
DOD/DARC
RIN: 0750-AI61
Publication ID: Fall 2015
Title: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018)
Abstract:

The Department of Defense (DoD) is issuing an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 and section 1632 of the NDAA for FY 2015, both of which require contractor reporting on network penetrations. Section 941 requires cleared defense contractors to report penetrations of networks and information systems and allows DoD personnel access to equipment and information to assess the impact of reported penetrations. Section 1632 requires that a contractor designated as operationally critical must report each time a cyber-incident occurs on that contractor’s network or information systems. The rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support. This rule also implements policy on the purchase of cloud computing services. The revisions to this rule will be reported in future status updates as part of DoD's retrospective plan under Executive Order 13563, completed in August 2011. DoD's full plan can be accessed at: http://www.regulations.gov/#!docketDetail;D=DOD-2011-OS-0036.

Agency: Department of Defense (DOD)
Priority: Other Significant
RIN Status: First time published in the Unified Agenda
Agenda Stage of Rulemaking: Final Rule Stage
Major: No
Unfunded Mandates: No
CFR Citation: 48 CFR 202; 48 CFR 204; 48 CFR 212; 48 CFR 239; 48 CFR 252; ... (To search for a specific CFR, visit the Code of Federal Regulations.)
Legal Authority: 41 USC 1303; 41 USC 1707; Pub. L. 112-239, sec. 941; Pub. L. 113-291, sec. 1632
Legal Deadline: None

Statement of Need:

DoD is required to implement in the DFARS a requirement for contractors to report network penetrations. Additionally, the DoD Chief Information Officer (CIO) released a Cloud Computing Security Requirements Guide on January 13, 2015, which cloud service providers must comply with when providing cloud services to DoD.

Summary of the Legal Basis:

This rule is required under the authorities of section 941 of the NDAA for FY 2013 (Pub. L. 112-239) and section 1632 of the NDAA for FY 2015 (Pub. L. 113-291).

Alternatives:

No viable alternatives were identified, as this rule implements section 941 of the NDAA for FY 2013 and section 1632 of the NDAA for FY 2015, as well as the guidance established by the DoD CIO on security requirements for cloud computing.

Anticipated Costs and Benefits:

Cost benefits or burdens associated with this rule are not available. The objective of the rule is to improve information security for DoD information stored on or transiting through contractor systems as well as in a cloud environment. The rule will reduce the vulnerability of DoD information via attacks on its systems and networks and those of DoD contractors. This rule improves national security benefiting both the Government and contractors. This rule is likely to have a cost impact on all contractors that have covered defense information on their information systems. The cost impact of the rule will vary in relation to the capabilities of each affected contractor to adapt their systems to meet the new security controls. The benefits of the rule would be the potential decrease in the loss or compromise of covered defense information; however, this benefit across DoD is not susceptible to being quantified or measured. Ultimately, DoD anticipates significant savings to taxpayers by improving information security for DoD information that resides in or transits through contractor systems and a cloud environment.

Risks:

Recent high-profile breaches of Federal information show the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts. Failure to implement this rule may cause harm to the Government through the compromise of covered defense information or other Government data, or the loss of operationally critical support capabilities, which could directly impact national security.

Timetable:

Action                                          Date         FR Cite
Interim Final Rule                              08/26/2015   80 FR 51739
Interim Final Rule Effective                    08/26/2015
Interim Final Rule Comment Period End           10/26/2015
Interim Final Rule Comment Period Extended      10/22/2015   80 FR 63928
Interim Final Rule Comment Period Extended End  11/20/2015
Final Action                                    08/00/2016

Regulatory Flexibility Analysis Required: No
Government Levels Affected: Federal
Small Entities Affected: Businesses
Federalism: No
Included in the Regulatory Plan: Yes
RIN Data Printed in the FR: No
Agency Contact:
Jennifer Hawes
Defense Acquisition Regulations System
Department of Defense
3060 Defense Pentagon, Room 3B941,
Washington, DC 20301-3060
Phone: 571 372-6115
Email: jennifer.l.hawes2.civ@mail.mil