environment in which it is stored.
Response: DFARS clause 252.204-7012 requires that (for an
information technology service or system operated on behalf of the
Government) CSP shall comply with the requirements of DFARS clause
252.239-7010, Cloud Computing Services, which points to the Cloud
Computing SRG (see paragraph (b)(1)(i) of the clause). This clause has
been amended to clarify that (for an information technology services or
system not operated on behalf of the Government) when using an external
CSP to store, process, or transmit any covered defense information, the
CSP shall meet requirements equivalent to those established by the
Government in the FedRAMP Moderate baseline (see paragraph
(b)(2)(ii)(D) of the clause).
Comment: One respondent commented that they understand that the
subcontractor flowdown clause is not required in contracts between the
contractor and the CSPs, and that the contractor is not responsible for
ensuring that CSPs comply with DFARS clause 252.204-7012, and requested
that this be confirmed or clarified.
Response: When a contractor uses an external CSP to store, process,
or transmit any covered defense information for the contract, DFARS
Clause 252.204-7012(b)(2)(ii)(D) applies. While the flowdown provision
in 252.204-7012 does not apply to the CSP in this case, the prime
contractor is responsible to ensure that the CSP meets the requirements
at 252.204-7012(b)(2)(ii)(D).
c. Reporting
Comment: One respondent commented that the rule fails to define the
information that must be reported and creates a reporting system
separate from the FedRAMP and Cloud Computing SRG Requirements,
suggesting that an established system with clear reporting requirements
for cloud computing security incidents would be more efficient than
utilizing a new, separate, possibly conflicting portal at http://dibnet.dod.mil.
Response: The public facing DIBNet Web site includes a
``Resources'' tab that describes the information required when
reporting a cyber incident that is related to the cloud computing
service provided under his contract. Consistent with reporting
requirements in DFARS clause 252.205-7012 and the Cloud Computing SRG,
reports shall be submitted to DoD via http://dibnet.dod.mil/. This is
DoD's single reporting mechanism for DoD contractor reporting of cyber
incidents on unclassified information systems. The rule streamlines the
reporting processes for DoD contractors and minimizes duplicative
reporting processes.
Comment: One respondent commented that it is their understanding
that if a contractor, when not providing information technology
services in the performance of the contract, but is using an external
CSP that is FedRAMP compliant to store, process, or transmit any
covered defense information for the contract, the contractor only needs
to ensure that the CSP reports cyber incidents to the contractor so the
contractor can comply with its reporting requirements to the
Government.
Response: DFARS clause 252.204-7012 was amended to require that the
CSP should be FedRAMP ``Moderate'' compliant, not simply FedRAMP
compliant (as there are CSPs that are only FedRAMP ``Low'' compliant,
which is not sufficient for covered defense information protection).
The clause also requires that the external
[[Page 72995]]
CSP meets the cyber incident reporting, malicious software, media
preservation and protection, access to additional information and
equipment necessary for forensic analysis, and cyber incident damage
assessment requirements at paragraphs (c) through (g) of the clause.
Comment: One respondent suggested that CSPs should only be
responsible for reporting incidents that result in an actual, or
reasonably suspected, unauthorized disclosure of customer data, adding
that if reporting requirements are scoped to customer data only, then
the 72-hour reporting window is reasonable.
Response: Cyber incidents that impact the environment could have an
impact on the CSP's security accreditation and DoD data, which is the
reason that all incidents that are on shared services and
infrastructure should be reported.
Comment: One respondent commented that the reporting requirements
in DFARS clause 252.239-7010 fail to recognize the unique role of CSPs,
stating that commercial CSPs and their customers typically agree to
abide by strict privacy and access-to information controls which
normally include limiting provisions that prevent CSPs from accessing
customer information without prior consent and from providing customer
data to third parties or providing third parties access to customer
data. The respondent suggested that these limitations, in which only
the customer would know whether an incident impacts a particular
customer's data and whether there are additional reporting
requirements, drive the need for a two-step reporting requirement that
allows the customer who has full knowledge of the data that is stored
in the cloud and the applicable classifications of such data to make
the ultimate determination of any reporting obligations to the
Government.
Response: As any cyber incident to the shared infrastructure can
have an adverse impact on DoD data, the CSP must report any cyber
incident to the shared infrastructure to DoD. That may require
modifications to their commercial terms of service to allow for that.
In addition, communication between the Government and the contractor
(whether CSP or not) is vital; any specific requirements, or
interpretations of requirements, should be negotiated as part of the
service level agreement.
Comment: Several comments suggested that DFARS 252.239-7010, Cloud
Computing Services, sets forth a number of requirements that commercial
cloud infrastructure (i.e., infrastructure as a service (IaaS))
providers will not be able to sign up to (as prime contractors or
subcontractors), because compliance with those requirements are outside
of their control; compliance with those requirements falls within the
control of the managed services providers, account owners, lead systems
engineers, or prime contractors (the ``primes'') running DoD workloads
and storing ``Government data'' and ``Government-related data'' in the
cloud infrastructure. One comment suggested that the DIBNet cyber
reporting requirements should not apply to IaaS providers, but to the
prime using the cloud, stating that although IaaS providers will notify
the primes of security breaches, they will not have insight into the
nature of the data the primes are storing and processing in the
infrastructure, or know whether a breach results in a ``cyber
incident,'' as that term is defined in the clause.
