August 16, 2022

Volume XII, Number 228


August 15, 2022

Subscribe to Latest Legal News and Analysis

Cybersecurity Update: DoD Releases Long-Awaited Final Rule

On October 21, 2016, the Department of Defense (DoD) issued its long-awaited Final Rule—effective immediately—imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI). The Final Rule has been years in the making and is the culmination of an initial rule issued in November 2013, two interim rules published in August 2015 and December 2015, and years of comments and experience by DoD and its contractors.  The new Rule materially alters the predecessor rule in a number of respects and clarifies several important issues relating to contracting for cloud computing services.

Key substantive changes include the following:

  • Adds new definitions or clarifies existing definitions for “covered defense information,” “covered contractor information system,” “export control,” the “other” category of CDI, and “operationally critical support.”

  • Directs that DFARS provisions 252.204-7008 and 252.204-7012 should not be used in solicitations and contracts “solely” for commercial-off-the-shelf (COTS) items.

  • Amends DFARS 252.204-7000 to clarify that fundamental research, by definition, does not involve any CDI.

  • Amends DFARS 252.204-7012 to:

    • Provide guidance on requests to vary from NIST SP 800-171 security controls and mandate that subcontractors notify the prime contractor (or next higher tier subcontractor) when submitting such a variance request;

    • Clarify that contractors must implement safeguarding requirements on all covered contractor information systems, not just those that support the performance of work on the contract;

    • Confirm that contractors are not required to implement any security requirements if an authorized representative of the DoD Chief Information Officer (CIO) has adjudicated a request to vary or determined that a security control is not applicable;

    • Require contractors to ensure that external cloud service providers (CSPs) used in performance of a contract to store, process, or transmit any CDI must: (i) meet security requirements equivalent to those established by the Government for FedRAMP moderate baseline; and (ii) comply with DFARS 252.204-7012’s reporting, protection, and access requirements; and

    • Clarify that the clause must be flowed down to subcontractors when CDI is necessary for performance of the subcontract.

  • Modifies DFARS 239.7602-1 to provide two exceptions where a contracting officer may award a contract to acquire cloud services from a CSP that has not been granted a provisional authorization by the Defense Information System Agency (DISA).

© 2022 Covington & Burling LLPNational Law Review, Volume VI, Number 299

About this Author

Susan B. Cassidy, Government Contracts Attorney, Covington Burling, Law Firm

Susan Cassidy advises clients on the complex rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. She combines a sophisticated knowledge of the FAR and DFARS with the practical insight gained from senior in-house positions at both dedicated defense and commercial item contractors.

Ms. Cassidy conducts internal investigations for clients on wide array of government contracts and national security compliance issues. She regularly advises on FAR mandatory disclosure obligations and represents...

Mike Wagner, Covington, government contracts lawyer

Mike Wagner helps government contractors navigate high-stakes enforcement matters and complex regulatory regimes.

Mr. Wagner works closely with contractors across a range of industries to achieve the efficient resolution of regulatory enforcement actions and government investigations. He also conducts internal investigations of potential compliance issues, advises clients as to FAR mandatory disclosure requirements, and regularly represents clients in suspension and debarment proceedings.