Certain Defense Department contractors in possession of unclassified yet nonpublic information would become subject to National Institute of Standards and Technology cybersecurity standards under a proposed rule change to the Defense Acquisition Regulation Supplement published in the Federal Register June 29.
Under the proposed rule, the DoD would set up two standards of cybersecurity that private sector contractors would have to contractually affirm an ability to implement: A “basic” standard for any contractor in possession of nonpublic DoD data, and an “enhanced” standard for other contractors. The requirement would apply at least to first-tier subcontractors; the discussion of the rule printed in the Federal Register says the requirement would “be passed down through the supply chain.”
The enhanced standard would apply to contractors in possession of critical program information (under DoD Directive 5200.39 [.pdf]); critical information (under DoD 5205.02 [.pdf]); any information with a controlled access designation such as “sensitive but unclassified;” data subject to export controls under International Traffic in Arms Regulations and Export Administration Regulations; technical data; anything exempt from the Freedom of Information Act; and, personally identifiable information.
Contractors under the enhanced security standard would have to implement cybersecurity standards codified by NIST in Special Publication 800-53 (.pdf)–not all of them, just 58 of the standards enumerated in the document.
Enhanced security standard contractors would also come under a reporting requirement whereby they could have to report any cyber incident affecting DoD information with 72 hours of its occurrence. DoD policy would be that a “properly reported” cyber incident “shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards,” the proposed rule states.
The basic standard would apply to information exempt from disclosure under FOIA or not yet released to the public.
Basic standard contractors would have a far-less onerous set of requirement to adhere to under the proposal rule, such as attesting that employees don’t access DoD information on public computers, and that storage media is sanitized before disposal.
The DoD acknowledges that small businesses are more likely to be affected by the rule than large Defense contractors, since most large contractors handling sensitive information already have information assurance controls and could implement 800-53 standards with minimal additional cost.
About 76 percent of DoD small business contractors would be required to implement the enhanced standard, the Pentagon estimates.
Comments are due by the end of August 29.