cybersecurity challenges for government contractors

Transcription

1 24 Contract Management May 2012

2 Contract Management May

3 C ybersecurity is a hot topic these days for U.S. government contractors. While overall federal IT spending for 2013 is projected to decrease between 1 4 percent for the Department of Defense (DOD) and civilian agencies, federal investment in cybersecurity is expected to rise. Congress is actively debating enhanced cybersecurity legislation packages and IT specialists are furiously warding off the daily slog of hacks, worms, viruses, and intrusions. Recent high-profile attacks on commercial and government systems have heightened the industry-wide threat level, bringing increased scrutiny to attacks and efforts to evade them. 26 Contract Management May 2012

4 It goes without saying that the U.S. government s data and systems are a primary target of the hacker community, and government contractors are full partners in the government s cybersecurity efforts. Contractors must be invested in the government s holistic cybersecurity approach because contractors develop, operate, and maintain government systems and networks and frequently manage sensitive government data on their own networks. Contractor employees have ready access to sensitive government information, including personally-identifiable information (PII). Consequently, from a contract management perspective, contractors must be aware of a number of additional business and regulatory obligations that may impact contract compliance or the allocation of responsibility (and cost) in the event of a breach involving a government system or data. Seven of these issues are highlighted below. 1. What Does The Contract Say? There are surprisingly few uniform standards of care or cybersecurity requirements that apply to all government contracts. The Federal Acquisition Regulation (FAR) briefly addresses cyber issues in Part 39, but DOD recently acknowledged that the Defense FAR Supplement (DFARS) does not address safeguarding information on unclassified systems. 1 Instead, and primarily as a consequence of the patchwork controls implemented under the Federal Information Security Management Act, 2 cyber requirements vary by agency and contract. This fractured approach is by design it promotes maximum flexibility for agencies to tailor risk-based guidelines that match each agency s unique risk profile yet it nevertheless promotes an uneven contracting environment. For example, security requirements and standards of care are frequently incorporated into a contract s statement of work or performance work statement via line item references to various National Institute of Standards and Technology (NIST) standards or agency instructions or directions, and it is not uncommon for a contract to incorporate dozens of standards in this fashion. Contractors face risks if the operational team executing a contract is not familiar with those standards or if there are gaps between the standards of care that the contract requires and what the contractor delivers. If a contractor s failure to adhere to required standards of care creates or increases a system or network vulnerability that is exploited in a breach event, it is a recipe for a contractual headache (in addition to the practical problems that an intrusion brings). As a consequence, some contractors have found it useful to conduct a gap analysis on each of their IT contracts to ensure that they are meeting each of the standards incorporated into their contracts. 2. Do Your Company s Systems and Procedures Meet Proposed New Minimum Requirements? DOD s proposed rule on safeguarding unclassified DOD information 3 calls for basic and enhanced safeguarding techniques, which require a contractor s IT systems to meet minimum security requirements and its employees to follow basic security protocols. Although not final, and not without some shortcomings, the proposed rule telegraphs the direction that DOD, intelligence, and eventually civilian agencies will likely move. The proposed rule would establish new contractual obligations for DOD contractors who manage or have access to unclassified, nonpublic DOD information, requiring the contractor to maintain basic safeguarding protocols, including: Avoiding public computers or kiosks to access DOD information, Refraining from posting DOD information to publicly available websites, Transmitting electronic DOD information using only technologies that implement the best level of security and privacy available, Protecting electronic data at rest using login and password protection, and Sanitizing storage media prior to disposal. Contractors would also have to use current and regularly updated antivirus and antispyware software, and promptly install security relevant software upgrades, patches, service packs, and hot fixes. These basic safeguarding protocols are straightforward, but even simple new requirements may drive change within a contractor s organization. For example, a traveling employee may no longer be able to use a hotel business center to access the contractor s network, and a telecommuter may no longer be able to access the company network remotely unless the personal computer has updated virus protections. If nothing else, the proposed rule would put even more of a premium on contractor training to improve basic frontline defenses against cyber risks. For contractors with access to more sensitive DOD information, the proposed rule would require enhanced safeguarding measures that incorporate a number of DOD instructions and directives, and NIST Standard Publication , Recommended Security Controls for Federal Information Systems and Organizations, as the contractual baseline. That approach would standardize some of the security requirements that are already included in many (but not all) existing contracts. Contract Management May