Response: The reporting requirement in DFARS 252.239-7010 requires
the prime to report all cyber incidents that are related to the cloud
computing service provided under the contract. In cases where the CSP
is the prime contractor, the provider is required to report the
incident to DoD. If the provider (acting as a prime) does not have
insight into the nature of the data being stored or processed, any
breach would be considered a cyber incident given the potential impact
it could have on the information or the information system.
Because the IaaS providers deliver shared services, any cyber
incident on the shared infrastructure and services would be the
responsibility of the IaaS provider and they are obligated to report
those incidents.
9. Workforce Training
Comment: One respondent asked about DoD plans to train the
workforce to consistently apply the requirements for handling covered
defense information.
Response: DoD will engage across both Government and industry to
educate and raise awareness of the importance of protecting covered
defense information. The Better Buying Power 3.0 initiative includes
efforts to educate our workforce on the value and best practices for
system security and efforts to communicate the importance of
cybersecurity across DoD and to the Defense Industrial Base. Efforts to
improve technological superiority will be in vain if effective
cybersecurity is not practiced throughout the product lifecycle.
Defense Acquisition University, in coordination with education
counterparts in the Intelligence Community and Defense Security
Service, is working to develop education and training to increase
workforce understanding of the value and best practices for covered
defense information protection.
C. Other Changes
The following additional changes are made in the final rule:
1. Definitions. Several definitions already included in the rule
are added to or removed from certain subparts based on their usage in
the text, to include ``compromise,'' ``information system,'' ``media,''
``operationally critical support,'' ``spillage,'' and ``technical
information.''
2. Incident Report Number. DFARS 204.7302(b) and 252.204-
7012(m)(2)(ii) are amended to clarify that the incident report number
is automatically assigned by DoD.
3. NIST SP 800-171. DFARS 252.204-7008(c) is amended to clarify in
the notice to offerors, the requirement to implement the NIST SP 800-
171 that is in effect at the time the solicitation is issued or as
authorized by the contracting officer.
4. Malicious Software. DFARS 252.204-7012(d) is amended to
specifically direct the contractor to not send malicious software to
the contracting officer.
5. Access. DFARS 239.7602-1 is amended to provide the same list
provided at DFARS 252.239-7010(i)(3) of activities in which the
contractor is required to provide records and facility access.
D. Additional Information
Defense Procurement and Acquisition Policy (DPAP) Program
Development and Implementation (PDI) provides answers to frequently
asked questions at http://www.acq.osd.mil/dpap/pdi/network_penetration_reporting_and_contracting.html. The answers to
these general questions are intended to assist with understanding and
implementing the requirements of this rule.
III. Applicability to Contracts at or Below the Simplified Acquisition
Threshold and for Commercial Items, Including Commercially Available
Off-the-Shelf Items
The rule created two new provisions and two new clauses as follows:
(1) DFARS 252.204-7008, Compliance with Safeguarding Covered Defense
Information Controls; (2) DFARS 252.204-7009, Limitations on the Use or
Disclosure of Third-Party Contractor Information; (3) DFARS 252.239-
7009, Representation of Use of Cloud Computing; and (4) DFARS 252.239-
7010, Cloud Computing Services.
[[Page 72996]]
Additionally, the rule amended the existing DFARS clause 252.204-7012,
Safeguarding Covered Defense Information and Cyber Incident Reporting.
The objectives of the rule are to improve information security for
DoD information stored on or transiting contractor information systems
as well as in a cloud environment. The rule implements section 941 of
the NDAA for FY 2013 (Pub. L. 112-239), section 1632 of the NDAA for FY
2015, and section 325 of the Intelligence Authorization Act of FY 2014
(Pub. L. 113-126). Additionally the rule implements DoD CIO policy for
the acquisition of cloud computing services. The only clause within
this rule that is implementing the statutory requirements is clause
252.204-7012, which already applied to acquisitions below the
simplified acquisition threshold (SAT) and to commercial items,
including commercially available off-the-shelf items (COTS). The
following addresses the applicability of the new statutory requirements
in DFARS clause 252.204-7012.
A. Applicability to Contracts at or Below the SAT
41 U.S.C. 1905 governs the applicability of laws to contracts or
subcontracts in amounts not greater than the simplified acquisition
threshold (SAT). It is intended to limit the applicability of laws to
such contracts or subcontracts. 41 U.S.C. 1905 provides that if a
provision of law contains criminal or civil penalties, or if the FAR
Council makes a written determination that it is not in the best
interest of the Federal Government to exempt contracts or subcontracts
at or below the SAT, the law will apply to them. The Director, DPAP, is
the appropriate authority to make comparable determinations for
regulations to be published in the DFARS, which is part of the FAR
system of regulations.
