Posted on Thursday, April 19, 2018

DoD Sheds More Light on Compliance with DFARs Cyber Clause

On April 2, 2018, DoD issued an extensive new set of Frequently Asked Questions (FAQs) regarding implementation of the DFARs Cybersecurity Clause (252.204-7012), NIST 800-171 and the Cloud Computing Clauses (252.229-7009 & -7010), which shed considerable light on what the Department expects, and will expect, from defense contractors.

Over the next few weeks, we’ll cover some of the key takeaways from the FAQ. In this article, we’ll discuss what is and is not included in the definition of Covered Defense Information (“CDI”). Because the cybersecurity clause is found in close to 90% of DoD contracts, many contractors need to know the details of CDI and what they have to do with it.

The regulations define “Covered Defense Information” as unclassified controlled technical information or… Controlled Unclassified Information (CUI) that is:

(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

Covered Defense Information really does include what contractors create in the performance of a contract. No, the Department does not have to provide the information to you, or mark it, for the internal information you use in performing a contract to become CDI.

  • Much attention has been placed on subsection (1) above which places a duty on the government to identify or mark CDI that is provided to the contractor under the contract.
  • Many stakeholders read the Director of DPAP’s guidance memorandum on implementation of this clause, dated September 21, 2017, as confirming that if CDI will result from a contract, the CO must “mark or otherwise identify [the CDI] in the contract.”
  • Some read subsection (2) out of the definition and decided not to worry about what CDI is, believing that the contract will spell it out.
  • The new FAQs make clear the error of these ways. In several answers (Q&A 29 & 30), DoD makes clear that under subsection (2) of the definition, CDI includes Controlled Unclassified Information, or CUI, that is “developed, used or stored by the contractor in the performance of the contract.”

That means contractors must affirmatively know and identify CDI. That also means they need to have a good grasp of Controlled Unclassified Information (CUI):

  • The FAQ states that the value of the new cyber clause is that it applies both to DoD-related CUI (as defined under the new NARA CUI rule) and DoD contract information so as to avoid a separate safeguarding clause for DoD CUI.
  • By referencing the CUI Registry, any change in the registry automatically changes the DoD cyber clause.
  • In several places, the FAQs confirm that the duty to recognize and safeguard CDI “collected, developed, received, transmitted, used or stored” by the contractor in performing the contract is the contractor’s obligation and, if there is a question, contractors should query dibcsia@mail.mil for assistance. DoD promises prompt response to those questions.

Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, legal updates, events, and more. This post was published in the April 2018 Monthly Insights newsletter.

Steve Britt is a Partner at Berenzweig Leonard LLP. Steve leads the firm’s Cybersecurity Law practice and can be reached at SBritt@BerenzweigLaw.com.