Final rule issued on cyber incident reporting.

Author:Cassidy, Susan B.
Position:Government Contracting Insights

The Department of Defense Oct. 4 issued a final cyber rule addressing mandatory cyber incident reporting requirements for companies that enter into "agreements" with the department. The rule also highlights the department's desire to encourage greater participation in the voluntary defense industrial base cybersecurity information sharing program. This rule is effective Nov. 3.

The department confirmed that the cyber rule was not retroactive and that contract specific requirements would take precedence over the rule's requirements. Thus, the language in current procurement contracts will continue to govern unless modified.

The department clarified the applicability of the cyber rule in some respects. Specifically, the it applies to "all forms of agreements (contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements and any other type of legal instrument or agreement)." Currently the defense federal acquisition regulations (DFARS) clauses at 252.204-7012 and 252.239-7009 apply only to procurement contracts. Thus, companies that enter into agreements beyond procurement contracts should expect to see terms and conditions implementing the requirements for reporting cyber incidents. When that will occur, however, remains unclear.

On the other hand, the cyber rule does not address whether certain entities--such as an internet service provider--qualify as subcontractors under the DFARS clauses. Lack of clarity in this area makes the flow down requirements for DFARS 252.204-7012 challenging for prime and subcontractors alike.

The cyber rule previewed revisions that the department made on Oct. 21 to the clauses in the DFARS that implement cybersecurity requirements for defense procurement contracts. For example, the definition of "covered defense information" was modified consistent with this cyber rule. Rather than the four categories of information that appeared in the December 2015 version of the clause, the October version defines covered defense information as any data in the "controlled unclassified information" registry that requires "safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government wide policies," so long as the information is either marked or identified in the contract, or received or created during performance of a contract.

Although reliance on the registry expands the scope of information that requires safeguarding, it also provides...

To continue reading