GOVERNMENT CONTRACTING INSIGHTS DEFENSE CONTRACTING
Implications of Cyber Clauses in Contracts
It is especially important for contractors to address compliance now because a government-wide federal acquisition rule is expected later this year and similar requirements are likely to be imposed outside of the Defense Department.
Here are some key issues for contractor consideration:
• Determine if covered defense information is present on IT systems: Under the interim rules, covered defense information is defined very broadly into four categories: controlled technical information; critical information; export controlled information; and a “catch all” provision that includes any information — marked or otherwise identified in the contract — that requires safeguarding or dissemination controls pursuant to “law, regulations and government-wide policies.” Given the breadth of these definitions, it is likely that most contracts will have covered defense information associated with them, but such an analysis is the first step. Unless a contractor’s IT systems are segregated between defense and commercial data, once a contractor accepts the Defense Federal Acquisition Regulation (DFARS) clause and covered defense information is present on its IT systems, the requirements of the interim rules will apply.
• Register for a Defense Department-approved medium assurance certificate: This is necessary to file a cyber incident report. Additional information about registration can be found at http://iase.disa.mil/pki/eca/Pages/index.aspx.
• Watch for modifications to existing contracts: Some defense contractors already have accepted the November 2013 version of the DFARS clause, which covered a narrower set of defense information and imposed different security controls than the NIST Special Publication (SP) 800-171 controls imposed by the interim rules. In the absence of a contract clause that expressly authorizes the contracting officer to revise, add or delete a clause without the contractor’s consent, the Defense Department should not be able to impose the new DFARS clause unilaterally. That being said, once a contractor accepts the new version of the clause in just one agreement, it may be in the contractor’s interest to amend earlier contracts so that its IT systems are not subject to differing security requirements.
• Assess IT security controls: The interim rules impose different requirements for contractor security controls depending on the type of system that is being provided to the government. If the contractor will be operating an IT system “on behalf of the government,” the controls must either meet those specified in the systems requirement guide for cloud systems or the unique requirements specified in the contract for a non-cloud system. For internal contractor systems that contain covered defense information, contractors must meet the security controls specified in SP 800-171. On Dec. 30, the Defense Department extended the time period that contractors have to implement SP 800-171 security controls until December 2017. But within 30 days of each contract award, contractors must either notify the chief information officer of any SP 800-171 security requirements that will not be implemented at the time of contract award, or gain approval for alternative but equally effective security measures from an authorized representative of the CIO.
• Contractors should determine if their IT systems do not meet the requirements in SP 800-171. The eventual submission to the government will address the vulnerabilities and associated mitigation strategies of a contractor’s IT systems. Given the significant legal risks that could result from a breach or other cybersecurity incident beyond contract performance issues, this document should be crafted under privilege and with great care. Such an analysis should avoid memorializing issues that might be of interest to U.S. regulators or potential third-party litigants. Further, to the extent that a subsequent cyber incident results from a vulnerability that was known to the contractor but not disclosed to the Defense Department, the document could subject a contractor to false statement, claim or breach allegations.
• Contractors should consider whether changes are needed to subcontracts, non-disclosure agreements and teaming agreements to address the requirements of the interim rules. These revisions should address security controls, reporting requirements, disclosure of contracting parties’ data to the government following a cyber incident, and protection of covered defense information and prime contractor information in the event of a subcontractor’s own cyber incident. The imposition of these obligations may affect a subcontractor’s willingness to contract, and this may encourage contractors to develop a broader array of potential teaming partners.
• Contractors should evaluate their existing processes and procedures impacted by the interim rules. In so doing, they need to consider issues beyond the obvious technical challenges imposed by the DFARS requirements.
Among the areas that contractors should evaluate: Notifying the Defense Department within 30 days of award of a covered contract of any SP 800-1717 security controls that the contractor has not yet implemented, or any alternative security controls that the contractor has substituted for such controls; accepting clauses from the government or prime contractors; imposing subcontractor flow down requirements; evaluating data that must be produced in the event of a cyber incident; overseeing subcontractor cyber incidents to ensure protection of covered defense information and the prime contractor’s proprietary data; updating non-disclosure and teaming agreements and subcontract templates; maintaining compliance with security requirements and tracking revisions to SP 800-171, 800-53 and SRG controls as applicable; and reporting of cyber incidents.
Susan B. Cassidy is a partner with Covington & Burling LLP in Washington, D.C. and specializes in government procurement law.
Topics: Defense Contracting