Close X
Attorney Spotlight

How did Mike DeAgro's experience co-founding a nonprofit advocacy organization lead to a career in the legal field? Find out more>


Close X


Search our Experience

Experience Spotlight

Envision to Sell to KKR for $9.9 Billion

We represented Envision Healthcare Corporation (NYSE: EVHC) in its definitive agreement to sell to KKR in an all-cash transaction for $9.9 billion, including debt. KKR will pay $46 per Envision share in cash to buy the company, marking a 32 percent premium to the company's volume-weighted average share price from November 1, when Envision announced it was considering its options. The transaction is expected to close the fourth quarter of 2018. Read more

Envision Healthcare

Close X

Thought Leadership

Enter your search terms in the relevant box(es) below to search for specific Thought Leadership.
To see a recent listing of Thought Leadership, click the blue Search button below.

Thought Leadership Spotlight

Six Things to Know Before Buying a Physician Practice spotlight

Dermatology, ophthalmology, radiology, urology…the list goes on. Yet, in any physician practice management transaction, there are six key considerations that apply and, if not carefully managed, can derail a transaction. Download the 6 Things to Know Before Buying a Physician Practice to keep your physician practice management transactions on track.

Click here to download the guide.

GovCon Blog: DoD Contractors Beware – New Network Penetration Reporting and Cloud Services Requirements Are Here


August 28, 2015

On August 26, 2015, the Department of Defense ("DoD") issued an interim rule, effective immediately, that revises network security requirements applicable to DoD contractors and introduces new cloud computing provision that reflect current DoD policy. The interim rule, which implements sections of the FY13 and FY15 National Defense Authorization Acts, comes on the heels of the massive breach of Office of Personnel Management systems that compromised the personal data of more than 21 million federal employees. The new and revised requirements apply to cyber incidents on unclassified information systems – breaches of classified systems will continue to be reported in accordance with the National Industrial Security Program Operating Manual. The interim rule also implements DoD policies and procedures applicable to the procurement of contracting for cloud computing services.

The rule includes five contract clauses relevant to contractors and subcontractors providing cloud computing to DoD or who are handling controlled unclassified DoD information on their systems. All five apply to commercial item contracts.

First, DFARS 252.204-7008, "Compliance With Safeguarding Covered Defense Information Controls," requires that offerors provide an explanation of any intended deviations from the National Institute of Standards and Technology security requirements applicable to protecting controlled unclassified information on non-federal systems and authorizes a representative of the DoD Chief Information Officer to approve or disapprove the requested deviation.

Second, DFARS 252.204-7009, "Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information," puts in place protections for information reported to the government and subsequently provided to contractors for the purpose of obtaining advice or technical assistance.

Third, DFARS 252.204-7012, renamed "Safeguarding Covered Defense Information and Cyber Incident Reporting," expands safeguarding and reporting requirements. The clause, which must be flowed down to subcontractors at all levels, establishes minimum "adequate security" standards for covered defense information on covered contractor information systems, and mandates that contractors and subcontractors at any tier that have covered defense information on unclassified systems investigate and rapidly report "cyber incidents." "Cyber incidents" are defined as "actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein." The clause further provides that cyber incident reports "shall be treated as information created by or for DoD." Contractors also must discover and isolate malicious software in connection with a reported cyber incident "in accordance with instructions provided by the contracting officer"; preserve all affected information systems for at least 90 days to allow DoD to request the media; provide DoD access to "additional information or equipment that is necessary to conduct a forensic analysis"; and other potentially onerous obligations.

Finally, the proposed rule introduces two cloud computing provisions, DFARS 252.239-7009, "Representation of Cloud Computing" and DFARS 252.239-7010, "Cloud Computing Services." The first requires that an offeror represent whether it anticipates the use of cloud computing services in the performance of the contract or any subcontract. The second imposes certain cloud computing requirements, restrictions on the use of government data and reporting obligations, among other requirements.

These new provisions, particularly the revised reporting requirement, raise a number of questions and challenges. For example, by reporting a cyber incident a contractor may be providing the government with evidence that it failed to adequately safeguard covered defense information. Also, reporting may require the contractor or subcontractor to disclose proprietary information not typically disclosed outside of the company, even to the government. While the new provisions include protections for contractor information, those protections may be little comfort to an affected contractor. Contractors also may be faced with overlapping disclosure obligations, as data breaches that are reportable to DoD may also trigger state level reporting requirements.

Perhaps the most important question raised by the new provisions relate to the cost and impact of a cyber incident. DFARS 252.204-7012 requires far more than reporting. It mandates that a contractor investigate in accordance with a contracting officer's instructions, preserve systems for up to 90 days to allow DoD to determine whether it wishes to take possession of media and provide information and equipment to support a forensic analysis if such analysis is deemed necessary. While some of these obligations already existed, the expansion of these requirements will likely pose a challenge for commercial contractors, both in terms of the cost and the impact on commercial operations. And it is an open question as to whether corporate entities in possession of covered DoD information have the capability or capacity to deter and detect cyber attacks increasingly orchestrated and conducted by nation states.

Ultimately, the interim rule is a positive step toward the development of safeguards necessary to protect our government’s sensitive information from cyber attacks. But the formalization of these requirements will force DoD and the contracting community to address a number of challenging questions about the burdens these requirements will impose on the contracting community and the sufficiency of contractual obligations to address threats posed by other nations.

Comments are due or before October 26, 2015.

Read more about government contracts on

Related Professionals

Related Services


Visiting, or interacting with, this website does not constitute an attorney-client relationship. Although we are always interested in hearing from visitors to our website, we cannot accept representation on a new matter from either existing clients or new clients until we know that we do not have a conflict of interest that would prevent us from doing so. Therefore, please do not send us any information about any new matter that may involve a potential legal representation until we have confirmed that a conflict of interest does not exist and we have expressly agreed in writing to the representation. Until there is such an agreement, we will not be deemed to have given you any advice, any information you send may not be deemed privileged and confidential, and we may be able to represent adverse parties.