August 9, 2020

Volume X, Number 222

DoD Issues Targeted Class Deviation Updating Recently Adopted Cybersecurity DFARS Clauses

Last week, on October 8th, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-7008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

We previously reported on the August 26th Department of Defense (DoD) interim rule that greatly expanded the obligations imposed on defense contractors for safeguarding “covered defense information” and for reporting cybersecurity incidents involving unclassified information systems that house such information. The interim rule, which went into effect immediately, requires non-cloud contractors to comply with several new requirements, including those in DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” and DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls.” While the class deviation is a welcome development for contractors that may struggle to implement the NIST SP 800-171 requirements for multifactor authentication, the deviation: (1) requires contractors to notify the government if they need more time to satisfy those requirements, and (2) does not alter any other aspect of the August 26th interim rule.

DFARS 252.204-7012 requires prime contractors and their subcontractors to employ “adequate security” measures to protect “covered defense information.” Specifically, contractors must adhere to the security requirements in the version of NIST SP 800-171 that is in effect “at the time the solicitation is issued or as authorized by the Contracting Officer,” or employ alternative security measures approved in writing by an authorized representative of the DoD Chief Information Officer. Special Publication 800-171 describes fourteen families of basic security requirements. As described in section 2.2 of 800-171, each of these fourteen families has “derived security requirements,” which provide added detail of the security controls required to protect government data. These basic requirements are based on FIPS Publication 200, which “provides the high level and fundamental security requirements” for government information systems. The derived requirements are taken from the security controls contained in NIST Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” Among those derived requirements is one for “multifactor authentication for local and network access.”

DoD contractors and subcontractors should be aware of what the class deviation does and does not change:

  1. Effective immediately, DoD contractors and subcontractors are required to comply with the clauses at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DEVIATION 2016-O0001) (OCT 2015) and DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016-O0001) (OCT 2015), in lieu of the clauses that were issued as part of the August 26th interim rule.

  2. Under the new clauses, DoD contractors (and subcontractors, through the prime contractor) may notify the contracting officer that they need up to 9 months (from the date of award or the date of a modification incorporating the new clauses) to comply with the requirements for “multifactor authentication for local and network access” in Section 3.5.3 of NIST SP 800-171.

  3. The revised clauses apply to all DoD contracts and subcontracts, including those for the acquisition of commercial items.

  4. The class deviation only impacts non-cloud contractor information systems that are not operated on behalf of the government (e.g., contractor internal systems).

  5. DoD contractors and subcontractors that cannot meet the specific requirements of NIST 800-171, including the requirements of Section 3.5.3, may still seek authorization from DoD to use “[a]lternative but equally effective security measures.”

  6. With the exception of the targeted changes to DFARS 252.204-7012 and DFARS 252.204-7008 (i.e., affording contractors up to 9 months to comply with Section 3.5.3 of NIST 800-171, provided they notify the contracting officer), all other requirements introduced by the August 26th interim rule remain in effect.

  7. Non-cloud contractor information systems that are operated on behalf of the government remain “subject to the security requirements specified [in their contracts].”

  8. The class deviation does not impact DoD cloud computing contracts, which remain subject to DFARS 252.239-7010, Cloud Computing Services.

Ensuring Compliance With the Revised DFARS Clauses and NIST SP 800-171 Section 3.5.3

During the solicitation phase of a procurement subject to the revised DFARS clauses, DoD contractors and subcontractors should engage technical experts to determine whether they would need additional time to satisfy the NIST requirements for multifactor authentication. If a contractor determines that additional time is needed, and is later awarded a contract subject to the new requirements, then the contractor should immediately notify the contracting officer in writing and should ensure that all subsequent communications with the government are adequately documented.

Upon providing such notice, contractors will have up to nine months (from the date of contract award or modification incorporating the revised clauses) to comply with Section 3.5.3 of NIST SP 800-171, which requires contractors to: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” See NIST SP 800-171, Section 3.5.3 (emphasis added). Section 3.5.3 is a derived requirement of the basic security requirement in section 3.5 for identification and authentication. Section 3.5.3 of NIST SP 800-171 notes that:

  • “Multifactor authentication” requires two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic device, token); or (iii) something you are (e.g., biometric). The requirement for multifactor authentication does not require the use of a federal Personal Identification Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. Rather, “[a] variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials.” See id., n. 22.

  • “Local access” is any access to an information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

  • “Network access” is any access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).
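The following is an added example, not code from the article or from Covington & Burling, showing how a contractor's security team might encode the two tests above when auditing authentication records: whether Section 3.5.3 requires multifactor authentication for a given account and access path, and whether the factors actually presented fall into two or more different categories (two "something you know" credentials do not count). The credential-to-factor mapping and the event fields are assumptions.

```python
"""Check constructed authentication events against NIST SP 800-171 Section 3.5.3."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # password, PIN
    HAVE = "something you have"   # hard or soft token, smartcard
    ARE = "something you are"     # biometric


# Assumed mapping from a credential type seen in logs to its factor category.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOW, "pin": Factor.KNOW,
    "totp": Factor.HAVE, "smartcard": Factor.HAVE, "key_fob": Factor.HAVE,
    "fingerprint": Factor.ARE,
}


@dataclass
class AuthEvent:
    user: str
    privileged: bool
    access: str            # "local" or "network"
    credentials: tuple     # credential types presented in this login


def mfa_required(event: AuthEvent) -> bool:
    """3.5.3: MFA for local and network access to privileged accounts,
    and for network access to non-privileged accounts."""
    if event.access not in ("local", "network"):
        raise ValueError(f"unknown access type: {event.access}")
    return event.privileged or event.access == "network"


def is_multifactor(credentials: tuple) -> bool:
    """True only when two or more *different* factor categories are present."""
    categories = {CREDENTIAL_FACTOR[c] for c in credentials}  # KeyError on unknown type
    return len(categories) >= 2


def assess(event: AuthEvent) -> str:
    required = mfa_required(event)
    return "compliant" if (not required or is_multifactor(event.credentials)) else "non-compliant"


# Constructed sample events for the audit.
SAMPLE_EVENTS = [
    AuthEvent("admin1", True, "local", ("password",)),              # privileged, one factor
    AuthEvent("admin1", True, "local", ("password", "smartcard")),  # know + have
    AuthEvent("user1", False, "local", ("password",)),              # local non-privileged: MFA not required
    AuthEvent("user1", False, "network", ("password", "pin")),      # two credentials, one category
    AuthEvent("user1", False, "network", ("password", "totp")),     # know + have
]


def audit(events=SAMPLE_EVENTS):
    return [(e.user, e.access, assess(e)) for e in events]


if __name__ == "__main__":
    for row in audit():
        print(*row)
```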

© 2020 Covington & Burling LLP. National Law Review, Volume V, Number 285


About this Author

Susan B. Cassidy, Government Contracts Attorney, Covington Burling, Law Firm

Susan Cassidy advises clients on the complex rules and regulations imposed on government contractors, with a special emphasis on the defense and intelligence sectors. She combines a sophisticated knowledge of the FAR and DFARS with the practical insight gained from senior in-house positions at both dedicated defense and commercial item contractors.

Ms. Cassidy conducts internal investigations for clients on wide array of government contracts and national security compliance issues. She regularly advises on FAR mandatory disclosure obligations and represents...

Alejandro L. Sarria, Covington Burling, litigation lawyer
Special Counsel

Alejandro L. Sarria is an experienced government contracts litigator and counselor. He represents civilian and defense contractors in litigation involving the federal government, including in contract disputes before the Boards of Contract Appeals (BCA) and U.S. Court of Federal Claims (COFC). Mr. Sarria also defends private contractors in high-profile tort cases arising out of military operations, national security programs, and environmental remediation projects.

In his counseling practice, Mr. Sarria advises government contractors on a range of federal procurement issues, including matters involving cost allowability, tort mitigation under federal insurance (FAR 52.228-7) and indemnity provisions (Public Law 85-804, 10 U.S.C. § 2354), TINA cost or pricing data, the Cost Accounting Standards (CAS), commercial items and GSA schedule contracting, subcontract flowdowns and formation, the Mandatory Disclosure Rule, the Anti-Deficiency Act, and the SAFETY Act.

Patrick Stanton, litigation lawyer, Covington Burling

Patrick Stanton is an associate in the firm’s Washington, DC office and a member of the Government Contracts group.  He advises clients on a variety of contracting and procurement issues, including Federal Supply Schedule contracting compliance, domestic sourcing requirements, cost and pricing issues, and organizational conflicts of interest.

In addition to general counseling, Mr. Stanton has represented clients on bid protests before the Government Accountability Office and various state and federal agencies.  He has also worked on several internal investigations...

Catlin Meade, Cybersecurity lawyer, Covington

Catlin Meade advises clients across a broad range of cybersecurity and government contracts matters, including government and internal investigations, compliance with cybersecurity and data breach regulations, and SAFETY Act applications.

Representative Matters

  • Counsel to multiple companies in responding to data and cybersecurity incidents.
  • Advised a leading defense contractor on a multi-million-dollar prime-subcontractor dispute in connection with a NATO contract.
  • Key member of team that successfully represented a large government...