Contracting advocates say the final version of Pentagon regulations governing how to protect unclassified information housed on contractor systems is much narrower and clearer than an earlier version of the rule that had generated concerns.
The regulation requires companies to take precautions to secure certain data and report cyber intrusions that result in the loss of certain unclassified Pentagon information.
But the new version limits the covered information to unclassified controlled technical information, meaning technical data, computer software and other technical information, rather than a much broader set of information.
“This does apply to all contractors at all levels of subcontracting,” said Ronald D. Lee, a partner who specializes in government contracting and national security at Arnold & Porter. “It’s something that the entire contractor base needs to sit up and be aware of.”
The Defense Department’s top acquisition official last month said the rule will help ensure that adversaries don’t have access to the military’s technical information.
“Defense contractors throughout the department’s supply chain have been targeted by cyber criminals attempting to steal unclassified technical data,” Frank Kendall said in a statement. “We cannot continue to give our potential adversaries the benefits in time and money they obtain by stealing this type of information.”
Contracting advocates and attorneys had criticized an earlier version of the regulation, arguing it was far too vague and would create a significant cost burden for companies.
“The rule has changed substantially and for the better,” said Alan Chvotkin, executive vice president and counsel at the Professional Services Council, an industry group.
Elizabeth A. Ferrell, a partner at McKenna Long & Aldridge who specializes in government contracting, said the regulation is now far narrower.
“There should be no guessing that the contractor has to do about whether information is covered or not covered,” she said.
Though contractors had expressed concern that implementing these standards would be time-consuming and expensive, the Pentagon says in the rule that the standards are needed.
“The final rule was drafted with the aim of minimizing the burden of compliance on contractors while implementing the necessary safeguarding requirements,” the rule said.
Still, Ferrell said the regulation will likely take a greater toll on smaller companies, which are less likely to already be conforming to the standards.
“The big [prime contractors] already have more sophisticated cybersecurity protections in place,” she said. “Larger companies more easily are equipped to spend the money and the resources to put these kinds of protection mechanisms in place. It’s a harder impact on a small business.”