New standardized cybersecurity compliance requirements are inbound. In early October 2023, the Federal Acquisition Regulation (FAR) Council issued a proposed rule (Proposed Rule) to standardize cybersecurity requirements across federal agencies for unclassified Federal Information Systems (FIS). This blog, the first in a series, addresses why government contractors should familiarize themselves with these requirements as non-compliance could affect contract eligibility and payment, as well as exposure to False Claims Act (FCA) liability.[1]
Contractual cybersecurity requirements for unclassified FIS are currently based on agency-specific policies and regulations and often result in inconsistent cybersecurity requirements across federal contracts. The Proposed Rule would:
- provide a standard minimum set of cybersecurity requirements for FIS that can be applied consistently across the federal government;
- add a new subpart to the FAR under Part 39, as well as two new contract clauses; and
- apply to contracts at or below the Simplified Acquisition Threshold (SAT) as well as contracts for commercial products and commercial services.
Applicability
From the outset, the Proposed Rule only affects contractors that implement, operate, or maintain a FIS for the federal government. A FIS is defined as a “discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information” that is used or operated by an agency, a contractor of an agency, or another organization on behalf of an agency. For the purposes of the Proposed Rule, there are two types of FIS: (i) FIS that use non-cloud computing services and (ii) FIS that use cloud computing services. Further, if the contract calls for a FIS that uses both non-cloud and cloud computing services, contractors will need to comply with the requirements that apply to each FIS, as applicable.
FIS Using Non-Cloud Computing Services
The Proposed Rule contains several notable requirements for contracts involving FIS using non-cloud computing services. First, agencies will be required to identify in the contract the Federal Information Processing Standard (FIPS) Publication 199 impact level of the FIS, as well as any necessary security and privacy controls for the FIS. In the same vein, if the FIPS impact level is designated by the agency as moderate or high, contractors will need to conduct—at least annually—cyber threat hunting and vulnerability assessments, and annual independent assessments of the security of each FIS. The results from these assessments must be shared with the contracting officer. Moreover, if a third-party assessment organization is retained to perform these assessments, contractors will be required to enter into confidentiality agreements with these third-party organizations to prevent any unauthorized disclosure of government data. Further, the proposed clause, FAR 52.239–YY Federal Information Systems Using Non-Cloud Computing Services, would require contractors to provide the government full and timely access to their systems, facilities, and personnel in order to determine whether the contractor implemented the necessary security safeguards.
The Proposed Rule would require contractors to develop, update, and maintain several types of plans, lists, and strategies for each non-cloud FIS. The rule would also require contractors to develop, review, and update, if appropriate, a system security plan (SSP) to support authorization of all applicable FIS. Contractors will be expected to develop a continuous monitoring strategy for the FIS and provide it to the agency. Lastly, contractors will need to develop and maintain a list of the physical locations of all operational technology equipment included within the boundary of the non-cloud FIS. Indeed, this list must be detailed enough to allow the government to positively locate and track any movement of the equipment during contract performance.
FIS Using Cloud Computing Services
Many of the requirements for contracts with FIS involving cloud computing services are similar to those identified above. Rather than rehashing the same requirements, we will mention the notable differences.
In addition to the FIPS impact level identified in the contract, the agency will also be required to identify the relevant Federal Risk and Authorization Management Program (FedRAMP) authorization level. The contractor will then be required to implement and maintain the security and privacy safeguards in accordance with the corresponding FedRAMP level, engage in continuous monitoring activities, and provide certain continuous monitoring deliverables. Further, in the event a FIS using cloud computing services is categorized as having FIPS Publication 199 high impact, contractors will need to ensure that all government data is maintained within the United States or its outlying areas.
The remaining requirements are similar to those for non-cloud FIS, including limiting access to and use of data, handling cyber incidents in accordance with the relevant FAR contract clause being developed concurrently (FAR Case 2021–017), and permitting government access to systems and facilities.
Indemnification
One of the significant similarities between the two contract clauses is the inclusion of an indemnification clause. In particular, all contractors with either clause in their contracts must indemnify the government against any liability arising out of the performance of the contract incurred as the result of the contractor’s unauthorized introduction of:
- copyrighted material to which the Contractor has no rights or license that may infringe on the copyright interest of others;
- information subject to a right of privacy; or
- any libelous or other unlawful matter into government data.
By signing the contract, all firms agree to waive any and all defenses that may be asserted. Moreover, contractors will be required to indemnify the government against any liability arising out of the performance incurred due to the contractor’s potential or actual unauthorized disclosure of trade secrets, copyrighted materials, contractor bid or proposal information, source selection information, classified information, Controlled Unclassified Information, information subject to a right of privacy or publicity, personally identifiable information, or any record as defined in 5 U.S.C. 552a.
Key Takeaways
As it relates to this Proposed Rule, contractors should:
- determine if they do in fact operate a FIS on behalf of a federal agency; if not, the Proposed Rule is not applicable;
- determine whether the FIS they operate for the federal government uses non-cloud computing services (on-prem) or uses cloud computing services; and
- review their current cybersecurity policies and compare those policies with the requirements in the proposed rule to determine whether they are in compliance.
An underlying theme running through the various cybersecurity requirements being implemented across the federal government is that while risk of noncompliance is high, we have yet to see broad-range enforcement. Indeed, there have been a limited number of False Claims Act cases brought by whistleblowers but little else. It is possible that these contractual compliance requirements buried in solicitations go unnoticed by most or there is still too much confusion or ambiguity in them for the government officials to want to strictly enforce them. However, all it takes is one agency, one contracting officer, or one individual to strictly enforce the requirements in these clauses. Once that occurs, the legal implications and liability for contractors will be significant, ‘making or breaking’ a company’s survival.
If you believe your business will be impacted by these new requirements, comments for the proposed rule are due February 2, 2024, and can be submitted here. If you have questions about the proposed requirements surrounding FIS contracts involving cloud computing services and how to prepare for compliance with them, or any other cybersecurity questions, please contact Cy Alba, Joe Loman, Daniel Figuenick, or another member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy practice groups.
Stay tuned for the second installment of this blog series, where we discuss a related rule that would require federal contractors to share information about cyber threats and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency.
____________________
Looking for practical insights on gaining a competitive advantage through a deeper understanding of the government’s compliance requirements? Check out PilieroMazza’s podcasts “GovCon Live!” and “Clocking in with PilieroMazza.”
[1] The proposed rule expressly provides that “compliance with these requirements is material to eligibility and payment under Government Contracts.” As such, the government is clearly expressing that the FCA is at play here. Contractors will continue to face greater exposure to FCA liability as the federal government continues to roll out new cybersecurity rules and obligations.