On October 21, 2016, the U.S. Department of Defense (DoD) published the Final Rule as Defense Federal Acquisition Regulation Supplement (DFARS) Case 2013-018, entitled “Network Penetration Reporting and Contracting for Cloud Services.” This rule contains solicitation provisions and contract clauses for contract flow downs, safeguarding and disseminating Covered Defense Information (CDI) and reporting on cyber incidents related to that information. As the requirements, have evolved and changed since the November 2013 version, first draft, please be aware of the subtle differences in your active contracts.
The Oct 21, 2016 Final Rule follows several interim rules published in August 26, 2015 Interim Rule, and December 30, 2015 Interim Rule. Those were preceded by DFARS Case 2011-D039 titled Safeguarding of Unclassified Controlled Technical Information, released on November 18, 2013, which addressed the security requirements for safeguarding unclassified, controlled technical information (UCTI) on contractor systems. DFARS Case 2013-D018 amends the previous regulations and expands requirements specified in DFARS Case 2011-D039 and includes several amended and new clauses and provisions, one of which is DFARS Clause 252.204–7012.
DFARS Clause 252.204-7012 flows down in all new solicitations and contracts, including those using FAR part 12 procedures for acquisition of commercial items. The references below highlight the changes and new requirements.
(1) Covered defense information means unclassified controlled technical information (UCTI) or other information (as described in the Controlled Unclassified Information (CUI) Registry) that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
(2) Covered contractor information system means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
(1) Contractor owned or operated information systems where CDI resides or for covered contractor information systems that are not part of an information technology service or system operated on behalf of the Government.
DFARS 204.73 Clause
(2) Contractor owned/operated information systems operated on behalf of the customer.
DFARS 239.76 Clause
Contractors shall provide adequate security for all covered contractor information systems,
(1) operated on behalf of the customer
(2) not part of an information technology service or system operated on behalf of the Government
Contractors must report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract. Rapidly report cyber incidents directly to DoD at https://dibnet.dod.mil within 72 hours of discovery and fill in all the required elements on that form. The individuals doing the reporting require a DoD-approved medium assurance certificate to report incidents.
Subcontractors must provide the incident report number from DoD (assigned automatically after submission of the Incident Collection Form) to the prime contractor (or next higher-tier subcontractor) as soon as practicable add Submit to Parsons here.
Contractors must conduct a review for evidence of compromise of CDI or ability to provide operationally critical support to DoD, isolate and submit malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer and applicable laws and regulations, preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days from the submission of the incident report, to allow DoD to request the media or decline interest. If DoD requires review, provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
Paragraph (m) of the DFARS 252.204-7012 clause must be flowed down, without alteration, except to identify the parties, in any subcontracts or similar contractual instruments in which subcontract performance will involve covered defense information or operationally critical support, including subcontracts for commercial items.
Notify the Prime contractor (or next higher tier subcontractor) when submitting a request to vary from NIST SP-800-171 security requirements, and
provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD.
Parsons as prime contractor will flow down these clauses and provisions to all teammates and subcontractors in support of DoD and handling CDI during the performance of the contract.
Parsons’ subcontractors are required to report cyber incidents directly to DoD at https://dibnet.dod.mil within 72 hours of detection under the mandatory reporting requirement first and then notify their Parsons’ Subcontract Administrator.
Follow Parsons process here. Provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD.
DoD in conjunction with NIST Manufacturing Extension Partnership (MEP) has published a self-assessment guide on meeting DFARS requirements. The Handbook is intended to be a guide to assist U.S. manufacturers who supply products within supply chains for the DOD and who must ensure adequate security by implementing NIST SP 800-171 as part of the process for ensuring compliance with DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
DFARS Case 2013-D018: Network Penetration Reporting and Contracting for Cloud Services
Program Guidance Information (PGI)