On October 21, 2016, the Department of Defense (“DoD”) issued a final rule (the “final rule”) codifying the specific actions DoD contractors and subcontractors must take to adequately safeguard “covered defense information” (“CDI”) and to report and respond to cyber incidents on “covered contractor information systems,” including those leveraging the cloud. The final rule updates several provisions of the Defense Federal Acquisition Regulation Supplement (“DFARS”) including two significant interim clauses DoD issued in late 2015: DFARS 252.239-7010 (“Cloud Computing Services”) and DFARS 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”) (herein referred to as the “interim clauses”). The interim clauses largely overhauled DoD’s scheme for information security on contractor systems, including cloud-based systems. This Client Alert comes as the latest in a series of alerts members of our team have made as the Government continually updates its approach to information and data security to counter increasingly dangerous cyber-risks.
Following the interim rulemaking, many Federal contractors and subcontractors were surprised by the interim clauses, which came without notice or opportunity to comment. The contractor community also had mixed-to-negative reactions to the interim clauses because they imposed new, seemingly burdensome security controls, required contractors to “rapidly report” cyber incidents to DoD within 72 hours of discovery, and required contractors to observe a host of forensic preservation requirements that many viewed as equally onerous. Contractors also struggled with the broad applicability of the clauses, which applied to any “contractor information system” handling a broad universe of data and information DoD termed “covered defense information” or “CDI.” In addition, many commercial cloud service providers (“CSPs”) expressed concern that the clauses imposed standards more invasive and burdensome than those they had developed in the commercial marketplace.