In 2007, a preeminent American defense contractor first
reported cyber attacks emanating from China. Four years later, upon a visit by
then Secretary of Defense Robert Gates, the Chinese Air Force revealed a
fighter jet unnervingly similar to the one manufactured by the hacked American
contractor. More recently, the FBI reported in July 2015 that hackers accessed
the personnel files and security clearances of over 22 million federal
employees and contractors.
Accordingly, the Department of Defense (DOD) moved to
strengthen the Defense Federal Acquisition Regulation Supplement (DFARS)
concerning cybersecurity. The interim rule significantly alters the contractual duties of
government contractors and subcontractors. Every
government contractor and subcontractor therefore ought to consider the following five
highlights of the interim rule.
(1) Seriousness. The regulation is effective immediately. The DOD invoked "urgent and compelling reasons" to impose the change without the typical comment period. The comment period before the rule takes final form remains open until October 26, 2015, however.
(2) Scope. First, the interim rule requires "adequate
security" against "unauthorized access and disclosure," a standard whose breadth
has not yet been defined. Second, the rule compels contractors to report to the DOD any
cyber incident "adverse or potentially adverse" to the contractor's information
technology (IT) systems. What counts as "adverse or potentially
adverse" is likewise undefined. Once a contractor or subcontractor reports an incident,
the company must make all affected "media" available for government inspection.
This includes physical devices such as laptops and cell phones as well as paper
archives.
The DOD did clarify that the rule applies to contracts for
commercial items, and that it covers proprietary information that is not
confidential. The regulations governing confidential data remain unchanged.
(3) Speed. The new regulation requires contractors and
subcontractors to report cyber incidents within 72 hours of discovering them. A prime contractor reports to the DOD,
while a subcontractor must report both to the prime contractor and to the DOD.
Fortunately, the DOD will not treat such a report, by itself, as
evidence that a company has failed to meet the rule's security requirements.
(4) Savings? The DFARS modifications are similar in language
and intent to the standards of another federal agency, one created specifically for IT
security. As such, the interim rule is "tailored for use in protecting
sensitive information residing in contractor information systems," which could
mean savings for companies that already follow those standards. Other companies, however,
especially those without IT departments or IT experts, could face
increased costs. The DOD itself estimates that some 10,000 small businesses will
need outside IT experts to analyze cyber incidents, to determine what
information was affected, and to prepare the government report.
(5) Service impact. Many contractors and subcontractors are
moving their IT services to cloud computing. The interim rule applies to cloud
computing as well: it requires companies to monitor their cloud services to confirm that
the appropriate "administrative, technical, and physical safeguards" are in place.
The broad nature of these DOD security requirements necessitates a precise and professional approach for government contractors. Vandeventer Black's Construction and Government Contracts Team attorneys are poised to help navigate those needs for our clients. Please visit the firm's website to learn more about the firm and our professionals at www.vanblacklaw.com.
Mac and Linux are much safer than PC.