October 31, 2016
On November 3, 2016, a new final rule from the Department of Defense (DoD) will take effect, requiring covered contractors and subcontractors to report a broad range of cyber incidents within 72 hours.[1] As one of several recent announcements by DoD regarding cybersecurity requirements for contractors,[2] the rule underscores the importance to DoD of securing sensitive defense information in the possession of the private sector. DoD is not the only government agency where cybersecurity is a key priority: DoD’s announcement echoes recent rulemaking efforts by other federal, state, and local agencies.[3]
The rule applies to contractors and subcontractors that hold various types of unclassified controlled technical information or other safeguarded information, as well as contractors and subcontractors that provide “operationally critical support.”[4] DoD is still “developing procedures to ensure that contractors are notified when they are providing supplies or services designated as operationally critical support.”[5] Until then, contractors should ask their contracting officer for confirmation as to whether the rule applies to them or their subcontractors.[6]
The “cyber incidents” that trigger the rule’s reporting requirement are defined broadly as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”[7] Covered entities must “rapidly report” (within 72 hours) cyber incidents discovered on an unclassified information system that is owned or operated by or for a DoD contractor and which processes, stores or transmits covered defense information.[8] Such information is defined to include unclassified controlled technical information, as well as other information that requires safeguarding or dissemination controls.[9]
The rule’s reporting requirements are triggered when a covered entity discovers either a cyber incident involving covered defense information on its covered contractor information system, or a cyber incident affecting the contractor’s ability to provide operationally critical support.[10] When coupled with the broad definition of “cyber incident,” which includes even actions with a potentially adverse effect on an information system or its contents, DoD is likely to interpret these reporting requirements to require reports in response to a wide range of events. When the reporting requirements are triggered, the contractor must:
Subcontractors must report incidents directly to DoD, as well as to the prime contractor (or next higher-tier subcontractor).[12] In addition to mandatory reporting, the rule encourages voluntary reporting of cyber threat indicators and information that may help to “better counter threat actor activity.”[13]
When submitting required cyber incident reports, contractors are required to “obtain DoD-approved medium assurance certificates to ensure authentication and identification.”[14] DoD acknowledges the cost to contractors of doing so, but does not mention additional costs relating to the required response, reporting and preservation requirements associated with compliance. These costs may be significant.
The final rule clarifies that it applies to all “forms of agreements (e.g., contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement).”[15] The final rule is intended to be applied only prospectively, although DoD does note the option to modify preexisting agreements “when . . . appropriate.”[16]
The final rule acknowledges DoD’s obligation to protect contractor attributional/proprietary information submitted in compliance with this rule. But the rule places a burden on contractors to take steps to protect their own information, requiring that contractors mark attributional/proprietary information submitted to DoD “to the maximum extent practicable.”[17] DoD is authorized to use and release information it obtains through reports made pursuant to this rule for various purposes associated with defending against and preventing cyber threats.[18]
While the rule is intended in part to simplify contractors’ reporting of cyber incidents, the rule is not all-encompassing: contractors remain subject to other DoD cybersecurity requirements as well.[19] Indeed, on October 21, 2016, DoD adopted a separate final rule addressing contractor reporting on network penetrations.[20]
The publication of this new final rule provides an opportunity for contractors to reassess their cyber incident response plans so that required notifications can be timely made following any future incidents. Given the increasing frequency with which the federal government has pursued stiff penalties in enforcement actions for cybersecurity violations in other contexts – as evidenced by actions by the Department of Health and Human Services, Federal Trade Commission, Securities and Exchange Commission, and Consumer Financial Protection Bureau, among others – defense contractors would be well-served to ensure compliance with these requirements.
[1] 81 Fed. Reg. 68312; see 32 C.F.R. §§ 236.2, 236.4.
[2] See, e.g., 81 Fed. Reg. 72986.
[3] See, e.g., Gibson Dunn Client Alert, Federal Banking Regulators Announce New Proposed Cybersecurity Standards (Oct. 24, 2016), available at https://www.gibsondunn.com/federal-banking-regulators-announce-new-proposed-cybersecurity-standards/; Gibson Dunn Client Alert, New York State Department of Financial Services Announces Proposed Cybersecurity Regulations (Sept. 19, 2016), available at https://www.gibsondunn.com/new-york-state-department-of-financial-services-announces-proposed-cybersecurity-regulations/.
[4] 32 C.F.R. §§ 236.2, 236.4; see 81 Fed. Reg. 68317.
[5] 81 Fed. Reg. 68314.
[6] 81 Fed. Reg. 68314, 68315.
[7] 32 C.F.R. § 236.2.
[8] Id. § 236.2.
[9] Id.; see 81 Fed. Reg. 68317.
[10] Id. § 236.1.
[11] 32 C.F.R. § 236.4.
[12] Id.
[13] 32 C.F.R. § 236.4; see 81 Fed. Reg. 68317.
[14] 81 Fed. Reg. 68313.
[15] 81 Fed. Reg. 68317.
[16] 81 Fed. Reg. 68313.
[17] 32 C.F.R. § 236.4; see 81 Fed. Reg. 68313.
[18] 32 C.F.R. § 236.4.
[19] 68 Fed. Reg. 68314.
[20] 81 Fed. Reg. 72986.
The following Gibson Dunn lawyers assisted in the preparation of this client alert: Alexander Southwell, Karen Manos, Joseph West, Ryan Bergsieker, and Rustin Mangum.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. For further information about these issues, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s Privacy, Cybersecurity and Consumer Protection or Government Contracts practice groups:
Privacy, Cybersecurity and Consumer Protection Group:
Alexander H. Southwell – Chair, New York (+1 212-351-3981, [email protected])
M. Sean Royall – Dallas (+1 214-698-3256, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Shaalu Mehra – Palo Alto (+1 650-849-5282, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Richard H. Cunningham – Denver (+1 303-298-5752, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Government Contracts Group:
Karen L. Manos – Chair, Washington, D.C. (+1 202-955-8536, [email protected])
Joseph D. West – Washington, D.C. (+1 202-955-8658, [email protected])
© 2016 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.