On Friday, October 21, 2016, the Department of Defense (DoD) issued a final rule implementing changes to its December 2015 interim rule on DoD contractor cyber incident reporting and cloud computing. See our earlier reporting on the 2015 interim rule here. The final rule is effective upon the publication date, October 21, 2016. DoD has also issued a separate final rule for the Defense Industrial Base (DIB) Cybersecurity (CS) Activities program, effective November 3, 2016, that applies the same cyber incident reporting requirements to entities with other, non-procurement DoD agreements (e.g., contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement). See our post on that DIB final rule here.
The final rule includes a number of significant changes in response to public comments received on the interim rule. Although we will be releasing a more detailed analysis shortly, some key highlights of the final rule are:
- Mirroring the recent Defense Industrial Base Cybersecurity Activities (DIB CS) final rule, the definition of “covered defense information” (CDI) in the Defense Federal Acquisition Regulation Supplement (DFARS) has been revised to include Unclassified Controlled Technical Information (UCTI) and all other types of Controlled Unclassified Information (CUI) on the CUI Registry. See our earlier analysis of the CUI final rule here.
- In response to public comments, DoD has amended the rule to exclude solicitations and contracts for the acquisition of commercial off-the-shelf (COTS) items.
- The final rule also amends DFARS clause 252.204–7000, Disclosure of Information, to clarify that fundamental research is exempt from the coverage of the rule (i.e., fundamental research, by definition, does not involve any CDI).
- The rule has been amended to clarify that when a DoD contractor is not itself providing cloud computing services in the performance of the contract, but intends to use an external cloud service provider (CSP) to store, process, or transmit any CDI for the contract, then that external CSP must meet security requirements “equivalent to” those established by the government for the FedRAMP Moderate baseline at the time of award.
For additional information about this topic, please contact the authors of this posting or the Hogan Lovells attorney with whom you work.