If you are a contractor with the federal government, and if you are not already subject to regulations governing the security of your computer systems, you soon will be. On February 12, 2013, President Obama issued an Executive Order titled “Improving Critical Infrastructure Cybersecurity.” Section 8(e) of the Order gives DoD, GSA, and the Federal Acquisition Regulatory Council 120 days to make recommendations on the “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” The recommendations must also address steps to harmonize existing procurement regulations related to cybersecurity.
In order to assist in understanding how the actions outlined in the Executive Order could impact companies doing business with the federal government, this Client Alert summarizes the major cyber regulations already focusing on government contractors. It covers the existing GSA regulations, the proposed amendments to the Federal Acquisition Regulation (“FAR”) and the Defense FAR Supplement (“DFARS”), and the 2013 National Defense Authorization Act (“NDAA”) provisions. In addition to establishing minimum standards for cyber protection, these provisions offer opportunities for companies either to obtain procurement advantages or to sell their products and services to the government.
GSA’S CYBERSECURITY REQUIREMENTS
GSA released its cyber regulations in January 2012. They apply to GSA contracts for IT supplies, services or systems which involve physical or electronic access to non-classified government information supporting GSA’s mission. The basic requirements are:
IT Security Plan: Covered contractors must submit an IT security plan to their contracting officers within 30 days of contract award. The plan must include a continuous monitoring program to detect cyber intrusions.
Security Authorization: Within six months of award, contractors must submit either a self-certification to, or a third-party validation of, compliance with the National Institute of Standards and Technology (“NIST”) Special Publication 800-37.
Notice and Access: GSA contractors must notify GSA each time an employee with access to GSA information leaves or is hired. GSA is also entitled to access to contractor and subcontractor personnel for the purpose of inspection, investigation or audit relating to cybersecurity regulation.
DOD PROPOSED REGULATIONS
DoD proposed cyber regulations in 2011. Its most recent regulatory agenda projects the regulations to be finalized this year. The regulations cover non-public, non-classified DoD information resident on or transitioning through a contractor’s systems. The proposed rules divide covered information into two subsets, basic and enhanced information, with different protections applied to each.
Basic Information: This is non-public information (i.e., information not releasable under the Freedom of Information Act) used or generated in support of a DOD activity. Absent DOD’s determination that information is releasable, and with certain exceptions for audits and investigations, the proposed rules preclude contractors from releasing basic level information outside of their organizations or to employees or subcontractors who do not have a right to know the information.
In addition to this release restriction, the proposed rules identify specific, minimum protections for even “basic” information. These are:
Contractors cannot process government information on publicly-accessible computers or on company computers that do not have access control.
Contractors’ electronic transmission systems must provide “the best level of security and privacy available, given facilities, conditions, and environment.”
Voice data may only be transmitted when the user has reasonable assurance that access is limited only to authorized recipients.
When information is not being accessed, it must be protected by at least one physical barrier (e.g., lock or password).
Contractors must have procedures to clear information from devices before they are released or discarded.
Contractors must have minimum intrusion protections, including regularly updated malware protection and prompt application of security-related patches and upgrades.
Enhanced Information: The second category of covered information is “enhanced” information, which includes information designated by DOD as critical, information subject to the export control laws, information subject to DOD-specific FOIA directives, information designated as controlled information (such as “Official Use Only”), personal identification information, and certain technical information. To meet the enhanced protection requirements, a contractor’s security program will need to comply with the specific standards set forth in NIST Special Publication 800-53. Importantly, DOD’s proposal mandates reporting of cyber incidents affecting enhanced DOD information within 72 hours of discovery.
PROPOSED FAR REGULATIONS
A cyber amendment is also slated for the FAR. Once final, the new FAR clause will apply to contracts exceeding the simplified acquisition threshold ($150,000), including commercial acquisitions. The clause must be flowed down to subcontracts at any tier. The new clause, which will be in FAR Part 52.204, identifies seven basic safeguards for contractor information systems through which nonpublic information generated by or for the government either resides or transits. The basic safeguards identified in the proposed FAR amendment are similar to the ones governing DOD “basic” information:
Government information may not be processed on computers without access control or located in public areas. Similarly, government information cannot be posted on a public website. If posted to a website, the site must control access either through user identification or password, user certificate or other technical means, and must provide protection via use of security technologies.
Electronic information may be transmitted only on systems that utilize technologies and processes that provide the best level of security and privacy available, given facilities, conditions and threat level.
Transmission by voice or fax may only occur when the sender has a reasonable assurance that access is limited to authorized recipients.
Systems must be protected by at least one level of physical barrier and one level of electronic barrier, such as lock and key in conjunction with a password, when not in the direct control of the individual user.
Media that is being released or discarded must be cleared and sanitized.
The contractor must provide at least the following means of intrusion protection: Current and regularly updated malware protection, such as anti-virus software and anti-spyware software; and prompt application of security-related upgrades and patches.
Information may only be transferred to those subcontractors with a contractual need to have the information and who employ the safeguards described in the clause.
These proposed requirements will require covered contractors to review not just their hardware and software systems, but their facilities, employee practices, record-keeping systems, and subcontract relationships in order to ensure compliance.
THE NATIONAL DEFENSE AUTHORIZATION ACT
The 2013 NDAA instructs the Secretary of Defense to establish procedures requiring certain government contractors to report to DoD when one of their networks or information systems is “successfully penetrated.” Contractors covered by this provision are those holding security clearances. The procedures are due within 90 days of the NDAA’s enactment, which was January 2, 2013.
The NDAA requires the reports to include: (1) a description of the technique or method used in the system penetration; (2) if discovered and isolated, a sample of the malicious software; and (3) a summary of information that was potentially compromised by the penetration. While contractors handling classified information already are required to report unauthorized access to classified information, the NDAA’s new reporting regime covers a broader spectrum of incursion as it presumably will cover external penetration of any of a cleared contractor’s computer systems. Under the new procedures, DoD will be able to obtain access to the contractor’s equipment or information for the purposes of conducting a forensic analysis, subject to appropriate protections for trade secrets, other confidential business information, and personal identification information.
In addition to establishing mandatory reporting of cyber incursions by cleared contractors, the 2013 NDAA contains opportunities for companies providing software, systems, and system engineering to DoD. For example, Section 932 requires DoD to develop a strategy to acquire open-architecture, next-generation, host-based cybersecurity tools and equipment in time for inclusion in the FY 2015 budget. Similarly, the agency is to develop a baseline software assurance policy for all major software systems, and it must prepare an analysis of available large-scale software database or data analysis tools and determine whether to acquire such tools from the private sector.
This year will bring significant Congressional and executive branch cybersecurity activity. For government contractors, the proposed FAR and DFARS regulations provide a roadmap to prepare for the requirements that are certain to come. There will also be business opportunities. President Obama’s Executive Order envisions procurement preferences for companies with robust cybersecurity policies and procedures in place. The NDAA signals new DoD system standards that will require the supply of innovative software and hardware solutions to the agency.