B. Applicability to Contracts for the Acquisition of Commercial Items,
Including COTS Items
41 U.S.C. 1906 governs the applicability of laws to contracts for
the acquisition of commercial items, and is intended to limit the
applicability of laws to contracts for the acquisition of commercial
items. 41 U.S.C. 1906 provides that if a provision of law contains
criminal or civil penalties, or if the FAR Council makes a written
determination that it is not in the best interest of the Federal
Government to exempt commercial item contracts, the provision of law
will apply to contracts for the acquisition of commercial items.
Likewise, 41 U.S.C. 1907 governs the applicability of laws to
commercially available off-the-shelf (COTS) items, with the
Administrator for Federal Procurement Policy the decision authority to
determine that it is in the best interest of the Government to apply a
provision of law to acquisitions of COTS items in the FAR. The
Director, DPAP, is the appropriate authority to make comparable
determinations for regulations to be published in the DFARS, which is
part of the FAR system of regulations.
C. Applicability Determination
The Director, DPAP, has determined that it is in the best interest
of the Government to apply the requirements of section 941 of the
National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013,
section 1632 of the NDAA for FY 2015, and section 325 of the
Intelligence Authorization Act of FY 2014 (Pub. L. 113-126) to
contracts at or below the SAT and to contracts for the acquisition of
commercial items, for clause 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting. However, the clause
prescription is amended in the final rule to exempt use in
solicitations and contracts that are solely for the acquisition of COTS
items.
The necessity to protect covered defense information is the same
across all contract types for all dollar values. The harm that could
result from the loss or compromise of covered defense information is
the same under a FAR part 12 contract that is under the SAT as it would
be under any other contract. Recent high-profile breaches of Federal
information show the need to ensure that information security
protections are clearly, effectively, and consistently addressed in
contracts. Failure to apply this rule to contracts with covered defense
information may cause harm to the Government which could directly
impact national security. Therefore, exempting contracts below the SAT
or for the acquisition of commercial items (excluding COTS items) from
application of the statutes would severely decrease the intended effect
of the statutes and increase the risk of mission failure.
For the same reasons expressed in the preceding paragraph, DoD
applied the following provisions and clauses to acquisitions below the
SAT and to the acquisition of commercial items, excluding COTS items:
(1) DFARS 252.204-7008, Compliance with Safeguarding Covered Defense
Information Controls; (2) DFARS 252.204-7009, Limitations on the Use or
Disclosure of Third-Party Contractor Information; (3) DFARS 252.239-
7009, Representation of Use of Cloud Computing; and (4) DFARS 252.239-
7010, Cloud Computing Services.
IV. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is not a significant regulatory action and, therefore, was not
subject to review under section 6(b) of E.O. 12866, Regulatory Planning
and Review, dated September 30, 1993. This rule is not a major rule
under 5 U.S.C. 804.
V. Regulatory Flexibility Act
A final regulatory flexibility analysis (FRFA) has been prepared
consistent with the Regulatory Flexibility Act, 5 U.S.C. 601, et seq.
The FRFA is summarized as follows:
This final rule expands on the existing information safeguarding
policies in the Defense Federal Acquisition Regulation System (DFARS),
which were put in place in November 2013 (78 FR 69273), by requiring
contractors to report cyber incidents to the Government in a broader
scope of circumstances.
The objective of this rule is to implement section 941 of the
National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013
(Pub. L. 112-239), section 1632 of the National Defense Authorization
Act (NDAA) for Fiscal Year (FY) 2015, and DoD CIO policy for the
acquisition of cloud computing services, in order to improve
information security for DoD information stored on or transiting
contractor information systems, as well as in a cloud environment.
The significant issues raised by the public in response to the
initial regulatory flexibility analysis are as follows:
Comment: Respondents expressed concern that the estimated of the
total number of small businesses impacted by the rule is too low and
that the rule does not allow for alternative standards or exemption for
small business due to potentially burdensome costs of compliance.
[[Page 72997]]
Response: As there is no database collecting the number of
contractors receiving covered defense information it is difficult to
determine how many contractors are required to implement the security
requirements of clause 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting. Further, without adding a new
information collection requirement to prime contractors it is not
possible to determine how many subcontractors are in possession of
covered defense information. Based on the respondent's analysis of the
number of small entities, as prime contractors and as subcontractors,
that may be affected by the rule the DoD estimate of small entities
affected by this rule has been revised, to increase the number.
The cost of compliance with the requirements of this rule is
unknown as the cost is determined based on the make-up of the
information system and the current state of security already in place.
If a contractor is already in compliance with the 2013 version of the
clause 252.204-7012, then the changes necessary to comply with the new
rule are not as significant. For a new contractor that has not been
subject to the previous iteration of the 252.204-7012 clause and is now
handling covered defense information the cost could be significant to
comply. The cost of compliance is allowable and should be accounted for
in proposal pricing (in accordance with the entity's accounting
practices). Though it is not a change specific to small entities the
security requirements as amended in this rule are found in National
Institute of Standards and Technology (NIST) Special Publication (SP)
800-171, ``Protecting Controlled Unclassified information in Nonfederal
Information Systems and organizations,'' to replace a table based on
NIST SP 800-53. The security requirements in NIST SP 800-171 are
specifically tailored for use in protecting sensitive information
residing in contractor information systems and generally reduce the
burden placed on contractors by eliminating Federal-centric processes
and requirements and enabling contractors to use systems they already
have in place with some modification instead of building a new system.