5 3. Are Reporting Obligations Being Met? Cyber incident reporting likewise has few standardized requirements. Several large defense and telecommunications contractors also participate in a voluntary disclosure pilot program (initiated by DOD but recently transferred to the Department of Homeland Security) or have other disclosure agreements with agencies to facilitate information exchange and collaborate on network security. The clause at FAR requires a contractor to alert the government to new or unanticipated threats or hazards, including whether existing safeguards have ceased to function, and arguably that could impose a reporting obligation on a contractor for a breach. Individual contracts may also impose a reporting obligation to the contracting officer, and various state laws may impose reporting obligations when a breach involves PII. The DOD proposed rule on safeguarding unclassified DOD information would standardize incident reporting for all DOD contracts where the contractor has access to DOD information, requiring contractors to report situations in which DOD information residing on or transiting through a contractor s unclassified system is potentially exfiltrated or manipulated, or otherwise lost or compromised. The Securities and Exchange Commission has also waded into cybersecurity disclosure, issuing in October 2011 nonbinding Disclosure Guidance that stated its views regarding disclosure obligations relating to cybersecurity risks and cyber incidents for public companies, encouraging them to disclose known or threatened cyber incidents. 4. Do Your Company s Systems Adequately Segregate Government Information? For those contractors who conduct federal and commercial business over a single IT network, or rely on federal enclaves for government contracts, they need to be certain that those systems adequately segregate and protect government data. For example, contractors who generate or store data controlled by the International Traffic in Arms Regulations 28 Contract Management May 2012

6 Contract compliance, expanded FARther than ever The CCH Expanded FAR Matrix Tool, now searchable by Contract Type and Deliverable Fast, actionable information for contracting professionals. Developed by the trusted experts of Wolters Kluwer Law & Business, the CCH Expanded FAR Matrix Tool streamlines the cumbersome process of using Federal Acquisition Regulation Part to understand and document compliance issues related to the clauses and provisions in your contracts and solicitations. Whether you begin your report by selecting specific clauses, parts, or subchapters of the FAR, or if you start with contract type and applicability, the FAR Matrix Tool provides the accurate, up-to-date information professionals need to secure and perform government contracts successfully. Start saving time, money, and compliance integrity. Quickly identify reporting requirements, subcontract flowdowns, forms, and guidance specifically associated with your task, contract type, or deliverable. Dynamically create an organized chart to clarify responsibilities, and avoid penalties or adjustments on government contracts due to noncompliance. Ensure you are focused only on the clauses and provisions that apply specifically to your contract types and deliverables and stop spending additional resources on unnecessary compliance activities. Research, document, and report in just a few mouse clicks. Now you can begin your search by selecting one or more of the 19 contract types specified in the FAR, and continue filtering your results by applicability. Obtain plain English descriptions, and link to the full-text of each provision or clause, related agency supplements, archives, and amendments. View reporting requirements, link to associated forms, and clearly find subcontract flowdown requirements. Save, print, , or export your chart quickly and easily! Learn more at thefarmatrix.com or call

