Cybersecurity is emerging as an area of particular concern for all US federal government contractors, as well as contractors working on non-US public procurements. Even contractors that provide products and services that have nothing to do with the Internet, computers or software will find they are subject to cybersecurity requirements since they typically utilize, even if only internally, information technology systems or equipment in conducting their business and performing on federal government contracts.
President Barack Obama has declared cybersecurity an issue of significant national security concern. Contemporary with the press reports on high-level cyberattacks by the Chinese military against US interests, the Secretary of the Department of Homeland Security, Janet Napolitano, underscored the gravity of the current cybersecurity environment by warning of a possible “cyber 9/11.”
The February 12, 2013 Executive Order on Critical Infrastructure Cybersecurity
All US federal contractors must take note of the Executive Order (EO), “Improving Critical Infrastructure Cybersecurity,” issued by President Obama on February 12, 2013. (Read the EO) and DLA Piper’s Cybersecurity Law Alert, “What companies need to know about the Obama Administration’s Cybersecurity Order,” providing a preliminary assessment of the cybersecurity EO and actions for businesses to consider.
Through the EO, among other things, the President called for the establishment of a Cybersecurity Framework and increased information sharing. In addition, he directed the Secretary of Defense, Administrator of General Services and the Secretary of the Federal Acquisition Regulatory Council to provide recommendations on “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” These recommendations are due by the middle of June 2013 and will likely will result in changes to the current federal public procurement system in the form of new rulemaking and additional requirements imposed on federal government contractors.
Existing regulations and requirements applicable to US federal contractors
The recent Executive Order on Critical Infrastructure Cybersecurity is not the first harbinger of change and evolution in the area of cybersecurity, nor even the first rulemaking on the subject. Rather, it is the latest in a litany of directives the US federal government has issued to respond to the increasing frequency and mounting severity of cyberattacks aimed at virtually every aspect of the IT infrastructure of the US economy, ranging from the banking and financial services sectors to the energy sector and even defense systems.
Federal Acquisition Regulation (FAR) Part 39, for example, has long addressed, at a high level, the acquisition of IT, requiring that civilian agencies use the Department of Commerce, National Institute of Standards and Technology (NIST) security configurations when acquiring IT. Similarly, though many contractors may be unaware of this requirement, FAR 52.239-1(b) discusses the government’s inspection rights and the requirement for contractors to allow the government to access its facilities in order to carry out an inspection program. The Privacy Act (5 U.S.C. § 552a) also impacts federal contractors’ IT systems in addressing cybersecurity issues, requiring that federal IT contracts properly address protection of privacy. A number of Federal Information Processing Standard (FIPS) and NIST guidelines address cybersecurity issues including cybersecurity risk management, contingency planning and most recently, risks associated with mobile and cloud computing technologies.
Another example of existing regulations on cybersecurity that have far-reaching implications for federal contractors – and significant compliance risks for contractors that lack a comprehensive strategy for cybersecurity – is the US. General Services Administration’s (GSA) contract requirement implemented through GSA Acquisition Regulation (GSAAR) 552.239-71(k). This relatively new, agency-unique requirement (read the rule) applies to unclassified IT resources and requires government contractors to submit an IT security plan that complies with the Federal Information Security Management Act (FISMA) and other federal laws and regulations.
GSA contracts that contain GSAAR 552.239-71(k) impose significant obligations upon contractors and subcontractors – ‒and corresponding transactional costs. This contract provision requires contractors to afford the GSA access to the contractor’s and subcontractors’ facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract, regardless of the location. Such access is to be provided to the extent required in the judgment of the GSA in order to conduct an inspection, evaluation, investigation or audit, including vulnerability testing, to safeguard against threats and hazards to the integrity, availability and confidentiality of GSA data and to preserve evidence of computer crime.
Prudent contractors will be vigilant for contracts with this requirement and will review their subcontracts and similar arrangements to ensure an ability to comply with these requirements.
New cybersecurity requirements on the horizon
In addition to existing regulations and requirements, the federal government’s current activities to advance its proactive response to cybersecurity concerns include a variety of other new regulations and rulemaking aimed at curbing the cybersecurity threat.
