From: Defense Acquisition Regulations System, Department of Defense (DoD) via Federal Register
48 CFR Parts 202, 204, 212, 239, and 252
[Docket No. DARS-2015-0039]
RIN 0750-AI61
Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018)
ACTION: Interim rule.
-----------------------------------------------------------------------
SUMMARY: DoD is issuing an interim rule amending the Defense Federal
Acquisition Regulation Supplement (DFARS) to implement a section of the
National Defense Authorization Act for Fiscal Year 2013 and a section
of the National Defense Authorization Act for Fiscal Year 2015, both of
which require contractor reporting on network penetrations.
Additionally, this rule implements DoD policy on the purchase of cloud
computing services.
DATES: Effective August 26, 2015.
Comment date: Comments on the interim rule should be submitted in
writing to the address shown below on or before October 26, 2015 to be
considered in the formation of a final rule.
SUPPLEMENTARY INFORMATION:

I. Background

This interim rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor's ability to provide operationally critical support. DoD is working to establish a single reporting mechanism for DoD contractor reporting of cyber incidents on unclassified information systems. This rule is intended to streamline the reporting process for DoD contractors and minimize duplicative reporting processes. Cyber incidents involving classified information on classified contractor systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual (see DoD-M 5220.22, available at http://www.dtic.mil/whs/directives/corres/pdf/522022m.pdf).

The rule revises the DFARS to implement section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 (Pub. L. 112-239) and section 1632 of the NDAA for FY 2015. Section 941 of the NDAA for FY 2013 requires cleared defense contractors to report penetrations of networks and information systems and allows DoD personnel access to equipment and information to assess the impact of reported penetrations. Section 1632 of the NDAA for FY 2015 requires that a contractor designated as operationally critical must report each time a cyber incident occurs on that contractor's network or information systems.

In addition, this rule implements DoD policies and procedures for use when contracting for cloud computing services. The DoD Chief Information Officer (CIO) issued a memo on December 15, 2014, entitled "Updated Guidance on the Acquisition and Use of Commercial Cloud Computing Services," to clarify DoD guidance when acquiring commercial cloud services (see memo here: http://iase.disa.mil/cloud_security/Pages/docs.aspx). The DoD CIO also released a Cloud Computing Security Requirements Guide (SRG) Version 1, Release 1 on January 13, 2015, with which cloud service providers must comply when providing cloud services to DoD (see SRG here: http://iase.disa.mil/cloud_security/Pages/index.aspx). This rule implements in the DFARS the policies developed in the DoD CIO memo and the SRG, to ensure uniform application when contracting for cloud services across the DoD.

The combination of the two statutes and the cloud computing policy will increase the cyber security requirements placed on DoD information in contractor systems, will help DoD mitigate the risks related to compromised information, and will gather information for future improvements in cyber security policy.

II. Discussion and Analysis