The Obama Administration is considering new cyber-security guidance that, together with new rules from other federal agencies, effectively would impose stringent new cyber-security requirements and reporting obligations on government contractors and sub-contractors.
In early August the Office of Management and Budget released draft guidance intended to improve cyber-security protections in federal acquisitions, which effectively would impose new security controls and reporting obligations on federal contractors. OMB’s guidance would apply to federal acquisition of products or services that “generate, collect, maintain, disseminate, store, or provides access to” controlled unclassified information (CUI) on behalf of the government, OMB said.
Comments on the guidance are due by Sept. 10, with final guidance expected this fall.
The draft guidance follows a proposed rule issued in May by the National Archives and Records Administration (NARA), the agency responsible for creating uniform categories and sub-categories of CUI to be used throughout the executive branch and defining how that information should be protected. As a starting point, the proposed rule defines 23 categories and 82 sub-categories of CUI and describes which of those categories require special or additional safeguarding.
The OMB’s guidance and NARA’s proposed rule mark the start of more cyber-security standards to come, since they are likely to inform a new rule on CUI by the Federal Acquisition Regulation (FAR) Council, a cross-agency group that coordinates government procurement policy. That rule is expected in 2016.
“We anticipate in the coming months that the FAR Council is going to publish regulations that are going to more broadly apply cyber-security control requirements and reporting requirements on all federal acquisitions,” says Phillip Seckman, a partner with law firm Dentons.
The OMB guidance relies heavily on existing guidelines established by the National Institute of Standards and Technology, a unit of the Commerce Department that has little binding regulatory power but still carries much weight in these policy debates. Under the OMB guidance, for example, contractor information systems that operate on behalf of the government would have to comply with stringent requirements set forth in NIST’s Special Publication 800-53, which sets forth strict security and privacy controls for federal information systems and organizations.
In contrast, a contractor that will be providing a product or service for the government on a contractor’s own internal system will be subject to less stringent controls—set forth in NIST 800-171. Issued in June, NIST 800-171 prescribes a less onerous set of requirements on contractors for protecting CUI residing on non-federal information systems and organizations. “At a minimum, contractors should test their system against the requirements in NIST 800-171,” says Mary Elizabeth Bosco, a partner with law firm Holland & Knight.
The OMB guidance would apply broadly to both prime contractor and sub-contractor information systems containing CUI related to federal acquisitions. “This is a bellwether for anybody that does work with the government,” says Lawrence Prosen, a partner with law firm Thompson Hine. Prime contractors and sub-contractors should take this as a signal that they need to start now to get their systems up to current security expectations, he says.
The good news: “Most of the large government contractors that do a large percentage of their work with the government already have systems that can be brought into compliance fairly quickly,” Bosco says.
Some companies contracting with the Department of Defense, for example, that deal specifically with “unclassified controlled technical information” already are required to implement a host of cyber-security compliance and reporting requirements. “The large, federal prime contractors that have been doing business with DoD are likely not going to have to do a whole lot,” Seckman says.
The biggest compliance burden will fall on small to mid-sized contractors that likely will need to revamp their security systems. Foremost, they will need to take a look at their contracts to figure out which cyber-security compliance requirements they’ll have to follow.
Below is an excerpt from the OMB’s cyber-security guidance.
2. Cyber Incident Reporting
For purposes of this guidance, “cyber incident” means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. Cyber incident reporting requirements for systems operated on behalf of the government and contractors’ internal systems are similar. The only distinction is that the reporting of cyber incidents affecting a contractor’s internal system is limited to incidents affecting CUI, not every cyber incident affecting the contractor system.
Timely contractor reporting of all cyber incidents involving the loss of confidentiality, integrity, or availability of data is critical to the Government’s ability to determine appropriate response actions and minimize harm from incidents. During the Councils’ consultation with agencies, it was determined that agency contracts often lack language governing when and how contractors are required to report information security incidents when they occur and when and how contractors should provide notification of breaches to affected individuals and third parties. At a minimum, agency contractual language regarding incident reporting shall include the following:
Language to indicate that a cyber incident that is properly reported by the contractor shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for CUI;
The definition of what constitutes a cyber incident;
The required timeline for first reporting to the agency;
The types of information required in a cyber incident report to include: company and point of contact information, contract information, the type of information compromised;
The contractor shall send only one report to each agency POC identified in the contracts, not a report for each contract from that agency. The report may contain information required by other agencies, so one report may satisfy the requirements of multiple agencies; and
Specific government remedies if a contractor fails to report according to the agreed upon contractual language.
