When last we left the Department of Defense, they had issued a rather wide-reaching interim DFARS rule addressing cybersecurity practices, data retention, and cloud services purchasing guidance. Now, effective October 2, 2015, before the ink can dry on those nascent rules (comments are due October 26, 2015), the DoD has applied them to the once-voluntary DoD-Defense Industrial Base (DIB) Cybersecurity (CS) activities by revising the regulations (32 C.F.R. Part 236). That’s right, what was once entitled a “voluntary” program is now a mandatory program and just in time for a host of data retention and cyber-reporting requirements!
The revised regulations, found here, all but mirror the interim DFARS rule in terms of definitions and requirements and serve further to establish a mandatory, single cyber incident reporting mechanism for the reporting of incidents occurring on unclassified DoD contractor systems. However, the regulations expressly note that the reporting mechanisms it establishes do not abrogate a contractor’s reporting requirements for other types of controlled unclassified information (CUI) (e.g., personally identifiable information (PII), budget or financial information). Accordingly, it is imperative that DoD contractors and subcontractors – like all commercial companies – know what data they possess, understand the cybersecurity reporting requirements attached to that data, know the regulators to whom they must report any incidents (e.g., DoD, FTC, SEC, FCC), and, perhaps most importantly, have the right internal data security plan, procedures and personnel able to report and respond in the manner demanded.
Background
For the uninitiated, until last Friday (October 2, 2015), the DIB Cybersecurity and Information Assurance (CS/IA) program was a voluntary, public-private cybersecurity partnership created by the DoD in October 2013. Its purpose was to enhance and supplement DIB network defenses in the hopes of protecting DoD data, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness. It solicited participants by promoting “a collaborative environment” where participants can “share actionable cyber threat information that may be used to bolster cybersecurity posture.” It also promised “[a]ccess to government classified cyber threat information” and “[t]echnical assistance from the DoD Cyber Crime Center (DC3) including analyst-to-analyst exchanges, mitigation and remediation strategies, and best practices” to further those goals.
The Scope of the New Regulations
With the revised regulations, however, the DIB CS/IA has morphed into something of a hybrid, a combination of both mandatory requirements and voluntary memberships, that DoD contractors should understand and carefully consider.
The new regulations echo the new DFARS interim rule by requiring “all DoD contractors to rapidly report cyber incidents involving covered defense information on their covered contractor information systems or cyber incidents affecting the contractor’s ability to provide operationally critical support.” This cyber reporting requirement will be found in all agreements that contemplate “covered defense information” residing on or transiting through a contractor’s information systems. To this end, the significant definitions in the regulations also echo the new definitions in the interim rule, namely the terms “compromise” (disclosure of information or violation of a system security policy), “covered defense information” (generally consisting of controlled technical information, OpSec information, export restricted information, and other information identified as sensitive and provided by DoD), “cyber incident” (the loosely defined “compromise or an actual or potentially adverse effect” on an information system), and the broadly defined “media.” But, to be clear, when the regulation says “all DoD contractors” it refers to any individual or organization “outside the U.S. Government who has accepted any type of agreement or order to provide research, supplies, or services to DoD, including prime contractors and subcontractors.” It is not voluntary and prime contractors are required to flow down the cyber incident reporting requirements of this part to their subcontractors, as appropriate.
The Rapid Reporting Requirement
In summary, the regulation requires that when a contractor or subcontractor discovers a “cyber incident” (and recall this includes probable activity), the contractor shall:
(1) Review for evidence of compromise of covered defense information including
a. Identify compromised computers, servers, specific data, and user accounts;
b. Analyze covered contractor information system(s) that were part of the cyber incident; and
c. Analyze other network systems that may have been accessed as a result of the incident.
(2) Possess or obtain a DoD-approved medium assurance certificate to report cyber incidents (with information allegedly available here: http://iase.disa.mil/pki/eca/certificate.html); and
(3) Report the incident in the format required “within 72 hours of discovery at http://dibnet.dod.mil, which may include:
a. Company name
b. Company point of contact information (address, position, telephone, email)
c. Data Universal Numbering System (DUNS) Number
d. Contract number(s) or other type of agreement affected or potentially affected
e. Contracting Officer or other type of agreement point of contact (address, position, telephone, email)
f. USG Program Manager point of contact (address, position, telephone, email)
g. Contact or other type of agreement clearance level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
h. Facility CAGE code
i. Facility Clearance Level (Unclassified, Confidential, Secret, Top Secret, Not applicable)
j. Impact to Covered Defense Information
k. Ability to provide operationally critical support
l. Date incident discovered
m. Location(s) of compromise
n. Incident location CAGE code
o. DoD programs, platforms or systems involved
p. Type of compromise (unauthorized access, unauthorized release (includes inadvertent release), unknown, not applicable)
q. Description of technique or method used in cyber incident
r. Incident outcome (successful compromise, failed attempt, unknown)
s. Incident/Compromise narrative
t. Any additional information
However, submitting the report is not the final act. Contractors and subcontractors are also on the hook to
-
Submit malicious software discovered and isolated by the contractor to the DoD Cyber Crime Center (DC3) for forensic analysis;
-
Preserve and protect images of known affected information after a cyber incident and all relevant monitoring/packet capture data for at least 90 days from submission of the cyber incident report to allow DoD to request the media or decline interest; and
-
If so requested, provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis; which may include providing all of the damage assessment information gathered in response to the breach with paragraph (e) of this section.
Voluntary Membership Remains
While the DoD made the reporting requirement mandatory, the revised regulations elected to continue a voluntary participation element through a cyber-information sharing program. Under this program, eligible contractors may elect to execute a standardized agreement, referred to as a Framework Agreement (FA), to share cybersecurity information with DoD and other participants. The Framework Agreement, of course, will include additional terms and conditions above and beyond those addressed in the regulations and aspires to promote threat and situational awareness across the DIB, or at least to those who choose to participate in this program.
So it’s official. DoD contractors and subcontractors have been drafted into a fight to secure and defend their country’s data from the looming threats of cyber criminals and cyber-terrorists. While we all know that there are a lot of risks out there, it is important for contractors to remember that there are just as many here at home – only here they are waiting in contract clauses and circling in regulatory definitions. To that end, all contractors need to plan accordingly – IN ADVANCE OF AGREEING TO GOVERNMENT REQUIREMENTS – if they expect to do business in accordance with the regulations being imposed by all executive agencies. For these draftees, knowledge, not strength, is the key to make it through what is sure to be a very rough “boot camp” experience.