This article series is meant to provide crucial information to government contractors regarding the cybersecurity policies of the United States Government (“USG”). If you missed Part 1, it began the discussion with a review of FAR § 52.204-21 (the “Basic Rule”) and DFARS § 252.204-7008 (the “Compliance Clause”). Part 2 of the series introduced DFARS § 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting (the “CDI Clause”), and focused on one of the two primary elements of the clause: the requirement for contractors to provide Adequate Security. This Part 3 will address the second primary element of the clause, the Cyber Incident Reporting requirement, and discuss the remaining incidental requirements contained in the CDI Clause.
Cyber Incident Reporting Requirement
The Cyber Incident Reporting requirement in the CDI Clause essentially breaks down into two requirements: reviewing and reporting. These reviewing and reporting requirements are triggered any time the contractor discovers a “cyber incident.” According to the CDI Clause, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or potentially adverse effect on an information system and/or the information residing therein.” If a contractor discovers a cyber incident that affects a contractor’s Covered IT System, the CDI contained on the Covered IT System, or the contractor’s ability to perform the requirements of the applicable contract that are designated as operationally critical support and identified in the contract, the contractor is required to take two steps.
First: the contractor is required to conduct a “Cyber Incident Review” for evidence that CDI was compromised. This includes identifying compromised computers, servers, specific data, and user accounts. The “Cyber Incident Review” will also include an analysis of the contractor’s Covered IT Systems that were part of the cyber incident, as well as any other systems on the contractor’s network that could have been accessed as a result. The purpose of this analysis is to identify any compromised CDI.
Concurrent with the “Cyber Incident Review,” the contractor is required to submit a “Cyber Incident Report” within 72 hours of the discovery of the cyber incident. The Cyber Incident Report is to be made to the DoD at the DoD’s reporting website (https://dibnet.dod.mil/portal/intranet/), which provides information on all elements required for the report. The “Cyber Incident Report” is to be treated as information created by or for the DoD, meaning that it may be releasable outside of the DoD. As part of the reporting requirement, contractors (or subcontractors) are required to acquire a DoD-approved “medium assurance certificate” to report cyber incidents.
Other Requirements of CDI Clause
In addition to the Adequate Security and Cyber Incident Reporting requirements, the CDI Clause contains several other requirements that must be adhered to by contractors:
- Malicious Software – If a contractor (or subcontractor) discovers and isolates malicious software in connection with a cyber incident, it is required to submit the malicious software to the DoD Cyber Crime Center. The malicious software is not to be sent to the Contracting Officer.
- Media Preservation and Protection – Following the discovery of a cyber incident, the contractor is required to preserve and protect images of all known affected IT systems as identified during the “Cyber Incident Review,” as well as all relevant monitoring/packet capture data, for at least 90 days from the submission of the Cyber Incident Report. This allows the DoD to request the media.
- Access to Additional Information or Equipment – If requested by the DoD, the contractor is required to provide the DoD with access to additional information or equipment that is necessary for the DoD to conduct a forensic analysis.
- Cyber Incident Damage Assessment Activities – If the DoD elects to conduct a damage assessment, the Contracting Officer will request that the contractor provide all damage assessment information gathered during the contractor’s Media Preservation activities.
- Marking of Attributional/Proprietary Information – The contractor is required, to the maximum extent practicable, to identify and mark attributional/proprietary information submitted to the USG. The USG will protect against unauthorized use or release of this information obtained from the contractor.
- Release of Attributional/Proprietary Information – Any attributional/proprietary information provided by the contractor to the USG that was not created by or for the DoD is authorized to be released outside of the DoD: (1) to entities with missions that may be affected by such information; (2) to entities that may be called upon to assist in the diagnosis, detection, or mitigation of cyber incidents; (3) to Government entities that conduct counterintelligence or law enforcement investigations; (4) for national security purposes; or (5) to a support services contractor directly supporting USG activities under a contract that includes FAR § 252.204-7009 (limitations on the use or disclosure of third-party Contractor Reported Cyber Incident Information). Any attributional/proprietary information provided by the contractor to the USG that was created by or for the DoD is authorized to be released outside of the DoD for any lawful government purpose or activity, including those enumerated in the previous sentence.
- Other Safeguarding or Reporting Requirements – While the requirements of the CDI Clause (and by extension, NIST SP 800-171) are quite extensive, adherence with those specific security requirements does not excuse a contractor from meeting security requirements required by the subject contract or other applicable statutes or regulations.
Requirement to Flow Down CDI Clause to Subcontractors
Given that CDI may be developed, received, transmitted, or stored in a subcontractor’s Covered IT System, it is not surprising that contractors are required to flow down the entire CDI Clause into any lower-tier subcontract, or similar agreement, that requires the subcontractor to perform operationally critical support that will involve CDI. This means the CDI Clause may be applicable to contractors all the way down the chain. Subcontractors (at any point in the chain) are required to notify the prime contractor (or next higher-tier subcontractor) when they submit a request to the Contracting Officer to vary from a NIST SP 800-171 security requirement. The CDI Clause also requires subcontractors to provide the prime contractor (or next higher-tier subcontractor) with the incident report number after filing a Cyber Incident Report.
The requirements of the Basic Clause and the CDI Clause are myriad, but compliance with the clauses is very likely to affect contractors doing business with the Federal Government. It is important for contractors to assess whether any of their contracts contain either clause, or both, and to conduct a robust analysis of whether their company policies and procedures are sufficient to meet the various security requirements of whichever cybersecurity clause is applicable. It is best practice for contractors to include the safeguarding and reporting requirements of the USG’s cybersecurity clauses as part of their internal code of ethics and conduct policies or programs.
More information on medium assurance certificates can be found at http://iase.disa.mil/pki/eca/Pages/index.aspx.
If you have questions about this or any other cybersecurity matter, please contact me at firstname.lastname@example.org.
ABOUT BRYAN KING
Bryan King focuses his practice on federal contracting matters, including handling all aspects of bid protests and appeals. He has represented numerous government contractors before the U.S. Court of Federal Claims, Government Accountability Office (GAO), Small Business Administration (SBA) Office of Hearings and Appeals, the Civilian and Armed Services Boards of Contract Appeals, and other government agencies on procurement-related issues.
ABOUT OFFIT KURMAN
Offit Kurman is one of the fastest-growing, full-service law firms in the Mid-Atlantic region. With over 170 attorneys offering a comprehensive range of services in virtually every legal category, the firm is well positioned to meet the needs of dynamic businesses and the people who own and operate them. Our eleven offices serve individual and corporate clients in the Virginia, Washington, DC, Maryland, Delaware, Pennsylvania, New Jersey, and New York City regions. At Offit Kurman, we are our clients’ most trusted legal advisors, professionals who help maximize and protect business value and personal wealth. In every interaction, we consistently maintain our clients’ confidence by remaining focused on furthering their objectives and achieving their goals in an efficient manner. Trust, knowledge, confidence—in a partner, that’s perfect.