The Department of Defense’s DFARS Network Penetration and Contracting for Cloud Services rule continues to be problematic. That is why the IT Alliance for Public Sector (ITAPS) sent a letter to the Department of Defense requesting that the Department host a public technical forum to resolve the many questions and concerns identified by our industry in trying to implement the Final Rule.
The rule requires contractors to implement certain cybersecurity safeguards and report data breaches within 72 hours, which is a goal we all share, but it has been complicated by new security controls put forward by the National Institute of Standards and Technology (NIST SP 800-171) and by the adoption of data safeguarding requirements put forth by the National Archives and Records Administration.
After our last call for a meeting to help ameliorate the concerns that contractors have, DOD released a frequently asked questions document some 25 pages long. That companies and organizations have this many questions is a good indicator of how perplexed they are by this regulation, and it demonstrates how much this public forum is needed, especially with the added complexity of the NIST requirements.
In our letter, we recommend a collaborative forum with industry to create the processes and procedures required to implement a successful protection program. Such a forum could address challenges that include:
- Clarifying exactly what is meant by the term “Covered Defense Information” and what responsibility DoD components have to designate all forms of CDI.
- Identifying or clarifying what is meant by the qualifying phrase “by or on behalf of DoD in support of the performance of the contract.”
- Adjusting the DFARS to be risk managed and tailorable, to allow contractors and subcontractors to comply through means distinct from SP 800-171, such as use of the NIST “Voluntary Cybersecurity Framework” or, for a phased transition period, adoption of the more limited set of 15 safeguards required by the FAR “Basic Safeguarding” rule for less critical CDI and CUI.
- Clarifying what is meant by “equivalent” to FedRAMP, so that companies will know what cloud services they can use and how those services relate to NIST 800-171, in order to assess what the cloud service provides and what the company may need to furnish to meet the required cybersecurity controls.
- Collaborating with industry to develop a model for a safe harbor from strict liability for a cyber incident perpetrated upon a contractor or subcontractor where those parties have performed in accordance with all of the contract and policy requirements, such as the safe harbor established by law for counterfeit electronic parts in the DoD supply chain.
A long-overdue meeting with the contracting community would go a long way toward clearing up some of the fog and uncertainty that continues to surround the new rule. It would present an opportunity for the Defense Department to answer questions and provide guidance so that contractors can continue to perform on contracts and meet mission needs. Without the meeting, contractors will continue to struggle to understand the regulation and its far-reaching impacts on how a company or supplier protects its networks and data. But through a full collaborative dialogue with the goal of resolving these and other outstanding challenges, stakeholders can meet the compliance deadline at the end of the calendar year.