December 30, 2015
Goodbye 2015, Bring On 2016!
In today's bulletin we review DoD's second interim rule, issued this morning, that implements cybersecurity requirements on government contractors. As we approach the final days of 2015, we want to wish you all a safe and joyous end of the year, and a Happy and Prosperous New Year!
Mark Amadeo
This morning the U.S. Department of Defense (DoD) issued an interim rule that amends a prior interim rule, issued on August 26, 2015, implementing sections of the National Defense Authorization Act for Fiscal Year 2013 and the National Defense Authorization Act for Fiscal Year 2015 (collectively, the NDAA). Those NDAA sections and the prior DoD interim rule required cleared contractors to report penetrations of networks and information systems and to allow DoD personnel access to equipment and information to assess the impact of reported penetrations. Additionally, contractors designated as operationally critical were required to report each time a cyber incident occurs on the contractor's network or information systems. Lastly, the prior interim rule implemented DoD policies and procedures for use when contracting for cloud computing services and required compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
On December 14, 2015, DoD held a public meeting to address industry concerns over implementation of the interim rule.
Consequently, in this morning’s interim rule, DoD amended DFARS to allow additional time for contract offerors to implement the security requirements specified by NIST SP 800-171, which will be required to be in place not later than December 31, 2017. DFARS also is amended to require contractors to notify the DoD Chief Information Officer (CIO) of any NIST SP 800-171 security requirements that are not implemented at the time of contract award, within 30 days of contract award. The second interim rule also makes the following additional changes:
Comments are due on February 29, 2016.
We will closely monitor these developments and will write more on DoD’s cybersecurity requirements in the coming months.