Recommendations made by public comment to allow for alternative
application of the rule for small entities include: An exemption for
small entities, delaying application to small entities until costs are
further analyzed, and creating a different set of security requirements
for small entities. While all of these paths were considered, they were
rejected as conflicting with the overarching purpose of this rule which
is to increase the security of unclassified information that DoD has
determined could result in harm if released. Regardless of the size of
the contractor or subcontractor handling the information, the
protection level of that information needs to be the same across the
board to achieve the goal of increased information assurance.
The Chief Counsel for Advocacy of the Small Business Administration
submitted a response to the second interim rule. The response
reiterated the concerns brought by one of the public comments and
provided suggestions for alternative application of the rule for small
businesses:
Comment: The SBA Office of Advocacy suggested that DoD has
underestimated the number of small businesses affected by this
rulemaking, and recommended that DoD include small businesses serving
as prime contractors and as subcontractors in their estimation of the
number of impacted small entities. This respondent also commented that
the cost of compliance with the rule will be a significant barrier to
small businesses engaging in the Federal acquisition process, adding
that many small businesses will be forced to purchase services and
additional software from outside or third-party vendors in order to
provide ``adequate safeguards'' for covered defense information and to
adequately assess and evaluate their information systems and security
controls.
Response: The final rule clarifies that the protections are not
required when contracting solely for COTS items, thereby reducing the
impact on some small business. The need to protect covered defense
information does not change when such information is shared with
nonfederal partners including small businesses. The cost of not
protecting covered defense information is an enormous detriment to DoD
resulting in a potential loss or compromise of such information,
adverse impacts to the DoD warfighting mission, and to the lives of
service men and women.
Comment: The SBA Office of Advocacy suggested that DoD has
underestimated the number of small businesses affected by this
rulemaking, and recommended that DoD include small businesses serving
as prime contractors and as subcontractors in their estimation of the
number of impacted small entities.
Response: As noted in response to the same public comment, DoD
revises the estimate to be 12,000 small business prime contractors and
any small business subcontractors that will be required to handle
covered defense information during performance of the subcontracted
work. There is currently no system to track when covered defense
information is present on contract or passed to subcontractors so this
estimate is not made with a high level of certainty.
Comment: The SBA Office of Advocacy commented that the cost of
compliance with the rule will be a significant barrier to small
businesses engaging in the Federal acquisition process, adding that
many small businesses will be forced to purchase services and
additional software from outside and third-party in order to provide
``adequate safeguards'' for covered defense information and to
adequately assess and evaluate their information systems and security
controls.
Response: While it is understood that implementing the minimum
security controls outlined in the DFARs clause may increase costs,
protection of unclassified DoD information is deemed necessary. The
cost to the nation in lost intellectual property and lost technological
advantage over potential adversaries is much greater than these
initial/ongoing investments. The value of the information (and impact
of its loss) does not diminish when it moves to contractors (prime or
sub, large or small). NIST SP 800-171 was carefully crafted to use
performance-based requirements and eliminate unnecessary specificity
and include only those security requirements necessary to provide
adequate protections for the impact level of CUI (e.g., covered defense
information).
Implementation of the NIST SP 800-171 security requirements will
provide significant benefit to the small business community in the form
of increased protection of their intellectual property. In addition,
defining one set of standards will help small businesses to avoid a
situation in which small business must adopt multiple standards and
rule sets as they navigate amongst the many different organizations
with which they do business. The addition of a new provision at DFARS
252.204-7008, Compliance with Safeguarding Covered Defense Information
Controls, ensures that the offeror is aware of the requirements of
clause 252.204-7012 and has time to bring their system into compliance
and negotiate the terms of the contract accordingly.
Comment: The SBA Office of Advocacy suggested that DoD consider
collaborating with universities or other companies, to provide low-cost
cybersecurity services to small
[[Page 72998]]
businesses, or providing a one-time subsidy to small businesses to help
cover the cost of initial consultations with third party vendors.
Response: There is no funding appropriation attached to compliance
with the rule so it is not feasible to create a program for compliance
or a one-time subsidy related to the new security requirements
associated with the rule. However, the costs associated with compliance
are allowable and should be considered in proposals on solicitations
including the 252.204-7008 provision and 252.204-7012 clause, when
covered defense information is present. The final rule is amended to
require the security requirements to be in place only when the covered
defense information is marked or identified in the contract, which
should cut down significantly on the number of contractors that
mistakenly assumed they were required to comply.
DoD has revised the estimate to be 12,000 small business prime
contractors; however, the number of small business subcontractors that
will be required to handle covered defense information during
performance of the subcontracted work cannot be accurately estimated.
Which small businesses will be required to comply, is entirely
dependent on the work that they perform and the unclassified
information involved. If they work solely in COTS items, then they will
be exempt from the security requirements.
