*This is the second post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post defines key terms relating to new DoD cyber security regulations.
The regulations introduce several new key terms. Some of the terms appear vague and may impose more of a burden than anticipated on the more than 10,000 contractors that are subject to the rules, of which less than half are small businesses. Here are some examples:
- A “compromise” is defined as any disclosure of information to an unauthorized person or in violation of a security policy of a system, in which authorized intentional or unintentional disclosure, modification, destruction, or loss of an object or the copying of information to unauthorized media may have occurred. DFARS 252.204-7010(a). An example of a common violation of a security policy may be an employee’s copying of information onto a thumb drive to work on out of the office when company policy prohibits copying such information. This type of a violation will now result in a reportable event.
- A “cyber incident” means actions taken through the use of computer networks that result in a compromise or “an actual or potentially adverse effect” on an information system and/or the information residing therein. DFARS 252.204-7012(a). What is a reportable “potentially adverse” effect on an information system? Is a cyber incident that is stopped by a firewall, before the loss of the information’s confidentiality, access, or integrity, potentially adverse? The notice suggests that a reportable incident requires penetration of a network, but the definition suggests a much broader reporting obligation.
- “Covered defense information” means unclassified information that is (i) provided to the contractor by or on behalf of DoD in connection with the performance of the contract or (ii) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and (i) controlled technical information; (ii) critical information (for operations security); (iii) export controlled; or (iv) “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Government-wide policies (e.g., privacy, proprietary business information). DFARS 252.204-7012(a). Contractors, especially those that are small businesses, will likely have to rely on experienced attorneys and consultants to keep them informed of the numerous obligations imposed under new “laws, regulations, and Government-wide policies,” unless those are enumerated and identified.
These are just a few examples, and more will likely be raised in the comments to the regulations.
Submitting Comments to DoD
A copy of the new regulations is available here, and was published at 80 Federal Register 51739 (Aug. 26, 2015).
Comments on the regulations are due October 26, 2015. They can be submitted through regulations.gov or by email to email@example.com and must include the title for the Federal Register document (DFARS Case 2013-DO18).
For more information on achieving compliance with the new regulations or submitting comments, you may contact the author Bill Wagner. Bill holds the CIPP/G, CIPP/US, CPCU designations, is a member of the Sedona Conference Working Groups on Data Security and Privacy Liability, and Electronic Document Retention and Production, and serves as a Steering Committee Member to DRI’s Government Enforcement and Corporate Compliance Committee.