Implications of cyber clauses in contracts.

Author: Cassidy, Susan B.
Position: Government Contracting Insights

On Aug. 26 and Dec. 30, the Department of Defense issued interim rules that greatly expanded the obligations imposed on defense contractors for safeguarding covered defense information and for reporting cybersecurity incidents.

It is especially important for contractors to address compliance now because a government-wide federal acquisition rule is expected later this year and similar requirements are likely to be imposed outside of the Defense Department.


Here are some key issues for contractor consideration:

* Determine if covered defense information is present on IT systems: Under the interim rules, covered defense information is defined very broadly, in four categories: controlled technical information; critical information; export controlled information; and a "catch all" provision that includes any information--marked or otherwise identified in the contract--that requires safeguarding or dissemination controls pursuant to "law, regulations and government-wide policies." Given the breadth of these definitions, it is likely that most contracts will have covered defense information associated with them, but such an analysis is the first step. Unless a contractor's IT systems are segregated between defense and commercial data, once a contractor accepts the Defense Federal Acquisition Regulation (DFARS) clause and covered defense information is present on its IT systems, the requirements of the interim rules will apply.

* Register for a Defense Department-approved medium assurance certificate: This is necessary to file a cyber incident report. Additional information about registration can be found at http://iase.disa.mil/pki/eca/Pages/index.aspx.

* Watch for modifications to existing contracts: Some defense contractors already have accepted the November 2013 version of the DFARS clause, which covered a narrower set of defense information and imposed different security controls than the NIST Special Publication (SP) 800-171 controls imposed by the interim rules. In the absence of a contract clause that expressly authorizes the contracting officer to revise, add or delete a clause without the contractor's consent, the Defense Department should not be able to impose the new DFARS clause unilaterally. That being said, once a contractor accepts the new version of the clause in just one agreement, it may be in the contractor's interest to amend earlier contracts so that its IT systems are not subject to differing...
