DoD Issues Targeted Class Deviation Updating Recently Adopted Cybersecurity DFARS Clauses

Last week, on October 8, 2015, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-7008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

We previously reported on the August 26th Department of Defense (DoD) interim rule that greatly expanded the obligations imposed on defense contractors for safeguarding “covered defense information” and for reporting cybersecurity incidents involving unclassified information systems that house such information. The interim rule, which went into effect immediately, requires non-cloud contractors to comply with several new requirements, including those in DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” and DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls.” While the class deviation is a welcome development for contractors that may struggle to implement the NIST SP 800-171 requirements for multifactor authentication, the deviation: (1) requires contractors to notify the government if they need more time to satisfy those requirements, and (2) does not alter any other aspect of the August 26th interim rule.

DFARS 252.204-7012 requires prime contractors and their subcontractors to employ “adequate security” measures to protect “covered defense information.” Specifically, contractors must adhere to the security requirements in the version of NIST SP 800-171 that is in effect “at the time the solicitation is issued or as authorized by the Contracting Officer,” or employ alternative security measures approved in writing by an authorized representative of the DoD Chief Information Officer. Special Publication 800-171 describes fourteen families of basic security requirements. As described in section 2.2 of 800-171, each of these fourteen families also has “derived security requirements,” which add detail to the security controls required to protect government data. The basic requirements are drawn from FIPS Publication 200, which “provides the high level and fundamental security requirements” for government information systems. The derived requirements are taken from the security controls in NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations.” Among those derived requirements is one for “multifactor authentication for local and network access.”

DoD contractors and subcontractors should be aware of what the class deviation does and does not change:

  1. Effective immediately, DoD contractors and subcontractors are required to comply with the clauses at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (DEVIATION 2016-O0001) (OCT 2015) and DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls (DEVIATION 2016-O0001) (OCT 2015), in lieu of the clauses that were issued as part of the August 26th interim rule.
  2. Under the new clauses, DoD contractors (and subcontractors, through the prime contractor) may notify the contracting officer that they need up to 9 months (from the date of award or the date of a modification incorporating the new clauses) to comply with the requirements for “multifactor authentication for local and network access” in Section 3.5.3 of NIST SP 800-171.
  3. The revised clauses apply to all DoD contracts and subcontracts, including those for the acquisition of commercial items.
  4. The class deviation only impacts non-cloud contractor information systems that are not operated on behalf of the government (e.g., contractor internal systems).
  5. DoD contractors and subcontractors that cannot meet the specific requirements of NIST 800-171, including the requirements of Section 3.5.3, may still seek authorization from DoD to use “[a]lternative but equally effective security measures.”
  6. With the exception of the targeted changes to DFARS 252.204-7012 and DFARS 252.204-7008 (i.e., affording contractors up to 9 months to comply with Section 3.5.3 of NIST 800-171, provided they notify the contracting officer), all other requirements introduced by the August 26th interim rule remain in effect.
  7. Non-cloud contractor information systems that are operated on behalf of the government remain “subject to the security requirements specified [in their contracts].”
  8. The class deviation does not impact DoD cloud computing contracts, which remain subject to DFARS 252.239-7010, Cloud Computing Services.

Ensuring Compliance With the Revised DFARS Clauses and NIST SP 800-171 Section 3.5.3

During the solicitation phase of a procurement subject to the revised DFARS clauses, DoD contractors and subcontractors should engage technical experts to determine whether they would need additional time to satisfy the NIST requirements for multifactor authentication. If a contractor determines that additional time is needed, and is later awarded a contract subject to the new requirements, then the contractor should immediately notify the contracting officer in writing and should ensure that all subsequent communications with the government are adequately documented.

Upon providing such notice, contractors will have up to nine months (from the date of contract award or modification incorporating the revised clauses) to comply with Section 3.5.3 of NIST SP 800-171, which requires contractors to: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” See NIST SP 800-171, Section 3.5.3. Note the asymmetry: privileged accounts need a second factor for both local and network access, while non-privileged accounts need it only for network access. Section 3.5.3 is a derived requirement of the basic security requirement in section 3.5 for identification and authentication. Section 3.5.3 of NIST SP 800-171 notes that:

  • “Multifactor authentication” requires two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic device, token); or (iii) something you are (e.g., biometric). The requirement for multifactor authentication does not require the use of a federal Personal Identification Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. Rather, “[a] variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials.” See id., n. 22.
  • “Local access” is any access to an information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.
  • “Network access” is any access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

DOD Issues Interim Rule Addressing New Requirements for Cyber Incidents and Cloud Computing Services

On August 26, 2015, the Department of Defense (DoD) issued an interim rule that imposes expanded obligations on defense contractors and subcontractors with regard to the protection of “covered defense information” and the reporting of cyber incidents occurring on unclassified information systems that contain such information.  Nearly three years in the making, this interim rule replaces the DoD’s prior Unclassified Controlled Technical Information (“UCTI”) Rule, imposing new baseline security standards and expanding the information that is subject to safeguarding and can trigger the reporting requirements.  Additionally, the interim rule implements policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.

© 2015 Covington & Burling LLP

Department of Defense Contractors Agree to Pay the U.S. Government $5.5 Million for Allegedly Supplying the Military with Low-Grade Batteries for Humvee Gun Turrets Used in Iraq; Minnesota Whistleblower to Receive $990,000


On September 16, 2014, the Department of Justice (DOJ) announced that Department of Defense (DOD) contractors, M.K. Battery, Inc. (M.K. Battery), East Penn Manufacturing Company (East Penn), NPC Robotics, Inc. (NPC), BAE Systems, Inc. (BAE) and BAE Systems Tactical Vehicle Systems LP (BAE) had agreed to a settlement of $5.5 million for allegedly violating the False Claims Act (FCA) by selling the U.S. Military substandard batteries for Humvee gun turrets used on military combat vehicles in Iraq. Minnesota whistleblower, David McIntosh, former employee of M.K. Battery, will receive $990,000 which represents his share of the settlement for reporting fraud against the government – in this case misrepresentation of a vital product supplied to the DOD.

A gun turret is a weapon mount that protects the crew or mechanism of a projectile-firing weapon and at the same time lets the weapon be aimed and fired in many directions. Sealed acid batteries are used as a backup to turn the turrets on the Humvees in the event that the engine gives out. According to Mr. McIntosh, and unbeknownst to the Army, the manufacturing process of the batteries was allegedly changed from the original design presented to the DOD, consequently cutting the battery’s life span by as much as 50 percent and potentially putting U.S. troops in harm’s way. Mr. McIntosh, from Stacy, Minnesota, who at the time was employed by M.K. Battery as a regional sales representative, brought his concerns to top company officials at M.K. Battery. However, in 2007, after numerous unsuccessful attempts to convince M.K. Battery that its decision to cut costs on these batteries could be hazardous to U.S. troops, especially during combat, Mr. McIntosh alerted the DOD to this matter. Three months later, M.K. Battery fired Mr. McIntosh.

Shortly thereafter, Mr. McIntosh and his attorneys filed the lawsuit under the whistleblower provisions of the False Claims Act, which is one of the most effective methods the government has implemented for combating fraud. Under the FCA, any person who knows of an individual or company that has defrauded the federal government can file a “qui tam” lawsuit to recover damages on the government’s behalf. Mr. McIntosh filed this particular lawsuit on behalf of himself and the Department of Defense. Additionally, a whistleblower who files a case against a company that has committed fraud against the government may receive an award of up to 30 percent of the settlement. In this case, Mr. McIntosh’s share of the $5.5 million is approximately 18 percent of the settlement.

© 2014 by Tycko & Zavareei LLP