Many of these upcoming requirements will also directly impact the public procurement system and federal government contractors. For example, there is a currently proposed amendment to the FAR that addresses cybersecurity. The “Basic Safeguarding of Contractor Information Systems” rule (read the proposed rule) contains new requirements for safeguarding contractor information systems that contain non-public information provided by, or generated for, the government.
The new proposed requirement will apply to all US federal solicitations and contracts, including commercial item contracts, and will flow down to all lower-tier subcontractors where applicable. The proposed rule addresses unclassified information held, transiting or processed on contractor information systems. Under the proposed rule, contractors are barred from accessing protected information on computers that do not have access control; will be required to protect information both electronically (i.e., via password and login) and physically (i.e., via locked container); and must provide current malware protection services. While many of these requirements are already common practices for many, if not most, federal contractors, the proposed FAR rule will still have transactional implications in the form of the documentation or other proof that contractors will need to provide in order to confirm that their IT systems meet the requirements.
Additionally, the proposed rule will require contractors to add these aspects of their operations to the gamut of their contractor compliance program. It remains to be seen, however, how this new rule will be enforced – will agency personnel have the right to inspect a contractor’s IT system? How will violations be adjudicated and enforced?
Cybersecurity: not just for US public procurements any more
Cybersecurity is also a significant issue for contractors working outside of the United States on European Union and other non-US. public procurement matters. For example, the EU Commission has published its proposal for a European cybersecurity strategy, together with a draft directive for consideration by the EU Parliament. Contractors can find more information on the EU initiatives in DLA Piper’s Cybersecurity Law Alert “EU releases cybersecurity strategy.”
Practical considerations for US federal contractors
For government contractors, awareness of, and compliance with, the existing and new rules addressing cybersecurity is of paramount importance for many reasons. Contractors must be on top of evolving cybersecurity requirements to remain competitive for new contract awards and to maintain a competitive advantage for the award of new task orders or purchase orders under existing contracts.
A few example of practical pointers towards this end include:
All contractors should, as a practical matter, adhere to certain best practices. For example, contractors are well advised to develop a relationship with local law enforcement officials in case a cybersecurity breach occurs. To this point, every contractor should have an emergency plan in place that describes how to respond to a cyberattack, including a system for contacting impacted parties (such as the government or higher-level contractors).
When responding to solicitations, contractors should carefully review any cybersecurity requirements and should consider expressly addressing the firm’s approach to the requirement, including all “value add” features or other favorable discriminators in the proposal.
Contractors should constantly track cybersecurity legislation, planning ahead for full corporate compliance.
When dealing with prime or subcontracts, contractors should review all disclosure requirements, noting any responsibilities related to cybersecurity breaches.
Contractors should also bear in mind common-sense precautions:
When travelling overseas, particularly to destinations infamous for economic and industrial espionage, contractor employees should use a “clean” laptop and smartphone. Always keep in mind the very real state-sponsored efforts aiming to compromise or acquire your sensitive intellectual property and proprietary information.
At all times, contractor employees should use social media and social networking technology responsibly. Refrain from posting information that discloses proprietary and confidential matters or otherwise has potential industrial espionage value. Never disclose security clearances or other information in an online profile or online résumé - you may be hanging a target on yourself for adversaries seeking competitive intelligence.
Check on state and local government programs that may provide monetary, tax-relief and other incentives to contractors who make investments in cybersecurity. For example, Maryland Governor Martin O’Malley’s recently released proposed Fiscal Year 2014 budget seeks to provide funding to support private investment in the cybersecurity industry. Most notably, the budget proposal would provide US$3 million for a new refundable state tax credit, the CyberMaryland Investment Incentive Tax Credit Program, to generate investment in early-stage cybersecurity businesses in Maryland. See DLA Piper’s State and Local Tax Alert
, “Maryland Proposes Tax Credit to Support Investment in Cybersecurity Industry.”
As the threat of cyberattacks continues to grow, the number and complexity of cybersecurity regulations are likely to increase considerably. For government contractors, understanding the requirements, and implementing practical and cost-effective approaches to meet them, will be an increasingly formidable challenge.
For further information please contact Fern Lavallee or send a request to firstname.lastname@example.org.
YOU MAY ALSO ENJOY
DLA Piper's evolving library of writing on the latest developments in cybersecurity law.