The GovCon Bulletin™
DoD Amends Cybersecurity Rule, Extends Compliance Deadline
December 30, 2015
Goodbye 2015, Bring On 2016!
In today's bulletin we review DoD's second interim rule, issued this morning, that implements cybersecurity requirements on government contractors. As we approach the final days of 2015, we want to wish you all a safe and joyous end of the year, and a Happy and Prosperous New Year!
This morning the U.S. Department of Defense (DoD) issued an interim rule that amends a prior interim rule issued on August 26, 2015 implementing sections of the National Defense Authorization Act for Fiscal Year 2013 and the National Defense Authorization Act for Fiscal Year 2015 (collectively, the NDAA). Those NDAA sections and the prior DoD interim rule required cleared contractors to report penetrations of networks and information systems and to allow DoD personnel access to equipment and information to assess the impact of reported penetrations; additionally contractors designated as operationally critical were required to report each time a cyber incident occurs on the contractor's network or information systems. Lastly, the prior interim rule implemented DoD policies and procedures for use when contracting for cloud computing services and required compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and organizations.”
On December 14, 2015, DoD held a public meeting to address industry concerns over implementation of the interim rule.
Consequently, in this morning’s interim rule, DoD amended DFARS to allow additional time for contract offerors to implement the security requirements specified by NIST SP 800-171, which will be required to be in place not later than December 31, 2017. DFARS also is amended to require contractors to notify the DoD Chief Information Officer (CIO) of any NIST SP 800-171 security requirements that are not implemented at the time of contract award, within 30 days of contract award. The second interim rule also makes the following additional changes:
- The subcontractor flowdown requirements in DFARS provision 252.204-7009 and clause 252.204-7012 are amended to require, when applicable, inclusion of the clause without alteration, except to identify the parties.
- The subcontractor flowdown requirement in DFARS clause 252.204-7012 is further amended to limit the requirement to flow down the clause only to subcontractors where their efforts will involve covered defense information or where they will provide operationally critical support.
- DFARS clause 252.204-7012 is amended to remove the requirement for DoD CIO acceptance of alternative but equally effective security measures prior to award.
Comments are due on February 29, 2016.
We will monitor closely these developments and will write more on DoD’s cybersecurity requirements in the coming months.