In October 2023, the federal government released a Proposed Rule aimed at incorporating new cybersecurity reporting requirements into the Federal Acquisition Regulation (FAR). In this second installment of PilieroMazza’s blog series “Protecting Our Nation’s Data,” we discuss the Proposed Rule, which seeks to implement Executive Order 14028 (EO 14028) and increase the exchange of information between contractors and the government regarding cyber threats and incident reporting. As the government continues to roll out new cybersecurity requirements, government contractors should understand these requirements, how they could affect current and future contracts, and the greater exposure to False Claims Act (FCA) liability they bring.[1] Please visit this link for the first blog in this series.
Security Incident Reporting Obligations
Notably, the Proposed Rule adds two new FAR clauses that will be required in all solicitations and contracts: (1) FAR 52.239-ZZ, Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology and (2) FAR 52.239-AA, Security Incident Reporting Representation.
A “security incident” will trigger many of the contractor’s reporting obligations. The clause defines a security incident as an actual or potential occurrence of:
- “[a]ny event or series of events which pose(s) actual or imminent jeopardy . . . to the integrity, confidentiality, or availability of information or an information system” or “a violation or threat of violation of law, security policies, security procedures, or acceptable use policies”;
- any discovery of malicious computer software on an information system; or
- a “[t]ransfer of classified or controlled unclassified information onto an information system non-accredited [not authorized] for the appropriate security level.”
All security incidents involving a product or service (including information or communications technology (ICT)) provided to the government must be reported to the Cybersecurity and Infrastructure Security Agency (CISA) within 8 hours. The contracting officer must be notified when such a report is submitted to CISA. Thereafter, the contractor must update the submitted report every 72 hours until all relevant parties “have completed all eradication or remediation activities.” If malicious computer software is discovered in a security incident, malicious code samples or artifacts must be provided to CISA using the Malware Analysis Submission Form within 8 hours of discovery and isolation of the software.
In response to a security incident, the contracting officer, CISA, or the Federal Bureau of Investigation (FBI) can request that contractors provide access to any relevant security incident information. The contractor must respond to such requests with all available information within 96 hours. Additionally, upon request, contractors will be required to provide access to additional information or equipment necessary to conduct a forensic analysis. Besides confirming the validity and legitimacy of the request, the contractor must also “[i]mmediately notify” the contracting officer in writing that the request was received.
Data Storage, Preservation, and Maintenance
Besides reporting requirements, FAR 52.239-ZZ also directs contractors to implement various data storage processes and defensive measures to bolster the nation’s supply chain security. Following a security incident, contractors will need to “collect and preserve . . . data and information relevant to security incident prevention, detection, response[,] and investigation” for 12 months in “active storage,” followed by 6 months in “active or cold storage.” The contracting officer may, at any time, request the data and “the Contractor shall promptly provide this data and information to the Government.” Examples of such data include network traffic data, full network flow, full packet capture, perimeter defense logs, telemetry, and system logs, among others. In addition, during the life of the contract and for at least 1 year thereafter, contractors must “develop, store and maintain” an up-to-date collection of customizations that differ from manufacturer defaults on devices, computer software, applications, and services for all information systems used in developing or providing an ICT product or service to the government.
FAR 52.239-ZZ further requires that contractors develop and maintain a software bill of materials (SBOM) for “each piece of computer software used in performance of the contract,” conforming to the elements in the Minimum Elements for a Software Bill of Materials. The government specifically requested that contractors comment on the development of this requirement, including:
- how SBOMs should be collected from contractors;
- what specific protections are necessary to protect information in contractors’ SBOMs; and
- challenges contractors may face in developing SBOMs.
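As an added example (not code from the post or from the Proposed Rule), the check below inspects a CycloneDX-style SBOM for the seven NTIA minimum elements (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp). The element list is taken from NTIA’s July 2021 “The Minimum Elements for a Software Bill of Materials (SBOM)”; the mapping of those elements onto CycloneDX fields, the sample SBOM, and every product and supplier name in it are this example’s own assumptions.

```python
"""Check a CycloneDX-style SBOM against the NTIA minimum elements.

Added example, not part of the PilieroMazza post or the FAR rule text. The
NTIA element list is from NTIA's July 2021 "Minimum Elements" document; the
CycloneDX field mapping and the sample SBOM are this example's assumptions.
"""
import json
from datetime import datetime

# Constructed sample: a CycloneDX 1.5-style document with one deliberate gap
# (the "requests" component has no version or purl and is absent from the
# dependency graph). All names are hypothetical.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-15T14:02:00Z",
        "authors": [{"name": "Build pipeline (hypothetical)"}],
        "component": {"type": "application", "name": "acme-portal",
                      "version": "3.4.1",
                      "supplier": {"name": "Acme Federal Systems (hypothetical)"},
                      "purl": "pkg:pypi/acme-portal@3.4.1",
                      "bom-ref": "pkg:pypi/acme-portal@3.4.1"},
    },
    "components": [
        {"type": "library", "name": "flask", "version": "3.0.0",
         "supplier": {"name": "Pallets"}, "purl": "pkg:pypi/flask@3.0.0",
         "bom-ref": "pkg:pypi/flask@3.0.0"},
        {"type": "library", "name": "requests",
         "supplier": {"name": "Python Software Foundation"},
         "bom-ref": "requests-noversion"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/acme-portal@3.4.1",
         "dependsOn": ["pkg:pypi/flask@3.0.0"]},
    ],
})


def check_component(comp):
    """Return the per-component NTIA elements missing from one component."""
    missing = []
    if not (comp.get("supplier") or {}).get("name"):
        missing.append("supplier name")
    if not comp.get("name"):
        missing.append("component name")
    if not comp.get("version"):
        missing.append("version")
    # "Other unique identifiers": purl, cpe or swid are the usual carriers.
    if not any(comp.get(k) for k in ("purl", "cpe", "swid")):
        missing.append("unique identifier (purl/cpe/swid)")
    return missing


def check_sbom(text):
    """Return {finding: detail} for every minimum element not satisfied."""
    bom = json.loads(text)
    findings = {}
    meta = bom.get("metadata", {})

    # Author of SBOM data and timestamp are document-level elements.
    if not meta.get("authors") and not meta.get("tools"):
        findings["author of SBOM data"] = "metadata.authors/tools missing"
    try:
        datetime.fromisoformat(str(meta.get("timestamp")).replace("Z", "+00:00"))
    except ValueError:
        findings["timestamp"] = "metadata.timestamp missing or not ISO 8601"

    # Per-component data fields, including the primary component itself.
    components = [meta.get("component", {})] + bom.get("components", [])
    for comp in components:
        for elem in check_component(comp):
            label = comp.get("name") or comp.get("bom-ref") or "<unnamed>"
            findings[f"{elem}: {label}"] = "missing"

    # Dependency relationship: every component must appear in the graph.
    referenced = set()
    for dep in bom.get("dependencies", []):
        referenced.add(dep.get("ref"))
        referenced.update(dep.get("dependsOn", []))
    for comp in components:
        ref = comp.get("bom-ref")
        if ref and ref not in referenced:
            findings[f"dependency relationship: {ref}"] = "not in dependencies graph"
    return findings


if __name__ == "__main__":
    for finding, detail in check_sbom(SAMPLE_SBOM).items():
        print(f"{finding}: {detail}")
```

Run against the sample, the check reports three gaps, all on the `requests` entry: no version, no unique identifier, and no place in the dependency graph. A contractor gating SBOM delivery on an empty result from a check like this has a concrete, repeatable answer to the “conforming to the Minimum Elements” language rather than a judgment call at submission time.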
One of the last major proposed requirements is that contractors must increase their sharing of cyber threat indicators. FAR 52.239-ZZ mandates that contractors either (1) subscribe to CISA’s Automated Indicator Sharing (AIS) capability during contract performance or (2) participate in information sharing with an Information Sharing and Analysis Organization (ISAO) or Information Sharing and Analysis Center (ISAC).
Representations and Flow-Downs
While FAR 52.239-AA does not contain as many requirements as FAR 52.239-ZZ, it does require offerors to represent compliance with FAR 52.239-ZZ, including its flow-down requirements for lower-tier subcontractors. Indeed, both FAR clauses will need to be flowed down to subcontractors.
Under FAR 52.239-AA, offerors will be required to represent that all security incident reports required by existing government contracts were submitted in a “current, accurate, and complete manner.” For existing contracts where ICT is used or provided in performance of a subcontract, offerors further represent that they required every first-tier subcontractor to: (1) notify the offeror within 8 hours of discovery of a security incident (as required by paragraph (b) of FAR 52.239-ZZ) and (2) require the next lower-tier subcontractor to notify both the offeror (i.e., the prime contractor) and the first-tier subcontractor within 8 hours of discovery of a security incident (as required by paragraph (b) of FAR 52.239-ZZ). Significantly, offerors must require that any subcontractor using or providing ICT include this reporting requirement in every lower-tier subcontract, imposing the requirement on the entire chain of subcontractors.
Key Takeaways
- The Proposed Rule’s most significant development is the addition of new reporting requirements when a security incident occurs involving a product or service being provided on (or in support of) a federal government contract. Certain forms must be used depending on the type and substance of the security incident. Contractors are primarily required to report these events within 8 hours of discovery, and then to update the report every 72 hours thereafter as new information becomes available. This requires contractors to be on top of any and all potential or actual threats to their information systems at all times. While such mechanisms are largely necessary to defend against the increasing threat of cyberattacks, they will force contractors to expend a significant amount of time and resources to ensure compliance with their contracts.
- Besides actually reporting and complying with any information requests from the relevant investigating parties, contractors will need to ensure they have the appropriate policies, processes, procedures, and systems to support data collection, preservation, and storage for months and even years after a security incident occurred. Many contractors have internal policies which call for the deletion or removal of information from their systems after a predetermined number of years. Contractors will need to review and update these internal policies and procedures to conform with the new requirements in FAR 52.239-ZZ.
- For prime contractors, it is not enough merely to represent that you were complying with the reporting requirements in FAR 52.239-ZZ on all existing contracts. Under the Proposed Rule, offerors must represent that on any subcontract where ICT is being used or provided in support of a federal government contract, the 8-hour reporting requirement is imposed on all subcontractors at every tier. Not only will subcontractors have to report to CISA, but they will also have to notify each contractor above them in the chain. Failure to comply with these obligations, or to ensure that each subcontract contains the required flow-down, could result in FCA liability as discussed above.
If you believe that your business will be impacted by these new requirements, comments are due February 2, 2024, and can be submitted here. Attorneys in PilieroMazza’s Cybersecurity & Data Privacy Group are closely monitoring developments that will impact government contractors. If you have questions about the proposed requirements surrounding the new cyber threat reporting requirements, or any other cybersecurity questions, please contact Cy Alba, Joe Loman, Daniel Figuenick, or another member of the Firm’s Government Contracts or Cybersecurity & Data Privacy practice groups.
___________________
Looking for practical insights on gaining a competitive advantage through a deeper understanding of the government’s compliance requirements? Check out PilieroMazza’s podcasts “GovCon Live!” and “Clocking in with PilieroMazza.”
[1] The proposed rule expressly provides that “compliance with these requirements is material to eligibility and payment under Government Contracts.” As such, the government is clearly signaling that the FCA is at play here. Contractors will continue to face greater exposure to FCA liability as the federal government continues to roll out new cybersecurity rules and obligations.