US Department of Defense Regulations
DFARS Covered Defense Information Final Rule
On October 21, 2016, the U.S. Department of Defense (DoD) published the Final Rule as Defense Federal Acquisition Regulation Supplement (DFARS) Case 2013-018, entitled “Network Penetration Reporting and Contracting for Cloud Services.” This rule contains solicitation provisions and contract clauses for contract flow downs, safeguarding and disseminating Covered Defense Information (CDI) and reporting on cyber incidents related to that information. As the requirements have evolved and changed since the first draft, the November 2013 version, please be aware of the subtle differences in your active contracts.
The October 21, 2016 Final Rule follows several interim rules, published on August 26, 2015 and December 30, 2015. Those were preceded by DFARS Case 2011-D039, titled Safeguarding of Unclassified Controlled Technical Information and released on November 18, 2013, which addressed the security requirements for safeguarding unclassified controlled technical information (UCTI) on contractor systems. DFARS Case 2013-D018 amends the previous regulations, expands the requirements specified in DFARS Case 2011-D039, and includes several amended and new clauses and provisions, one of which is DFARS Clause 252.204–7012.
DFARS Clause 252.204-7012 flows down in all new solicitations and contracts, including those using FAR part 12 procedures for acquisition of commercial items. The references below highlight the changes and new requirements.
(1) Covered defense information means unclassified controlled technical information (UCTI) or other information (as described in the Controlled Unclassified Information (CUI) Registry) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
- (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
(2) Covered contractor information system means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
Two Use Cases
(1) Contractor owned or operated information systems where CDI resides or for covered contractor information systems that are not part of an information technology service or system operated on behalf of the Government.
DFARS 204.73 Clause
- Provision 252.204-7008: “Compliance with Safeguarding Covered Defense Information Controls”
- Clause 252.204-7012: “Safeguarding Covered Defense Information and Cyber Incident Reporting”
- Clause 252.204-7000: “Disclosure of Information”
- On-prem networks and systems
- Corporate shared network
- Project, lab networks and/or air-gapped from corporate
- Cloud services acquired as an extension of Corporate network
(2) Contractor owned/operated information systems operated on behalf of the customer.
DFARS 239.76 Clause
- Provision 252.239-7009: “Representation of Use of Cloud Computing”
- Clause 252.239-7010: “Cloud Computing Services”
- Dedicated network and systems for contract/program
- Cloud services acquired by Customer and/or Company for government customer use
Contractors shall provide adequate security for all covered contractor information systems:
(1) operated on behalf of the customer
- Cloud Computing Services shall be subject to security requirements in clause 252.239–7010, and in accordance with the DoD Cloud Computing Security Requirements Guide (SRG).
- Any other (non-cloud computing) IT system or service shall be subject to security requirements elsewhere in the contract.
(2) not part of an information technology service or system operated on behalf of the Government
- The security requirements required by contract clause 252.204-7012 shall be implemented for all covered defense information on all covered contractor information systems that support the performance of this contract.
- Implement the security requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (NIST 800-171 Rev1) that are in effect at the time the solicitation is issued or as authorized by the contracting officer “as soon as practical, but not later than December 31, 2017”.
- For all contracts awarded prior to October 1, 2017, the Contractor shall notify the DoD Chief Information Officer (CIO), via email at [email protected], within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award.
- Any variance from the NIST 800-171 version in effect at the time of solicitation shall be submitted in writing to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), with a written explanation of—
- (A) Why a particular security requirement is not applicable; or
- (B) How an alternative, but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection.
- If the DoD CIO has previously adjudicated the contractor’s requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.
- If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
- Apply other information systems security measures when the Contractor reasonably determines that information systems security measures, in addition to those identified in paragraphs (b)(1) and (2) of this clause, may be required to provide adequate security in a dynamic environment or to accommodate special circumstances (e.g., medical devices) and any individual, isolated, or temporary deficiencies based on an assessed risk or vulnerability. These measures may be addressed in a system security plan.
Cyber incident reporting
Contractors must report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract. Rapidly report cyber incidents directly to DoD at https://dibnet.dod.mil within 72 hours of discovery and fill in all the required elements on that form. The individuals doing the reporting require a DoD-approved medium assurance certificate to report incidents.
Subcontractors must provide the incident report number from DoD (assigned automatically after submission of the Incident Collection Form) to the prime contractor (or next higher-tier subcontractor) as soon as practicable. Submit to Parsons here.
Contractors must:
- Conduct a review for evidence of compromise of CDI or ability to provide operationally critical support to DoD.
- Isolate and submit malicious software to the DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer and applicable laws and regulations.
- Preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days from the submission of the incident report, to allow DoD to request the media or decline interest.
- If DoD requires review, provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
Subcontractor flow down
Paragraph (m) of the DFARS 252.204-7012 clause must be flowed down, without alteration, except to identify the parties, in any subcontracts or similar contractual instruments in which subcontract performance will involve covered defense information or operationally critical support, including subcontracts for commercial items.
Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from NIST SP 800-171 security requirements, and provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD.
Parsons Implementation of DFARS For Subcontractors
Parsons, as prime contractor, will flow down these clauses and provisions to all teammates and subcontractors supporting DoD and handling CDI during the performance of the contract.
Under the mandatory reporting requirement, Parsons’ subcontractors are required to first report cyber incidents directly to DoD at https://dibnet.dod.mil within 72 hours of detection and then notify their Parsons Subcontract Administrator.
Follow Parsons process here. Provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD.
DoD, in conjunction with the NIST Manufacturing Extension Partnership (MEP), has published a self-assessment guide on meeting DFARS requirements. The Handbook is intended to assist U.S. manufacturers who supply products within supply chains for the DoD and who must ensure adequate security by implementing NIST SP 800-171 as part of the process for ensuring compliance with DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
- NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
DFARS Case 2013-D018: Network Penetration Reporting and Contracting for Cloud Services
- October 2016 Final Rule
- December 2015 Interim Rule
- August 2015 Interim Rule
- DoD FAQ (Dated Jan 27, 2017)
- Webinar from DoD, DHS and NIST
Program Guidance Information (PGI)
- DFARS PGI 204.73 - Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS PGI 239.76 - Cloud Computing
DoD Office of Small Business Programs Cybersecurity