The United States Defense Department has published a final cybersecurity regulation concerning unclassified “controlled technical information.” See 78 Fed. Reg. 69,273 (Nov. 18, 2013) [pdf]. The objective of the regulation is to require contractors to maintain “adequate security” on unclassified information systems on which CTI may reside or transit and to implement detailed reporting requirements for “cyber incidents.” The final rule is narrower than the proposed regulation, which sought to safeguard unclassified DoD information generally. See 76 Fed. Reg. 38,089 (June 29, 2011) [pdf].
Definition of CTI
The final rule includes a new DFARS provision (DFARS 204.7300) and a DFARS contract clause (DFARS 252.204-7012), which impose new security measures and reporting requirements on contractors and subcontractors whose work involves unclassified “controlled technical information resident on or transiting through contractor information systems.”
The rule broadly defines CTI as “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” DFARS 204.7301.
The term “technical information” is further defined to mean “recorded information, regardless of the form or method of the recording, of a scientific or technical nature . . . .” See DFARS 252.227-7013. Examples of technical information include research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
While this is a broad definition, comments on the new rule limit its application to information requiring controls pursuant to DoD Instruction 5230.24 [pdf] and DoD Directive 5230.25 [pdf]. Contractors should not have to devote resources simply to the task of determining whether information is CTI or not.
“Adequate Security” requirements
The first requirement of the regulation is to provide “adequate security” for CTI that is resident on or transiting through contractor information systems. Adequate security is defined as protective measures that are “commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”
To provide “adequate security,” contractors must, at a minimum, implement controls specified by the National Institute of Standards and Technology. The clause provides a table of the mandated minimum NIST controls, which can be found in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations [pdf]. If the mandatory NIST controls are not implemented, the contractor must provide the Contracting Officer a written explanation of why the control is not applicable or how an alternative control achieves equivalent protection.
Notably, the implementation of the minimum NIST controls does not provide a contractor safe harbor from the consequences of a cyber incident because the rule requires a contractor to implement additional security measures when they are necessary in light of assessed risks or vulnerabilities.
Contractors must also impose the new contract requirement on their subcontractors. The new DFARS clause is designated a mandatory flowdown for all subcontracts, including subcontracts for commercial items. According to the comments accompanying the final rule, DoD intends to hold contractors responsible for subcontractor compliance.
Reporting a “cyber incident”
In addition to implementing security measures, the new rule requires contractors to report any “cyber incident” within 72 hours of discovery. “Cyber incident” is broadly defined: “actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.” Reportable cyber incidents include possible exfiltration, manipulation, or other loss or compromise of CTI from an unclassified information system. They also include any unauthorized access to an unclassified information system on which CTI is resident or transiting.
In addition to reporting a cyber incident, DFARS 252.204-7012(d)(4) requires the contractor to take three additional steps:
- conduct a further review of its network to identify compromised computers, services, data, and user accounts;
- review data accessed during the incident to identify specific CTI; and
- preserve and protect images of known affected information systems and all relevant monitoring/packet capture data for at least 90 days.
If DoD initiates damage assessment activities within 90 days, it may request additional information regarding the cyber incident.
A contracting officer is required to consider the occurrence of a cyber incident in an overall assessment of the contractor’s compliance with safeguarding requirements. By itself, however, occurrence of a cyber incident is not evidence that the contractor failed to provide adequate safeguards. DFARS 204.7302(b)(2).