The Department of Defense has issued an interim rule amending the Defense Federal Acquisition Regulation Supplement to add requirements for contractors to report network penetrations. The rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system, or on a contractor’s ability to provide operationally critical support. The rule is intended to streamline the reporting process for DoD contractors and to minimize duplicative reporting processes. Cyber incidents involving classified information on classified contractor systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual (see DoD–M 5220.22).
The clause at DFARS 252.204–7012 is renamed ‘‘Safeguarding Covered Defense Information and Cyber Incident Reporting’’ and the scope of the clause is expanded to cover the safeguarding of covered defense information and require contractors to report cyber incidents involving this new class of information as well as any cyber incident that may affect the ability to provide operationally critical support. The rule also adds a new provision at DFARS 252.204–7008, “Compliance with Safeguarding Covered Defense Information Controls,” to ensure that offerors are aware of the requirements of clause DFARS 252.204–7012, and a new clause at DFARS 252.204–7009, “Limitations on the Use and Disclosure of Third-Party Contractor Reported Cyber Incident Information,” to protect information submitted to DoD in response to a cyber incident.
In addition, the rule implements DoD policies and procedures for contracting for cloud computing services. The DoD Chief Information Officer issued a memo on December 15, 2014, entitled ‘‘Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services’’ to clarify DoD guidance when acquiring commercial cloud services. The DoD CIO also released a Cloud Computing Security Requirements Guide Version 1, Release 1 on January 13, 2015, for cloud service providers to comply with when providing DoD with cloud services.
The rule implements these new policies in the DFARS to ensure uniform application when contracting for cloud services. Specifically, the rule adds a new subpart at DFARS 239.76, “Cloud Computing,” as well as a new provision, at DFARS 252.239–7009, “Representation of Use of Cloud Computing,” and a new clause, DFARS 252.239–7010, “Cloud Computing Services,” to provide standard contract language for the acquisition of cloud computing services, including access, security and reporting requirements. Comments on this interim rule, identified by DFARS Case 2013-D018, are due by October 26, 2015.