DOD Cybersecurity Final Rule Explained

November 15, 2016

Cybersecurity Update: DoD Releases Long-Awaited Final Rule

Source: Inside Government Contracts, Susan Cassidy, Michael Wagner and Julia Lippman, October 25, 2016

On October 21, 2016, the Department of Defense (DoD) issued its long-awaited Final Rule—effective immediately—imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI). The Final Rule has been years in the making and is the culmination of an initial rule issued in November 2013, two interim rules published in August 2015 and December 2015, and years of comments and experience by DoD and its contractors. The new Rule materially alters the predecessor rule in a number of respects and clarifies several important issues relating to contracting for cloud computing services.

Key substantive changes include the following:

  • Adds new definitions or clarifies existing definitions for “covered defense information,” “covered contractor information system,” “export control,” the “other” category of CDI, and “operationally critical support.”
  • Directs that DFARS provisions 252.204-7008 and 252.204-7012 should not be used in solicitations and contracts “solely” for commercial-off-the-shelf (COTS) items.
  • Amends DFARS 252.204-7000 to clarify that fundamental research, by definition, does not involve any CDI.



For help with government contracting, contact your nearest Procurement Technical Assistance Center (PTAC). Funded through Cooperative Agreements between the U.S. Department of Defense and state and local governments/institutions, PTACs provide free and low-cost assistance in virtually all areas of government contracting.