7 on their government systems need to be certain that non-u.s. persons who may operate on the commercial side of the business do not have access to controlled data so that there can be no improper deemed export. Likewise, if a contractor stores information that is unclassified standing alone, but when aggregated could be upgraded in classification, the system may need to have protocols in place to prevent improper aggregation. Each company s system architecture needs to be designed or revisited with concerns like these in mind. 5. Do Employees Have Access to Personally Identifiable Information? A recent proposed FAR rule, Privacy Training for Contractors, 4 would impose new training requirements for contractor employees who handle PII for the government or design, develop, maintain, operate, or have access to a government system of PII records. The proposed rule would extend Privacy Act 5 obligations to the contractor workforce, and require contracting officers to insert one of three new clauses requiring training into covered contracts. In anticipation of a final rule, contractors should identify employees who have access to PII, and be prepared to develop new training and compliance programs consistent with the proposed rule s guidance. 6. Do Employees Have Access to Shared Government Systems That Hold Source- Selection-Sensitive or Third-Party Proprietary Data? The temporary suspension of a large government contractor s business unit in June 2010 due to concerns regarding improper use and monitoring of a federal system was a wakeup call to many in the industry. 6 The incident served as a wake-up call that cybersecurity is not always about keeping bad actors out, but sometimes involves policing internal resources as well, especially when a contractor has shared access to government systems and networks that hold competitively sensitive information. It is not uncommon for government employees (and contractors) to use these shared sites to store sourceselection-sensitive or third-party proprietary data, sometimes (usually inadvertently) without adequate security controls to limit access or distribution. Contractor personnel must be trained to resist the temptation to troll these networks for improper competitive purposes. Moreover, contractors need to be sensitive to potential unequal access to information organizational conflicts of interest that might arise from access to government systems and networks if that access could be construed to create an unfair competitive advantage in a later competition. 7. Should Cybersecurity be Added to Your Due Diligence Checklist? Cybersecurity risks can manifest as contractual, past performance, and even suspension and debarment problems (e.g., L-3 s Membership 101 Looking for Leadership Experience? Relationships with Contract Management Professionals? Look no further become involved with chapter leadership to gain leadership experience and form relationships with your fellow chapter leaders. Contact your local chapter to get started. Members have access to tons of professional development articles like Seven Ways to Lead by Example in our April issue: membersonlyarticle 30 Contract Management May 2012

8 temporary suspension in June 2010). DOD already has the authority under Section 806 of the 2011 National Defense Authorization Act to exclude sources (including subcontractors) from competitions in connection with national security systems if the source poses a supply chain risk. Furthermore, a likely new trend in cybersecurity legislation currently pending in Congress will increase certification liability for contractors overseeing critical infrastructure, 7 raising further the risk of related False Claims Act 8 exposure. In light of these emerging business risks, companies may need to separately evaluate cybersecurity issues in connection with merger and acquisition due diligence. Conclusion By no means comprehensive, these questions should at least provoke some thought within contractor organizations. One thing is clear: Cybersecurity is one of the next big things in the federal space, and contractors need to be prepared to react and adjust as threats and requirements evolve. CM About the Author JON W. BURD is a lawyer in the Government Contracts Practice at Wiley Rein, LLP, in Washington, DC. He counsels U.S. government contractors and subcontractors on a range of legal matters and regularly litigates bid protests before the Government Accountability Office, the Court of Federal Claims, and federal agencies. He can be reached at or jburd@wileyrein.com. *This article was originally published in a publication of Wiley Rein, LLP, and provides general news about recent legal developments. It should not be construed as providing legal advice or legal opinions. You should consult an attorney for any specific legal questions. Send comments about this article to cm@ncmahq.org. Endnotes 1. See Safeguarding Unclassified DOD Information, DFARS Case 2011-D039, 76 Fed. Reg (June 29, 2011) U.S.C. 3541, et seq. 3. See 76 Fed. Reg See 76 Fed. Reg (October 14, 2011). 5. Public Law , 88 Stat See, e.g., Andrea Shalal-Esa, Lockheed Martin Special Ops Contract After L-3 Suspension, Reuters (June 21, 2010). 7. See The Cybersecurity Act of 2012 (S. 2105), Section 105 (requiring owners of covered critical infrastructure to report significant cyber incidents affecting covered critical infrastructure and certify, on an annual basis, in writing, to the secretary and head of the federal agency with responsibilities for regulating the security of the covered critical infrastructure whether the owner has developed and effectively implemented security measures sufficient to satisfy the risk-based security performance requirements established under the act) U.S.C Contract Management May