On August 11, 2015, the Office of Management and Budget (“OMB”) released a draft policy memo entitled “Improving Cybersecurity Protections in Federal Acquisitions.” The purpose of the memo is to provide federal agencies with guidance to implement stronger cybersecurity protections in federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provide access to Controlled Unclassified Information (“CUI”). OMB is seeking public comments and suggested revisions by September 10, 2015, and expects to issue the final guidance this fall. Cybersecurity requirements are likely to impact most federal contractors eventually, so you should review the proposed guidance and submit comments on the OMB website.
Of particular note, OMB’s memo indicates we are one step closer to cybersecurity contract clauses in the FAR. Part of OMB’s guidance is that federal agencies should clearly and effectively address cybersecurity issues in contracts with contractors. To do this, OMB has worked with other stakeholders to establish sample cybersecurity contract clauses. Additionally, OMB stated that the Federal Acquisition Regulatory Council will amend the FAR to provide for contract clauses that address the following four cybersecurity issues:
- Security Controls: For contractor information systems operated on behalf of a federal agency, the contractor must have sufficient security controls to meet the appropriate baseline in NIST SP 800-53. For CUI, OMB recommends the moderate baseline for confidentiality, adjusted as appropriate to fit the circumstances and applicable legal requirements. Additional requirements may be imposed based on agency review when a contractor is operating a system to process data from more than one agency, or where there are non-governmental customers such as cloud service providers. For contractors’ internal systems that are not operated on behalf of the government but incidentally contain CUI, agencies should generally require the contractor to meet the requirements of NIST SP 800-171 rather than NIST SP 800-53.
- Cyber Incident Reporting: A cyber incident is an action taken through the use of computer networks that results in a compromise, or an actual or potentially adverse effect on an information system and/or the information contained in the system. OMB states that timely reporting of cyber incidents is critical, but does not specify what would constitute a timely report.
The upcoming FAR clauses addressing cyber incident reporting are expected to address what constitutes a cyber incident, the required timeline for reporting the incident, the information that needs to be included in the report, and where the report must be sent (i.e., to one POC at each agency identified in the contract). The FAR clauses will also likely detail the remedies available to the government when a contractor fails to report. The remedies would surely include at least those that address a breach of contract and adverse past performance evaluations, and could also include the potential for monetary fines and referral for suspension and debarment proceedings.
The FAR clauses will also likely differentiate between the reporting necessary for cyber incidents on systems operated on behalf of the government versus contractors’ internal systems. Contractors with systems operated on behalf of the government will likely need to report all known or suspected cyber incidents involving the loss of confidentiality, integrity, or availability of data. By contrast, contractors with CUI on their internal systems would likely need to report all cyber incidents involving the CUI, but would not need to report every known or suspected incident on their internal network.
- Information System Security Assessments: Based on OMB’s guidance, it is likely that FAR clauses and solicitation provisions will be implemented to require contractors to ensure adequate safeguards are in place through system risk assessments. For internal contractor systems, solicitations will soon contain provisions that require offerors to demonstrate, in their proposal, how they meet the requirements of NIST SP 800-171, including the security assessment for contractor internal systems.
Depending on the level of information at issue, the contractor may simply be asked to attest to its compliance, or it may be necessary for the contractor to include with its proposal a detailed description of its system security architecture, controls, and supporting test data. For contractor systems operated on behalf of the government, the FAR is expected to address the circumstances under which an independent security assessment is necessary and when an agency may accept an independent third-party verification of the security assessment. The FAR is also likely to give the government access to contractor systems operated on behalf of the government to inspect, evaluate, investigate, or audit those systems in connection with security incidents and periodic security reviews. Such contractors will also likely have to certify, prior to contract closeout, that government files and information have been properly sanitized.
- Information Security Continuous Monitoring: There may be additional requirements imposed on contractors to meet or exceed information security continuous monitoring requirements, and the government may have the ability to perform the monitoring and scanning of contractor systems using tools and infrastructure of the government’s choosing. Contractor self-reporting of information security, vulnerabilities, and threats may no longer be sufficient, in OMB’s view. For systems not operated on behalf of the government, continuous monitoring is part of the security assessment requirements discussed above in accordance with NIST SP 800-171.
In addition to the looming FAR changes in these areas, OMB’s guidance also points out that GSA is taking the lead in developing a business due diligence sharing system. GSA has been working with agencies on a pilot program that uses public records, publicly available data, and commercial subscription data to perform business due diligence analyses on contractors. Government agencies would be able to use this resource in assessing the cybersecurity risks presented by a contractor. It is likely that this information would affect the continuation of existing contracts and past performance evaluations for future contracts. However, it is unclear what visibility contractors will have into the business due diligence analysis, or whether contractors will be able to challenge the analysis or publish contrasting information, similar to contesting a past performance evaluation in CPARS.
About the Author: Jon Williams is a partner with PilieroMazza and a member of the Government Contracts Group. He may be reached at jwilliams@pilieromazza.com