This rule requires that contractors report cyber incidents to the
Government in accordance with DFARS clause 252.204-7012. An information
technology expert will likely be required to provide information
describing the cyber incident in the report, or at least to determine
what information was affected.
For the final rule the prescriptions for provision 252.204-7008 and
252.204-7012 are amended to exempt COTS items, to clarify that they do
not apply to contracts that are solely for COTS items. The final rule
will keep the subcontractor flowdown requirement as amended in the
second interim rule to only require the clause to flowdown when the
covered defense information has been provided to the subcontractor, and
this will significantly decrease the amount of small subcontractors
that are unnecessarily working toward compliance with the security
requirements of clause 252.204-7012.
VI. Paperwork Reduction Act
This rule contains information collection requirements that have
been approved by the Office of Management and Budget (OMB) under the
Paperwork Reduction Act (44 U.S.C. chapter 35) under OMB Control Number
0704-0478 entitled ``Enhanced Safeguarding and Cyber Incident Reporting
of Unclassified DoD Information Within Industry.''
List of Subjects in 48 CFR Parts 202, 204, 212, 239, and 252
Government procurement.
Jennifer L. Hawes,
Editor, Defense Acquisition Regulations System.
Accordingly, the interim rule amending 48 CFR parts 202, 204, 212,
239, and 252, which was published at 80 FR 51739 on August 26, 2015,
and the interim rule amending 48 CFR part 252, which was published at
80 FR 81472 on December 30, 2015, are adopted as final rules with the
following changes:
0
1. The authority citation for 48 CFR parts 202, 204, 239, and 252
continues to read as follows:
Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.
PART 202--DEFINITIONS OF WORDS AND TERMS
202.101 [Amended]
0
2. Amend section 202.101 by removing the definition of ``media''.
PART 204--ADMINISTRATIVE MATTERS
204.7300 [Amended]
0
3. Amend section 204.7300(a) by removing ``security controls'' and
adding ``security requirements'' in its place.
0
4. Amend section 204.7301 by--
0
a. In the definition of ``covered contractor information system'',
removing ``an information system'' and adding ``an unclassified
information system'' in its place;
0
b. Revising the definition of ``covered defense information'';
0
c. Adding, in alphabetical order, the definition for ``media'';
0
d. Removing the definition of ``operationally critical support''; and
0
e. Amending the definition of ``rapid(ly) report(ing)'' by removing
``Rapid(ly) report(ing)'' and adding ``Rapidly report'' in its place.
The revisions and addition read as follows:
204.7301 Definitions.
* * * * *
Covered defense information means unclassified controlled technical
information or other information (as described in the Controlled
Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or
dissemination controls pursuant to and consistent with law,
regulations, and Governmentwide policies, and is--
(1) Marked or otherwise identified in the contract, task order, or
delivery order and provided to the contractor by or on behalf of DoD in
support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by
or on behalf of the contractor in support of the performance of the
contract.
* * * * *
Media means physical devices or writing surfaces including, but not
limited to, magnetic tapes, optical disks, magnetic disks, large-scale
integration memory chips, and printouts onto which covered defense
information is recorded, stored, or printed within a covered contractor
information system.
* * * * *
0
5. Amend section 204.7302 by--
0
a. Revising paragraphs (a) and (b);
0
b. In paragraph (c), removing ``The Government acknowledges that
information shared by the contractor under these procedures may'' and
adding ``Information shared by the contractor may'' in its place;
0
c. Revising paragraph (d); and
0
d. In paragraph (e), removing ``providing forensic analysis services,
damages assessment services,'' and adding ``forensic analysis, damage
assessment,'' in its place; and removing ``use and disclosure'' and
adding ``use and disclosure of reported information'' in its place.
The revisions read as follows:
204.7302 Policy.
(a) Contractors and subcontractors are required to provide adequate
security on all covered contractor information systems.
(b) Contractors and subcontractors are required to rapidly report
cyber incidents directly to DoD at http://dibnet.dod.mil.
Subcontractors provide the incident report number automatically
assigned by DoD to the prime contractor. Lower-tier subcontractors
likewise report the incident report number automatically assigned by
DoD to their higher-tier subcontractor, until the prime contractor is
reached.
(1) If a cyber incident occurs, contractors and subcontractors
submit to DoD--
(i) A cyber incident report;
(ii) Malicious software, if detected and isolated; and
[[Page 72999]]
(iii) Media (or access to covered contractor information systems
and equipment) upon request.
(2) Contracting officers shall refer to PGI 204.7303-4(c) for
instructions on contractor submissions of media and malicious software.
* * * * *
(d) A cyber incident that is reported by a contractor or
subcontractor shall not, by itself, be interpreted as evidence that the
contractor or subcontractor has failed to provide adequate security on
their covered contractor information systems, or has otherwise failed
to meet the requirements of the clause at 252.204-7012, Safeguarding
Covered Defense Information and Cyber Incident Reporting. When a cyber
incident is reported, the contracting officer shall consult with the
DoD component Chief Information Officer/cyber security office prior to
assessing contractor compliance (see PGI 204.7303-3(a)(3)). The
contracting officer shall consider such cyber incidents in the context
of an overall assessment of a contractor's compliance with the
requirements of the clause at 252.204-7012.
