On August 26, 2015, the U.S. Department of Defense (DoD) issued an interim rule that affects almost all government contractors. The interim rule requires government contractors to report “cyber incidents” that result in an actual or potentially adverse effect on contractor information systems or on the information residing in them. The rule went into effect immediately.
The rule does not affect computer security involving classified material, but addresses penetrations of unclassified information systems that may store controlled technical information, export-controlled information, critical information, or other information that must be protected by federal law or regulation.
In addition, the interim rule addresses the use of cloud computing services.
The rule is required by the National Defense Authorization Act (NDAA) of 2013 and the NDAA of 2015.
Government contractors need to review the new rule and consult with their information technology (IT) personnel to determine what steps need to be taken. Because the rule directs that information be protected according to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 instead of NIST SP 800-53, contractors may actually find the new rule a bit easier to implement. (DoD studies indicate that the new standard may reduce required tasks by as much as 30 percent.)
When responding to requests for quotations or proposals, contractors should expect to see questions or affirmations about whether cloud-computing services will be used in the performance of the contract.
By the way, before regulations are issued, a proposed rule is normally published first, and a comment period (typically 30 to 60 days) runs before the final rule is issued and takes effect. In this case, however, the DoD issued an interim rule that went into effect immediately. Pursuant to 5 U.S.C. § 553, Federal agencies may issue interim rules that take effect immediately when they have good cause. In justifying the interim rule, the announcement points to an urgent need to protect defense information and to recent attacks on information systems operated by government contractors, systems that often store government information used in the performance of contracts. The announcement also alludes to recent attacks on unclassified information systems operated by the government itself, such as the breach at the U.S. Office of Personnel Management.
You have until October 26, 2015, to comment on the interim rule before the DoD issues its final rule governing this area of information security.
See my earlier post about NIST SP 800-171.
Items on this web page are general in nature. They cannot—and should not—replace consultation with a competent legal professional. Nothing on this web page should be considered rendering legal advice.