DoD’s Implementation of Network Penetration Reporting and Contracting for Cloud Services

Published: January 06, 2016

Tags: Acquisition Reform, Cloud Computing, Cybersecurity, Defense, Policy and Legislation

This follow-up post recaps key points from a recent industry day held by the Defense Procurement and Acquisition Policy (DPAP) office on the implementation of DFARS Case 2013-D018 concerning Network Penetration Reporting and Contracting for Cloud Services.

On December 15, 2015, the Defense Procurement and Acquisition Policy (DPAP) office held an industry day to brief vendors on the implementation of DFARS Case 2013-D018 concerning “Network Penetration Reporting and Contracting for Cloud Services.” Since I had coincidentally published a post on DFARS Clause 252.204-7012 on that same date, it made sense to recap the information presented during the DPAP’s industry day in order to clarify how the DoD intends to implement the new rules. Vendors working with the DoD are encouraged to review the entire briefing, as only a few key points are discussed here.

Application of the New Rule – DPAP authorities discussed how the new rules work with rules currently in place to protect defense information. DFARS Subpart 204.73, published in November 2013, applies to contracts and subcontracts requiring the “safeguarding of unclassified controlled technical information resident on or transiting through contractor unclassified information systems.” The new DFARS Clause 252.204-7012 augments DFARS Subpart 204.73 to include “covered defense information” that resides in or transits through covered contractor information systems.

Covered defense information consists of “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” This information is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract” and includes controlled technical information, information critical for operational security, “information whose export could reasonably be expected to adversely affect U.S. national security and nonproliferation objectives,” and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information).”

Minimum Security Protections – Vendors are required to comply with the requirements of NIST SP 800-171, “Protecting Controlled Unclassified Information on Nonfederal Information Systems and Organizations.” Industry apparently voiced concerns over the time it would take to engineer multifactor authentication into their systems, which is a requirement for SP 800-171 compliance. The DPAP therefore announced that if offerors anticipate that additional time will be necessary to implement derived security requirement 3.5.3 of NIST SP 800-171, they will be given 9 months from the date of contract award to make the necessary changes.

The key things to note here are a) that security requirement 3.5.3 of NIST SP 800-171 makes multifactor authentication the de facto baseline security standard for the DoD and b) that contract awardees must inform the contracting officer of the time they need to implement multifactor authentication in order to be granted the up-to-9-month grace period.

Requirements for Subcontractors – Lastly, the DPAP made clear that DFARS Clause 252.204-7012 applies to subcontractors as well as prime contractors even though a “subcontractor need only provide adequate security when the effort will involve a covered contractor information system,” meaning when the subcontractor’s system “will process, store, or transmit covered defense information.” Primes are responsible for ensuring that all relevant subcontractor systems are in compliance.

The need for multifactor authentication is obvious in this age of high-profile cyber breaches. Still, one cannot help but wonder whether, in the near term, this rule benefits large FedRAMP+ compliant infrastructure providers at the expense of smaller providers, who will now be required to invest in multifactor authentication for their systems. For those vendors the cost of doing business with the Department of Defense just went up.