* * * * *
0
6. Amend section 204.7304 by--
0
a. In paragraph (a), adding the phrase ``, except for solicitations
solely for the acquisition of commercially available off-the-shelf
(COTS) items'' to the end of the sentence;
0
b. In paragraph (b), removing ``contracts for services'' and adding
``contracts, including solicitations and contracts using FAR part 12
procedures for the acquisition of commercial items, for services'' in
its place; and
0
c. In paragraph (c), adding the phrase ``, except for solicitations and
contracts solely for the acquisition of COTS items'' to the end of the
sentence.
PART 239--ACQUISITION OF INFORMATION TECHNOLOGY
0
7. Amend section 239.7601 by adding, in alphabetical order, definitions
for ``information system'' and ``media''; and removing the definition
of ``spillage''.
The additions read as follows:
239.7601 Definitions.
* * * * *
Information system means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information.
Media means physical devices or writing surfaces including, but not
limited to, magnetic tapes, optical disks, magnetic disks, large-scale
integration memory chips, and printouts onto which information is
recorded, stored, or printed within an information system.
0
8. Amend section 239.7602-1 by--
0
a. In paragraph (a), removing ``the DoD'' and adding ``DoD'' in its
place;
0
b. Revising paragraph (b);
0
c. In paragraph (c) introductory text, removing ``provided in the
purchase request--'' and adding ``provided by the requiring activity:''
in its place;
0
d. In paragraph (c)(1), removing the semicolon and adding a period in
its place;
0
e. In paragraph (c)(2), removing ``CDRL, SOW task'' and adding ``DD
Form 1423, Contract Data Requirements List; work statement task;'' in
its place; and removing the semicolon at the end of the second sentence
and adding a period in its place;
0
f. Removing paragraphs (c)(3) and (6);
0
g. Redesignating paragraphs (c)(4) and (5) as paragraphs (c)(3) and
(4);
0
h. In the newly redesignated paragraph (c)(3), removing the semicolon
and adding a period in its place; and
0
i. In the newly redesignated paragraph (c)(4), removing ``litigation,
eDiscovery, records management associated with the agency's retention
schedules,''; and removing ``activities; and'' and adding
``activities.'' in its place.
The revision reads as follows:
239.7602-1 General.
* * * * *
(b)(1) Except as provided in paragraph (b)(2) of this section, the
contracting officer shall only award a contract to acquire cloud
computing services from a cloud service provider (e.g., contractor or
subcontractor, regardless of tier) that has been granted provisional
authorization by Defense Information Systems Agency, at the level
appropriate to the requirement, to provide the relevant cloud computing
services in accordance with the Cloud Computing Security Requirements
Guide (SRG) (version in effect at the time the solicitation is issued
or as authorized by the contracting officer) found at http://iase.disa.mil/cloud_security/Pages/index.aspx.
(2) The contracting officer may award a contract to acquire cloud
computing services from a cloud service provider that has not been
granted provisional authorization when--
(i) The requirement for a provisional authorization is waived by
the DoD Chief Information Officer; or
(ii) The cloud computing service requirement is for a private, on-
premises version that will be provided from U.S. Government facilities.
Under this circumstance, the cloud service provider must obtain a
provisional authorization prior to operational use.
* * * * *
239.7602-2 [Amended]
0
9. Amend section 239.7602-2(a) by removing ``DoD Instruction 8510.01,
Risk Management Framework (RMF) for DoD Information Technology (IT)''
and adding ``DoD Instruction 8510.01'' in its place.
PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
10. Amend section 252.204-7000 by--
0
a. Removing the clause date of ``(AUG 2013)'' and adding ``(OCT 2016)''
in its place; and
0
b. Revising paragraph (a)(3) to read as follows:
252.204-7000 Disclosure of information.
* * * * *
(a) * * *
(3) The information results from or arises during the performance
of a project that involves no covered defense information (as defined
in the clause at DFARS 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting) and has been scoped and
negotiated by the contracting activity with the contractor and research
performer and determined in writing by the contracting officer to be
fundamental research (which by definition cannot involve any covered
defense information), in accordance with National Security Decision
Directive 189, National Policy on the Transfer of Scientific, Technical
and Engineering Information, in effect on the date of contract award
and the Under Secretary of Defense (Acquisition, Technology, and
Logistics) memoranda on Fundamental Research, dated May 24, 2010, and
on Contracted Fundamental Research, dated June 26, 2008 (available at
DFARS PGI 204.4).
* * * * *
252.204-7008 [Amended]
0
11. Amend section 252.204-7008 by--
0
a. Removing the clause date of ``(DEC 2015)'' and adding ``(OCT 2016)''
in its place;
0
b. In paragraph (a), removing ``and covered defense information, are''
and adding ``covered defense information, cyber incident, information
system, and technical information are'' in its place.