The specific requirements included in the contractual language shall be based on Federal law, OMB policies, NIST standards and guidelines, and other applicable standards and policies. This approach to reporting will promote timely and meaningful information sharing that allows both the contractor and the agency to work closely together to investigate the incident, identify affected individuals, quickly respond to the incident and take other appropriate actions as necessary.
In determining the appropriate timeline and reporting information, agencies shall comply with Federal law, relevant OMB policies, and NIST standards and guidelines. Agencies must also consider the sensitivity of the information stored by the contractor, the potential damage caused by delays in reporting, the requirements in the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) Federal Incident Notification Guidelines, or other risk factors, as deemed appropriate by an agency.
At a minimum, contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) within the timeline agreed upon in the contract. All known cyber incidents in contractor internal systems must be reported if they involve the CUI in the system, but the contractor does not have to report all known or suspected cyber incidents. In addition to reporting to the SOC, the contractor shall also report the security incident to the:
Contracting Officer (CO);
Contracting Officer Representative (COR);
Chief Information Security Officer (CISO); and
Senior agency official for privacy (SAOP).
From a practical standpoint, contractors will have to weave through a maze of potential rules, depending on the prime contracts or sub-contracts they receive. “You’re going to have to figure out the common denominator in terms of cyber-security compliance requirements,” Seckman says.
If contractors and their sub-contractors are performing a number of different contracts—each with different cyber-security requirements, but all on a shared information system—you’re going to have to adopt the more rigorous standards to ensure you’re in compliance, he says.
Beyond security controls, the OMB guidance also sets forth new reporting obligations in the event of a cyber-incident. Contractors that provide services for the government (as opposed to those that operate IT systems on behalf of the government) only have to report cyber-incidents that affect CUI, rather than every cyber-incident affecting the contractor’s system.
“At a minimum, contractual language shall ensure that all known or suspected cyber-incidents involving the loss of confidentiality, integrity, or availability of data for systems operated on behalf of the government are reported to the designated agency,” the OMB said.
As with the new security obligations, these new reporting requirements may prove burdensome for small to mid-size contractors that might not have the processes and procedures set up to identify a breach, Bosco says.
If a contractor fails to report an incident according to the language in the contract, the government may impose “remedies,” the OMB guidance says. It doesn’t describe exactly what those remedies might be, but they could range from withholding payment to reducing award fees or giving bad performance evaluations, Seckman says.
The draft guidance additionally requires monitoring of compliance with security measures. The OMB guidance expressly states that before an agency awards a contract, it will assess a bidder’s IT security systems. The agency can essentially require a contractor to hire a third party to assess its systems, or the government can come in and do the assessment itself, Bosco says.
Sub-contractor Due Diligence
Prime contractors ultimately will need to pass these new security and reporting requirements to their sub-contractors. That means prime contractors must decide what constitutes a reasonable amount of due diligence to perform on sub-contractors to ensure they’re in compliance too.
If a sub-contractor has a cyber-incident, it should have a clause in its sub-contract requiring that the incident be reported to the prime contractor, who can then report it to the government agency. “So the prime contractor needs to have some confidence that the sub-contractor has a monitoring capability to make them aware when they’ve had a cyber-incident,” Seckman says.
Prime contractors might also want to consider shortening the reporting time frame for their sub-contractors to provide enough time to assess the cyber-incident and report it to the government, Seckman adds. An indemnity policy is another idea worth considering, so that if the sub-contractor does experience a cyber-incident, the prime can protect itself when the government looks to the prime contractor to cover any damages sustained, he says.
As cyber-incidents grow more common (and more severe), government agencies likely will look more closely at a contractor’s past performance on IT security as they decide who gets future procurements, Seckman says. If you have frequent cyber-incidents, for example, that information could “haunt you” going forward. “That’s an additional incentive for contractors and sub-contractors to pay attention to this coming reality that everybody is going to need to get their cyber-house in order and be attentive to these requirements.”