On December 30, partially in response to industry concerns voiced during its December 14 public meeting, DoD issued a new interim rule further revising the August 26, 2015 Network Penetration and Cloud Computing interim rule, which originally had obliged many defense contractors to implement a new set of security standards for their unclassified networks immediately. Comments are due on or before February 26, 2016. A copy of the new interim rule is available here. The rule is being issued without public comment because DoD recognizes that contractors are at risk of not being able to comply with the terms of contracts that require the handling of covered defense information.

This second interim rule amends DFARS provision 252.204–7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS clause 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, to give offerors additional time to implement the security requirements specified by NIST SP 800–171, which must be in place not later than December 31, 2017. The clause is also amended to require contractors to notify the DoD Chief Information Officer (CIO), within 30 days of contract award, of any NIST SP 800–171 security requirements that are not implemented at the time of award. The status the contractor provides to the DoD CIO on implementation of the NIST SP 800–171 security requirements will enable DoD to monitor progress across the Defense industrial base, identify trends in the implementation of these requirements and, in particular, identify issues with industry implementation of specific requirements that may require clarification or adjustment. This information will also inform DoD's assessment of the overall risk to DoD covered defense information on unclassified contractor systems and networks.

The second interim rule makes the following additional changes:

  • The subcontractor flowdown requirements in DFARS provision 252.204–7009 and clause 252.204–7012 are amended to require, when applicable, inclusion of the clause without alteration, except to identify the parties.
  • The subcontractor flowdown requirement in DFARS clause 252.204–7012 is further amended to limit flowdown of the clause to subcontractors whose efforts will involve covered defense information or who will provide operationally critical support.
  • DFARS clause 252.204–7012 is amended to remove the requirement for DoD CIO acceptance of alternative but equally effective security measures prior to award.