0
c. In paragraph (b), removing ``252.204-7012, Covered Defense
Information and Cyber Incident Reporting,'' and adding ``252.204-7012''
in its place;
[[Page 73000]]
0
d. In paragraph (c) introductory text, removing ``(IT)''; and removing
``252.204-7012(b)(1)(ii)'' and adding ``252.204-7012(b)(2)'' in its
place;
0
e. In paragraph (c)(1), removing ``(see http://dx.doi.org/10.6028/NIST.SP.800-171),'' and adding ``(see http://dx.doi.org/10.6028/NIST.SP.800-171) that are in effect at the time the solicitation is
issued or as authorized by the contracting officer'' in its place; and
0
f. In paragraph (c)(2)(i) introductory text, removing ``that is in
effect'' and adding ``that are in effect'' in its place.
0
12. Amend section 252.204-7009 by--
0
a. Removing the clause date of ``(DEC 2015)'' and adding ``(OCT 2016)''
in its place; and
0
b. In paragraph (a)--
0
i. Revising the definition of ``covered defense information''; and
0
ii. Adding, in alphabetical order, the definitions for ``information
system'', ``media'', and ``technical information''.
The revision and additions read as follows:
252.204-7009 Limitations on the use or disclosure of third-party
contractor reported cyber incident information.
* * * * *
(a) * * *
Covered defense information means unclassified controlled technical
information or other information (as described in the Controlled
Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html) that requires safeguarding or
dissemination controls pursuant to and consistent with law,
regulations, and Governmentwide policies, and is--
(1) Marked or otherwise identified in the contract, task order, or
delivery order and provided to the contractor by or on behalf of DoD in
support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by
or on behalf of the contractor in support of the performance of the
contract.
* * * * *
Information system means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information.
Media means physical devices or writing surfaces including, but is
not limited to, magnetic tapes, optical disks, magnetic disks, large-
scale integration memory chips, and printouts onto which covered
defense information is recorded, stored, or printed within a covered
contractor information system.
Technical information means technical data or computer software, as
those terms are defined in the clause at DFARS 252.227-7013, Rights in
Technical Data--Noncommercial Items, regardless of whether or not the
clause is incorporated in this solicitation or contract. Examples of
technical information include research and engineering data,
engineering drawings, and associated lists, specifications, standards,
process sheets, manuals, technical reports, technical orders, catalog-
item identifications, data sets, studies and analyses and related
information, and computer software executable code and source code.
* * * * *
0
13. Amend section 252.204-7012 by--
0
a. Removing the clause date of ``(DEC 2015)'' and adding ``(OCT 2016)''
in its place;
0
b. In paragraph (a)--
0
i. Removing the definition of ``contractor information system'';
0
ii. In the definition of ``covered contractor information system''
removing ``an information system'' and adding ``an unclassified
information system'' in its place;
0
iii. Revising the definition of ``covered defense information'';
0
iv. Adding, in alphabetical order, the definition for ``information
system'';
0
v. In the definition of ``media'', removing ``which information is
recorded'' and adding ``which covered defense information is recorded''
in its place; and removing ``within an information system'' and adding
``within a covered contractor information system'' in its place;
0
vi. In the definition of ``rapid(ly) report(ing)'', removing
``Rapid(ly) report(ing)'' and adding ``Rapidly report'' in its place;
and
0
vii. In the definition of ``technical information'', removing ``Rights
in Technical Data-Non Commercial Items'' and adding ``Rights in
Technical Data--Noncommercial Items'' in its place;
0
c. Revising paragraph (b);
0
d. In paragraph (c)(1) introductory text, removing ``critical support''
and adding ``critical support and identified in the contract'' in its
place;
0
e. Revising paragraph (d); and
0
f. Revising paragraph (m).
The revisions and addition read as follows:
252.204-7012 Safeguarding covered defense information and cyber
incident reporting.
* * * * *
(a) * * *
Covered defense information means unclassified controlled technical
information or other information, as described in the Controlled
Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or
dissemination controls pursuant to and consistent with law,
regulations, and Governmentwide policies, and is--
(1) Marked or otherwise identified in the contract, task order, or
delivery order and provided to the contractor by or on behalf of DoD in
support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by
or on behalf of the contractor in support of the performance of the
contract.
* * * * *
Information system means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information.
* * * * *
(b) Adequate security. The Contractor shall provide adequate
security on all covered contractor information systems. To provide
adequate security, the Contractor shall implement, at a minimum, the
following information security protections:
(1) For covered contractor information systems that are part of an
information technology (IT) service or system operated on behalf of the
Government, the following security requirements apply:
(i) Cloud computing services shall be subject to the security
requirements specified in the clause 252.239-7010, Cloud Computing
Services, of this contract.
(ii) Any other such IT service or system (i.e., other than cloud
computing) shall be subject to the security requirements specified
elsewhere in this contract.
(2) For covered contractor information systems that are not part of
an IT service or system operated on behalf of the Government and
therefore are not subject to the security requirement specified at
paragraph (b)(1) of this clause, the following security requirements
apply:
(i) Except as provided in paragraph (b)(2)(ii) of this clause, the
covered contractor information system shall be subject to the security
requirements in National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-171, ``Protecting Controlled Unclassified
Information in Nonfederal Information Systems and Organizations''
(available via the internet at http://dx.doi.org/10.6028/NIST.SP.800-171) in effect at the time the solicitation is issued or as authorized
by the Contracting Officer.
