By Dietrich Knauth
Law360, New York (November 18, 2013, 8:35 PM EST) — The U.S. Department of Defense issued on Monday a final rule on contractors’ responsibilities for safeguarding unclassified technical data, paring down a cybersecurity rule that was criticized as being too broad when proposed in 2011.
The new rule requires contractors to take enhanced cybersecurity measures to protect DOD technical data. The cybersecurity measures are drawn from commonly used practices codified by the National Institute of Standards and Technology, including access control, awareness and training, contingency planning, and maintenance.
While the 2011 proposed rule would have required enhanced cybersecurity for a broader range of unclassified information provided by or developed for the DOD, the final rule is limited to unclassified technical documents related to DOD-funded research and development — including computer software and documents like engineering drawings, technical manuals, blueprints, data sets, studies and analyses — and to other technical information that could be used to produce, repair or modify any military or space equipment.
“After comments were received on the proposed rule it was decided that the scope of the rule would be modified to reduce the categories of information covered,” the DOD said. “This final rule addresses safeguarding requirements that cover only unclassified controlled technical information and reporting the compromise of unclassified controlled technical information.”
The change should be a welcome one for contractors, according to Elizabeth Ferrell, a partner in McKenna Long & Aldridge LLP’s government contracts practice.
“What we have now is just one small sliver of what was proposed in 2011,” Ferrell said. “It’s not a perfect rule, but it’s not as controversial as it was before.”
Some concerns remain for contractors, including the lack of a safe harbor for contractors who report breaches despite complying with the NIST standards, and some ambiguity in the definition of a cyberevent that must be reported, Ferrell said.
“Even though they’ve really narrowed this down, there are certain things that are still troubling from a contractor’s perspective,” Ferrell said.
The DOD said in the final rule that reported cyberincidents will not, by themselves, be considered evidence that a contractor had inadequate security, but flatly denied any safe harbor requests in the comments to the proposed rule, saying “the government does not intend to provide any safe harbor statements.”
While some commenters emphasized the costs of complying with additional cybersecurity steps, the DOD said that the NIST controls “represent mainstream industry practices” and that the DOD is willing to accept reasonable additional costs in exchange for better protection of its unclassified technical information.
In light of the new rule, contractors and subcontractors should quickly determine what data needs to be protected and asses their own compliance with the rule’s NIST standards, Ferrell said.
If contractors do not comply with the NIST standards, they should take steps to become compliant, or prepare to explain why the standards do not apply or why other protections provide adequate security, as allowed by the rule, according to Ferrell.
Published by Law360