Cyber Protection May Become a Contract Compliance Issue

We have written about cyber threats and cyber security before.  (For example, see this post.)  To our disappointment, such articles receive few hits.  The threat is real and requires thoughtful preparation in order to successfully defend against it.  Now, perhaps, our readers will consider the issue from a different angle, as DOD seems poised to make cyber security a matter of contract compliance.

On March 3, 2010 the DOD published an “Advance Notice of Proposed Rulemaking (ANPR) and notice of public meeting” in connection with DFARS Case 2008-D028, Safeguarding Unclassified Information.  See the Federal Register notice here.

The summary of the rule is as follows—

DoD is seeking comments from Government and industry on potential changes to the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for the safeguarding of unclassified information. The changes would add a new subpart and associated contract clauses for the safeguarding, proper handling, and cyber intrusion reporting of unclassified DoD information within industry. … This ANPR does not address procedures for Government sharing of cyber security threat information with industry; this issue will be addressed separately through follow-on rulemaking procedures as appropriate.

Among the potential changes being considered is the addition of two new DFARS contract clauses.  “DFARS 252.204–7XXX would require contractors to protect DoD information from unauthorized disclosure, loss, or exfiltration by employing basic information technology security measures, while DFARS 252.204–7YYY would require enhanced information technology security measures applicable to encryption of data for storage and transmission, network protection and intrusion detection, and cyber intrusion reporting.”  In addition, “A cyber intrusion reporting requirement is contemplated for enhanced protection to assess the impact of loss and to improve protection by better understanding the methods of loss.”

The ANPR states that a public meeting will be held on April 22, 2010 at NASA’s James W. Webb Memorial Auditorium in SE Washington, D.C.  (Details are in the Federal Register notice, link above.)  In lieu of speaking at the all-day meeting, you can submit written comments and answers to questions posed by the DAR Council.  At the meeting, “DoD is interested in receiving input regarding ‘best practices’ for protecting networks and data, experience with any of the proposed safeguards, and an evaluation of its value.”  The rule drafters have provided 13 questions that they hope industry will answer, so help them craft the proposed rule.

Our take on this is that DOD and its contractors are in this together.  It was less than a year ago, in April of 2009, when the Wall Street Journal (among others) reported that “Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project ….”  According to the story (found here)—

Computer systems involved with the program appear to have been infiltrated at least as far back as 2007, according to people familiar with the matter. Evidence of penetrations continued to be discovered at least into 2008. The intruders appear to have been interested in data about the design of the plane, its performance statistics and its electronic systems, former officials said.

The intruders compromised the system responsible for diagnosing a plane's maintenance problems during flight, according to officials familiar with the matter.

So it seems entirely appropriate for the DOD to consider issuing basic standards of minimum cyber protection to its industrial base, and to require reporting (including root cause analyses) when network breaches occur and data is compromised.  And we applaud the opportunity offered industry to help shape the rule and its implementation.  We hope knowledgeable companies will help DOD craft a good rule that is easily implementable.

After that, companies will need to comply with the requirements of the new contract clauses, or else risk accusations of breach of contract (or worse).  Remember, when BAE Systems recently paid the U.S. Government $400 million, the fine was imposed for False Statements associated with certain representations and certifications made to the Government, and not necessarily for any other alleged wrongdoing.