(ii)(A) The Contractor shall implement NIST SP 800-171, as soon as
[[Page 73001]]
practical, but not later than December 31, 2017. For all contracts
awarded prior to October 1, 2017, the Contractor shall notify the DoD
Chief Information Officer (CIO), via email at [email protected],
within 30 days of contract award, of any security requirements
specified by NIST SP 800-171 not implemented at the time of contract
award.
(B) The Contractor shall submit requests to vary from NIST SP 800-
171 in writing to the Contracting Officer, for consideration by the DoD
CIO. The Contractor need not implement any security requirement
adjudicated by an authorized representative of the DoD CIO to be
nonapplicable or to have an alternative, but equally effective,
security measure that may be implemented in its place.
(C) If the DoD CIO has previously adjudicated the contractor's
requests indicating that a requirement is not applicable or that an
alternative security measure is equally effective, a copy of that
approval shall be provided to the Contracting Officer when requesting
its recognition under this contract.
(D) If the Contractor intends to use an external cloud service
provider to store, process, or transmit any covered defense information
in performance of this contract, the Contractor shall require and
ensure that the cloud service provider meets security requirements
equivalent to those established by the Government for the Federal Risk
and Authorization Management Program (FedRAMP) Moderate baseline
(https://www.fedramp.gov/resources/documents/) and that the cloud
service provider complies with requirements in paragraphs (c) through
(g) of this clause for cyber incident reporting, malicious software,
media preservation and protection, access to additional information and
equipment necessary for forensic analysis, and cyber incident damage
assessment.
(3) Apply other information systems security measures when the
Contractor reasonably determines that information systems security
measures, in addition to those identified in paragraphs (b)(1) and (2)
of this clause, may be required to provide adequate security in a
dynamic environment or to accommodate special circumstances (e.g.,
medical devices) and any individual, isolated, or temporary
deficiencies based on an assessed risk or vulnerability. These measures
may be addressed in a system security plan.
* * * * *
(d) Malicious software. When the Contractor or subcontractors
discover and isolate malicious software in connection with a reported
cyber incident, submit the malicious software to DoD Cyber Crime Center
(DC3) in accordance with instructions provided by DC3 or the
Contracting Officer. Do not send the malicious software to the
Contracting Officer.
* * * * *
(m) Subcontracts. The Contractor shall--
(1) Include this clause, including this paragraph (m), in
subcontracts, or similar contractual instruments, for operationally
critical support, or for which subcontract performance will involve
covered defense information, including subcontracts for commercial
items, without alteration, except to identify the parties. The
Contractor shall determine if the information required for
subcontractor performance retains its identity as covered defense
information and will require protection under this clause, and, if
necessary, consult with the Contracting Officer; and
(2) Require subcontractors to--
(i) Notify the prime Contractor (or next higher-tier subcontractor)
when submitting a request to vary from a NIST SP 800-171 security
requirement to the Contracting Officer, in accordance with paragraph
(b)(2)(ii)(B) of this clause; and
(ii) Provide the incident report number, automatically assigned by
DoD, to the prime Contractor (or next higher-tier subcontractor) as
soon as practicable, when reporting a cyber incident to DoD as required
in paragraph (c) of this clause.
* * * * *
0
14. Amend section 252.239-7010 by--
0
a. Removing the clause date of ``(AUG 2015)'' and adding ``(OCT 2016)''
in its place;
0
b. In paragraph (a)--
0
i. Adding in alphabetical order, definitions for ``compromise'' and
``information system''; and
0
ii. In the definition of ``media'', removing ``which covered defense
information'' and adding ``which information'' in its place; and
removing ``a covered contractor information system'' and adding ``an
information system'' in its place;
0
c. In paragraph (b)(2), adding the phrase ``, unless notified by the
Contracting Officer that this requirement has been waived by the DoD
Chief Information Officer'' to the end of the sentence; and removing
the semicolon and adding a period in its place;
0
d. In paragraph (d), removing ``submitted to the Department of
Defense'' and adding ``submitted to DoD'' in its place;
0
e. In paragraph (f), removing ``identified in paragraph (d) of this
clause'' and adding ``identified in the cyber incident report (see
paragraph (d) of this clause)'' in its place;
0
f. In paragraph (j), removing ``Local'' and adding ``local'' in its
place; and
0
g. In paragraph (l), removing the phrase ``the substance of''.
The additions read as follows:
252.239-7010 Cloud computing services.
* * * * *
(a) * * *
Compromise means disclosure of information to unauthorized persons,
or a violation of the security policy of a system, in which
unauthorized intentional or unintentional disclosure, modification,
destruction, or loss of an object, or the copying of information to
unauthorized media may have occurred.
* * * * *
Information system means a discrete set of information resources
organized for the collection, processing, maintenance, use, sharing,
dissemination, or disposition of information.
* * * * *
[FR Doc. 2016-25315 Filed 10-20-16; 8:45 am]
BILLING CODE 5001-06-P