For many years now, U.S. Department of Defense (“DoD”) contractors have been subject to special cybersecurity requirements and reporting obligations relating to “cyber incidents” that affect “covered defense information.” While civilian agencies have long required “basic” cybersecurity protections to be in place, and some have imposed incident reporting and enhanced security requirements, that has generally been the exception rather than the rule. Contractors who long enjoyed this “status quo” should be ready to face a deluge of new cybersecurity requirements that affect both DoD and civilian contractors.
As announced in President Biden’s May 12, 2021 Executive Order 14028 (Improving the Nation’s Cybersecurity), cybersecurity threats in all forms remain a national security priority. Accordingly, on October 3, 2023, the Federal Acquisition Regulatory Council (“FAR Council”) proposed two sets of changes to the Federal Acquisition Regulation (“FAR”): (1) FAR Case No. 2021-0017 (Cyber Threat and Incident Reporting and Incident Sharing); and (2) FAR Case No. 2021-0019 (Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems). These rules, as proposed, would have profound implications on almost all civilian and DoD contractors. Indeed, with regard to the first proposal, the government estimates that 75% of federal contractors would be impacted by the rule. State and local governments might also look to these rules for guidance. This alert addresses each set of rule changes in turn.
I. FAR Case No. 2021-0017 (Cyber Threat and Incident Reporting and Incident Sharing)
DoD contractors are familiar with the security, reporting, and other requirements under Defense Federal Acquisition Regulation Supplement (“DFARS”) clause 252.204-7012, and civilian agency and DoD contractors alike are already subject to the basic security requirements under FAR 52.204-21. However, the newly proposed FAR cybersecurity rule would escalate compliance risks significantly beyond those currently in place.
As proposed, the rule would require a lightning-quick, eight-hour turnaround for disclosing security incidents (which, besides cybersecurity intrusions, include likely or actual violations of law or of security policies and procedures, and the unauthorized transfer of classified information or controlled unclassified information) and would apply to all contractors where “information and communications technology” (or “ICT”) is used or provided by the contractor in the performance of a contract. ICT is defined in a broad and vague manner that is likely to rope in huge swaths of the federal contracting marketplace.[1] The rule, as proposed, would apply to all contracts; there are no exceptions for contracts below the simplified acquisition threshold, contracts for commercial products or services, or even commercial off-the-shelf contracts. In addition, the rule includes flow-down obligations to subcontractors that use ICT and, reciprocally, to their subcontractors that do the same.
As mentioned in passing above, under the proposed rule, contractors will have only eight hours from the discovery of an actual or potential security incident to report the incident to the Cybersecurity and Infrastructure Security Agency (“CISA”), with updates every 72 hours until the matter has been resolved. The rule does not provide guidance on determining what constitutes a potential intrusion, nor does it explain how the proposed timing and reporting requirements will integrate with DoD and other agency-specific contract clauses. However, as proposed, contractors will be required to certify that they have “submitted in a current, accurate, and complete manner, all security incident reports required” in order to be eligible to receive future contracts.
In addition, the proposed rule would impose two more material obligations on contractors. First, the rule would require contractors to maintain an updated software bill of materials (“SBOM”) and provide a copy of these materials for each piece of computer software used in contract performance, irrespective of whether a security incident is involved. Second, in connection with a security incident response, the proposed rule contemplates sharing information with the contracting officer, CISA, and/or the FBI and giving them access to the contractor’s personnel and facilities, including the obligation to allow the government to conduct an investigation and forensic analyses.
Contractors, lawyers, and consultants familiar with reporting under current DoD cybersecurity rules are aware that these rules can create a whole garden of thorny issues and risks. These questions often arise in the middle of extremely challenging and rapidly developing situations. This new proposed rule could make matters worse by layering new general/civilian requirements on top of existing DoD requirements, and by again failing to define key terms such as “potential” security incidents. On the other hand, sometimes vagueness is preferable to misguided clarity. Two things are clear – first, the rule as proposed would subject a multitude of federal contractors to costs and risks they should take very seriously, and second, contractors would be well advised to have policies and practices in place to guide them through current and developing cybersecurity requirements. We also suggest that companies and associations who may be justifiably alarmed by the proposed rule consider commenting on it by December 4, 2023, and consider proposing alternatives to the offending requirements and definitions that will promote clarity and realism while still meeting federal requirements.
II. FAR Case No. 2021-0019 (Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems)
Pursuant to this proposed rule, the FAR Council is proposing to clarify the appropriate FIPS-99 and FedRAMP security authorization levels that contractors will need to implement and follow when developing, operating, implementing, or maintaining a federal information system (“FIS”). The proposed rule should benefit contractors who perform such work in at least some ways, because it could provide more clarity in determining the level or standard of care to apply in safeguarding an FIS. However, if companies have not provided this level of care in the past, the rule may result in increased costs that will need to be considered and, if possible, recovered.
The proposed rule sets forth different criteria for cloud systems (i.e., FedRAMP) versus non-cloud systems, but the intent is similar, including subcontractor flow-downs on covered prime contracts. Notably, the proposed rule would impose obligations on contractors to indemnify the government for any liability “arising out of the performance of this contract…” and specifically mentions the contractor’s loss of government data, the introduction of certain types of information into government data, or the contractor’s unauthorized disclosure of such information. Under the indemnity change, moreover, it no longer appears that contractors will be able to rely upon a negligence defense against government claims. Any contractor who works with an FIS should consider carefully the potentially catastrophic liabilities this indemnity could impose upon them – or which an agency that is the subject of a cyberattack may claim that it imposes upon them. Contractors should consider commenting upon this aspect of the proposed rule as well as other issues, such as how it would apply to contracts and relationships that include some level of liability protection for contractors or subcontractors under FAR and DFARS clauses or specially negotiated provisions. Contractors should also consider their insurance protections and any costs associated with compliance.
III. Conclusion
It is premature to fully gauge the impact of the FAR Council’s proposals, as comments on these rules will not close until December 4, 2023. However, these high-priority proposals are the latest (but unlikely the last) indicia of the speed with which the government is proceeding to shore up its cybersecurity infrastructure. At this time, the rules, as proposed, raise more questions than they answer, but it is clear that they will have a substantial impact on contractors, which, among other things, may include forming specialized incident response teams, developing new policies and practices, maintaining detailed records on the company’s IT infrastructure, developing strategies to protect the company’s IP and trade secrets and those of others, properly coordinating and managing the scope and parameters of any audits, inspections, or investigations (especially by law enforcement), and assessing the potential risks imposed by these rules under the False Claims Act. Finally, cybersecurity is necessary, but someone must pay for all of this, and it will ultimately be the American taxpayer. Every company should have a plan for how it is going to avoid getting “stuck” paying for the new rules without being able to pass on those costs, or at least a fair share of them, to its customers. Companies that find ways to comply with the new rules efficiently will have an edge.
[1] The term broadly includes any information technology and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content.