Supplier Information Session
Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS 252.204-7012
August 16, 2016
Christian Ortego, Senior Counsel
DFARS Cybersecurity Rule
  - Evolution of a Rule
  - Covered Contractor Information Systems
  - NIST Standards
  - Reporting Requirements

The content discussed in this presentation is provided for informational purposes only and does not constitute legal advice or counsel. For legal advice or counsel related to issues discussed herein, please consult your attorney.
Evolution of a Rule – DFARS 252.204-7012
  - November 2013 – initial rule
  - August/September 2015 – major change
  - December 2015 – major change

Rule Evolved as DoD Received Comments/Feedback from Industry
Evolution of a Rule – DFARS 252.204-7012
November 2013 – initial rule
  - Established concepts for:
      - Information technology system standards
      - Reporting requirement for cyber incidents
  - Applied to “cleared contractors” and to systems that store or transmit unclassified controlled technical information (UCTI)

Rule Evolved as DoD Received Comments/Feedback from Industry
Evolution of a Rule – DFARS 252.204-7012
September 2015 – updated standards/expanded scope
  - Amended standards from NIST SP 800-53 to NIST SP 800-171 (DoD CIO must approve exceptions and alternative measures)
  - Expanded scope of information from unclassified controlled technical information to “covered defense information”
  - Expanded regulatory coverage to all contractors and subcontractors
  - 72-hour incident reporting requirement to both:
      - DoD
      - Higher-tier contractor

September Change Greatly Broadened Scope of Rule
Evolution of a Rule – DFARS 252.204-7012
December 2015 – current rule
  - Extended deadline to meet NIST SP 800-171 to December 31, 2017
  - Report areas of non-compliance to DoD CIO
  - Same scope of information covered as September rule
  - Required inclusion in all DoD contracts
  - Mandatory flowdown to all subcontractor tiers

December Change Maintained Rule but Extended NIST Standards Deadline
Covered Contractor Information Systems
Current Rule: systems owned or operated by, or for, a contractor that process, store, or transmit “Covered Defense Information”, which is:
  - Controlled technical information
  - Critical information
  - Export-controlled information; or
  - “Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information).”

The type of information subject to safeguarding and the additional reporting obligations are not the interim rule’s only material changes. Under the previous regime, contractors were only required to report cyber incidents affecting UCTI. The interim rule, on the other hand, requires contractors to report any cyber incident affecting (i) covered defense information (a broader category of data than UCTI), (ii) contractor information systems that contain covered defense information, and/or (iii) information that affects the contractor’s ability to provide operationally critical support. For example, under the interim rule, the reporting requirement would be triggered by a cyber incident that affects the contractor’s information system housing covered defense information, even if the information itself was not affected.

“Covered Information Systems” is Broad Concept
NIST Standards
Current Rule: NIST SP 800-171
  - Deadline to meet NIST SP 800-171 is as soon as possible but no later than (NLT) December 31, 2017
  - Covers a variety of factors (the NIST SP 800-171 requirement families):
      - Access Control
      - Awareness and Training
      - Audit and Accountability
      - Configuration Management
      - Identification and Authentication
      - Incident Response
      - Maintenance
      - Media Protection
      - Personnel Security
      - Physical Protection
      - Risk and Security Assessments
      - System and Communication Protection
      - System and Information Integrity
  - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

Over 100 Items Included in the Standards
Reporting Requirements
Current Rule – Two Main Requirements
  1. Report to DoD CIO within 30 days of contract award from HII/NNS/Ingalls:
       - YES or NO: in compliance with NIST standards
       - If NO: must report areas of non-compliance to DoD CIO
  2. Report cyber incidents within 72 hours to BOTH DoD (through http://dibnet.dod.mil/) and NNS/Ingalls

The reporting requirements are in effect upon award of a contract with the clause (i.e., the December 2017 deadline DOES NOT change the reporting requirements).

Reporting Requirements are in Effect Now
Questions?