The export control regulations are difficult enough to understand in their own right. But for companies that are also involved in defense contracting, whether as prime contractors or subcontractors, the export control regulations occasionally intersect with additional requirements of the Defense Federal Acquisition Regulations Supplement ("DFARS"), making compliance much more difficult.

For instance, consider the following three scenarios:

  1. Company A learns its IT service provider employs multiple Indian national employees that have potential access to Company A's networks where export-controlled data resides.
  2. At Company B, a mislabeled file containing export-controlled drawings is inadvertently uploaded to a foreign vendor through a File Transfer Protocol ("FTP") site.
  3. The new human resources manager at Company C discovers that a company employee, who has access to export-controlled information through unlimited company server access, is a Chinese citizen.

In all these situations, a savvy export compliance professional will know that an export or "deemed export" of controlled technical data or technology may have taken place. The competent export compliance professional will immediately restrict further uncontrolled access to the export-controlled data, alert management, conduct the necessary internal review, and determine, with the help of legal counsel as necessary, whether a voluntary self-disclosure ("VSD") with the applicable export control agency is advisable. But what if Companies A, B, and C are all defense contractors or subcontractors? Will the savvy, competent export control professional realize that, pursuant to DFARS, a "cyber incident" may have occurred? The occurrence of a cyber incident requires almost immediate (i.e., 72 hours) reporting to the Department of Defense ("DoD"). Unlike the filing of a VSD with an export control agency, the DoD cyber incident reporting requirement is mandatory, which complicates matters in situations where an ITAR or BIS VSD is being contemplated.

On October 21, 2016, DoD published a final rule requiring defense contractors to become compliant with the National Institute of Standards and Technology ("NIST") Special Publication ("SP") 800-171 by December 31, 2017.1 This portion of the final rule received most of the publicity within the defense contractor community, and Torres Law published an article on the subject.2 However, DFARS 252.204-7012, as amended by the final rule, now includes a requirement for a contractor subject to the regulation to submit a mandatory report, within 72 hours, of the discovery of a cyber incident that affects covered contractor information systems or covered defense information. There is a lot to unpack here, and it is necessary to first clarify the multiple defined terms in the requirement.

  • Cyber incident: actions taken through the use of computer networks that result in a "compromise" or an actual or potentially adverse effect on an information system and/or the information residing therein;
  • Compromise: disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred;
  • Covered Defense Information ("CDI"): unclassified controlled technical information or other information, as described in the Controlled Unclassified Information ("CUI") Registry at http://www.archives.gov/cui/registry/category-list.html, 3 that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
    1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
    2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and
  • Covered Contractor Information Systems: an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.4

To illustrate a typical cyber incident: A hacker, either foreign or domestic, infiltrates, or "compromises," a defense contractor's internal servers, or "covered contractor information system," that contains drawings and blueprints developed pursuant to the performance of the contract, which are "CDI." Still, none of the three scenarios outlined at the beginning of the article were traditional cyber-attacks, but the definition of compromise includes the "disclosure of information to unauthorized persons" and a DoD 72-hour reporting requirement could be triggered. If the disclosure to unauthorized persons occurs "through the use of computer networks," then a cyber incident has occurred, even if the disclosure was unintentional. But as previously explained, a cyber incident must only be reported to DoD if it involves CDI or a contractor's network that contains CDI, or if the cyber incident affects the contractor's ability to perform operationally critical requirements of the contract.5 Importantly, CDI could include data controlled under the International Traffic in Arms Regulations ("ITAR) or the Export Administration Regulations ("EAR"), triggering potential ITAR/EAR VSDs depending on the facts of the case and other considerations. Note that not all CDI is export-controlled and needs protections from foreign persons (e.g., HIPPA).

After the contractor determines that a covered cyber incident has occurred, the contractor will have to conduct a review of its network for evidence regarding the compromise of CDI. This review can include the identification of compromised computers, servers, specific data, and user accounts.

After conducting this internal review, or during the review if the 72-hour deadline is approaching, the contractor must report the cyber incident to DoD at https://dibnet.dod.mil/portal/intranet/. A DoD-approved medium assurance certificate is required to access the reporting module, so allow for some delay prior to being able to submit the report. Information to be provided in the report includes:

  • Company name, point of contact, and Data Universal Numbering System ("DUNS") number;
  • Government contract number(s), contracting officer, and U.S. Government program manager point of contact;
  • Contract and facility clearance level and facility CAGE code;
  • Information regarding the actual cyber incident and the CDI involved; and
  • A narrative explanation of the incident.

DoD has provided guidance in Frequently Asked Questions ("FAQs") recommending that contractors provide an incomplete cyber incident report rather than delaying submission to obtain all necessary information.6 Contractors disclosing cyber incidents that involve export-controlled information should also consider whether a VSD submission to the appropriate agency is also warranted. If so, this information can be included in the cyber incident report.

Upon receiving the cyber incident report, DoD will provide the submitting contractor with an incident report number. The contractor should be prepared to cooperate with any additional forensic investigations DoD may conduct as part of its damage assessment process. The goal of the damage assessment is for DoD to determine the scale of the impact of the cyber incident on CDI and any further implications of the incident. The assessment may look into the adequacy of the contractor's cybersecurity measures and whether required controls were in place at the time of the incident.

