The U.S. Department of Defense (DOD) has issued an advanced notice of proposed rulemaking regarding amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) that would add new data protection requirements for unclassified DOD information used or handled by contractors. See 75 F.R. 9563 (March 3, 2010). The proposed amendments would create a two-tiered system of data security requirements, as well as an obligation to notify the DOD of security incidents.
The two tiers of data security requirements are described as “basic safeguards” and “enhanced safeguards,” both of which require “adequate security.” Under the proposed rules, “adequate security” would mean: “protection measures … commensurate with the risks (i.e., consequences and their probability) of loss, misuse, or unauthorized access to or modification of information.” 75 F.R. at 9566.
Basic safeguards are required for any unclassified DOD information. The required protections would include:
§ prohibiting the posting of any DOD information on websites unless they are restricted to users that provide user ID/password, digital certificate, or similar credentials;
§ using the “best level of security and privacy available” for transmissions of any DOD information transmitted via email, text messaging, and similar technologies;
§ transmitting any DOD information via telephone or fax only when reasonably assured that access is limited to authorized recipients;
§ protection of all DOD information by at least one physical (e.g., locked container) or electronic (e.g., user/password restriction) barrier;
§ sanitization of media in accordance with NIST protocols prior to disposal;
§ implementation of regularly updated malware protection and software patches/upgrades;
§ limiting sharing of any DOD information to third parties that have a “need to know;” and
§ contractually obligating all subcontractors to abide by the proposed regulations.
Enhanced safeguards apply to unclassified DOD information that meets one or more of the following criteria:
§ Critical Program Information (as defined in DOD Instruction 5200.39);
§ data designated for withholding under the FOIA program (as described in DOD Directive 5400.07);
§ data bearing current or prior controlled access/dissemination designations (e.g., For Official Use Only, Limited Distribution, and Proprietary);
§ technical data, software, or other information subject to DOD Directive 5230.24; and
See 75 F.R. at 9566 – 67.
In addition to the basic safeguards listed above, contractors would be obligated to implement the following measures for data subject to enhanced safeguard requirements:
§ reporting any “cyber intrusion incident” to DOD, which includes any event involving unauthorized access to DOD information or an “advanced persistent threat” (meaning a “proficient, patient, determined, and capable adversary”);
§ cooperate with and provide support for DOD investigations of reported cyber intrusion incidents;
§ encryption when transmitting DOD information across wireless networks (by either encrypting the wireless connection itself or the individual files transmitted across such connections);
§ encryption of DOD information stored on laptops, mobile devices, and removable media;
§ monitoring and control of network traffic through mechanisms such as firewalls and or intrusion detection/prevention systems; and
§ implementation of an information security program consistent with NIST Special Publication 800-53.
With regard to the “cyber intrusion incident” reporting requirements, “advanced persistent threats” appear to be reportable without regard to whether such a threat actually results in unauthorized access to DOD information. Attempted advanced persistent threats may be reportable events. In addition, covered contractors may be obligated to comply with all reporting, support, and cooperation requirements for incidents reported by their subcontractors.
With regard to cross-compliance with HIPAA, it appears that entities which are already compliant with the HIPAA Security Rule would not be required to make substantial changes to their existing safeguards for protected health information with the exception of adding procedures for reporting “cyber intrusion incidents” to, and cooperating with resulting investigations by, DOD.
The public comment period ends on May 3, 2010. DOD has scheduled a public meeting to discuss the proposed regulations on April 22, 2010 from 8:00 AM to 4:00 PM (EST). Attendees are expected to register two weeks in advance (thus, by April 8, 2010).