Importantly, the requirements of DFARS 252.204-7012 do not apply only to government prime contractors. Section (m) of the DFARS clause specifically relates to subcontractors and requires prime contractors to flow-down DFARS 252.204-7012 in subcontracts involving CDI or for operationally critical support. In case of a cyber incident involving subcontractor systems, subcontractors are required to independently report the incident to DoD. Upon receipt of the cyber incident report number, the subcontractor must provide this number to the prime contractor, or the next higher-tier subcontractor, as soon as practicable.

The potential overlap between the export agencies and regulations and the new DoD reporting requirements can be daunting to say the least. The ITAR controls unclassified and classified technical data related to defense articles and defense services. In this context, the ITAR and the National Industrial Security Program Operating Manual ("NISPOM," under the Defense Security Service ("DSS"))7 share jurisdiction with regards to classified and unclassified data related to defense articles and services. Because of this shared jurisdiction, there has often been overlap or conflicting guidance received from the agencies. For example, in the past DSS has stated that a license is not required for classified items and defense services ignoring, for example, ITAR licensing requirements. Further, DSS recently appears to have expanded their authority to review unclassified ITAR-controlled information and documents as part of their audits. Similarly, pursuant to DFARS 252.204-7012, situations involving ITAR violations related to inadvertent technology transfers to foreign persons could now trigger the 72-hour DoD reporting requirement.

A problem arises, however, when export controlled data is involved because, as previously explained, export VSDs are "voluntary" submissions and there is no set time limit to submit a VSD. In other words, companies typically would review the facts and circumstances leading to the violations, confirm the applicability of the ITAR or EAR, and decide whether to submit an initial VSD. Although the export regulations permit the VSD process to be divided in two steps (i.e., an initial VSD followed by a final VSD oftentimes months after conducting a thorough review of the circumstances that led to the violations), in practice companies may need at least a couple of weeks to submit an initial VSD. This is especially important in cases involving complex product classifications impacting the export agencies' jurisdiction, or in larger companies where chains of command are complex and hierarchies for approval of VSD submissions move slowly. Companies now could potentially face a mandatory 72-hour DoD disclosure requirement and must consider whether failure to submit initial export VSDs concurrently or shortly thereafter could have negative repercussions.

***

Defense contractors and subcontractors, including those that work with export-controlled technology, should review their contracts and determine if DFARS 252.204-7012 was included or flowed-down. If the clause was included, the contractor is on notice to the 72-hour cyber incident reporting requirement. A contractor working with export-controlled information pursuant to a defense contract should determine whether any of that information has been marked by DoD, or the prime contractor, as CDI. If so, the contractor should have procedures in place to immediately escalate the discovery of a covered cyber incident to necessary IT, legal, and management personnel in order to comply with the 72-hour reporting requirement as well consider filing an initial VSD with the relevant export agency.

Footnotes

1 DFARS: Network Penetration Reporting and Contracting for Cloud Services, 81 Fed. Reg. 72,986 (Oct. 21, 2016) (to be codified at 48 C.F.R. Parts 202, 204, 212, 239, and 252), available at https://www.gpo.gov/fdsys/pkg/FR-2016-10-21/pdf/2016-25315.pdf.

2 See Justin Doubleday interview with Torres Law Managing Member Olga Torres for Contractors Wonder How DoD Will Enforce Supply Chain Security Requirements, Inside Defense, (Mar. 30, 2018), https://insidedefense.com/daily-news/contractors-wonder-how-dod-will-enforce-supply-chain-security-requirements (covering the difficulties of NIST 800-171 implementation).

3 Export-controlled information is included in the CUI Registry. The National Archives and Records Administration (NARA) is charged with implementing the program and overseeing agency actions to ensure compliance with Executive Order 13556 (Nov. 10, 2010). On May 17, 2018, DSS was designated as the lead agency for implementing procedures for oversight of CUI for the Defense Industrial Base. See Memorandum from Joseph Kernan, Under Secretary of Defense, Regarding Controlled Unclassified Information Implementation and Oversight of the Defense Industrial Base (May 17, 2018), available at https://static1.squarespace.com/static/596679b9f7e0ab2988eee76e/t/5b267fa8575d1f6f794a21c1/1529249705973/CUI+Implementation+Letter.pdf. DSS must publish a report six months from the publication of this memorandum, or November 17, 2018 addressing the following information: identification of resource constraints, additional policy required to support CUI oversight authority, and program improvement recommendations.

4 40 C.F.R. § 252.7012(a) (2018).

5 40 C.F.R. § 252.7012(c)(1) (2018).

6 Frequently Asked Questions (FAQs) - Implementation of DFARS Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services, Department of Defense Procurement Toolbox, Question 28, https://dodprocurementtoolbox.com/faqs/cybersecurity/frequently-asked-questions-faqs-dated-jan-27-2017-implementation-of-dfars-case-2013 (Jan. 27, 2017).

7 Kernan, supra note 3.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.