Kaspersky Lab is once again in the news as questions are being raised about the role of Kaspersky software in a reported hack of the National Security Agency. The story repeats the all-too-frequent scenario of an employee—in this case a government contractor—transferring files from work to his home computer and that action leading to the disclosure of sensitive information.  In this case the data is said to have included “highly classified U.S. cyber secrets” and Russian hackers are alleged to have accessed the employee’s home computer through Kaspersky software. Kaspersky software, including popular antivirus tools, is developed by a company with alleged ties to the Russian government.

Last month the U.S. Department of Homeland Security (DHS) announced plans for the federal government to terminate “the use or presence of information security products, solutions, and services supplied directly or indirectly by AO Kaspersky Lab or related entities.” The federal government’s decision on Kaspersky reflects long-standing concerns about the company’s ties to the Russian Government and, in particular, to the Russian intelligence and security agency known as the Federal Service Bureau. U.S. media reports have highlighted worries that Kaspersky software and tools might be able to collect or otherwise be utilized to create opportunities for Russian cyber operations. Last week’s report about the hacking of the National Security Agency adds fuel to that fire, and it builds on tensions that have been exacerbated by Kaspersky’s efforts to publicly attribute certain cyber activities to the U.S. Government (which, it should be pointed out, Kaspersky has done in relation to other States as well).

The U.S. Government’s decision to remove Kaspersky software from government systems occurs against the backdrop of a heightened focus on cybersecurity across the federal government, including an Executive Order, additional Defense Department information security standards, and other new compliance requirements to be included in most federal contracts.  DHS required a plan to be developed by all federal agencies to remove the software within 90 days. What might this decision mean for government contractors currently using the software and/or tasked with removing the software from government systems?

At a minimum:

• Contractors should review and understand the changes clauses in any contract vehicles that might be used to order additional work related to the Kaspersky software order.
• Contractors should ensure they develop a strategy in disputing any potential “cardinal changes” to their contracts. This applies both to contractors being asked to perform the work and to contractors who might be able to perform the work only to see it awarded to a competitor outside the scope of an existing contract.
• To the extent agencies opt to use new procurement vehicles to comply with DHS’s order, contractors should pay close attention to the government’s competition rules, which risk being violated due to the short timeframe of the order.
• Finally, contractors should focus appropriate resources and energy on compliance with new cybersecurity requirements such as the DFARS imposition of the National Institute of Standards and Technology (NIST) Cybersecurity Framework by the end of the year. (For more on NIST-related obligations and guidance, see the draft update to the Framework, draft Implementation Guidance for Federal Agencies, and guidance on protecting Controlled Unclassified Information in nonfederal information systems and organizations.)

If federal agencies opt to implement DHS’s order through existing contract vehicles, then contractors may find themselves negotiating a work requirement and corresponding price through their contract vehicle’s changes clause. Government contracts generally incorporate by reference one of several FAR clauses that afford the contracting officer the authority to make changes within the scope of the contract.[1] Contractors should ensure that any change order is actually signed by the contracting officer, or risk non-payment if the government later claims the work was not properly authorized. In addition, contractors must keep detailed, contemporaneous records of costs incurred in performing work under the change order. If the price for the work is not negotiated beforehand, then the contractor may be required to submit a Request for Equitable Adjustment (REA) after the work is performed. Since REA amounts may be established using various calculation methods, contractors must maintain in-depth cost records – even when the change is to a fixed price contract.[2]

Contractors also must remain vigilant with respect to the U.S. Government’s competition requirements. The short timeline of DHS’s order makes it more likely that agencies will attempt to implement the order without normal competition processes. Contractors in line for such an award should work with their contracting officer to ensure that the agency follows the guidelines established in the Competition in Contracting Act (CICA) and implemented through the FAR and applicable supplements.[3] When work fits within the general scope of work for an existing contract, then contracting officers generally may order the work through a change order as outlined above. However, since the change order will be awarded without competition to ensure a fair and reasonable price, contractors should be ready to provide certified cost and pricing data – or other than certified cost and pricing data, depending on the size of the change order. Contractors who are not awarded the work should consider filing a bid protest if they believe the added scope of work exceeds the scope of the original contract and thus constitutes a “cardinal change.” If the new work is found to be a cardinal change, then the agency likely will be forced to conduct a full and open competition for the work instead of procuring it through a change order.

If the agency decides instead to implement DHS’s order using a sole source procurement, then the contractor receiving the award likewise should be familiar with the FAR’s competition requirements. Generally the contracting agency will be required to post a justification and authorization (J&A) explaining why competition was unavailable or not practical given the agency’s procurement needs. These decisions also can be challenged, so contractors should work to ensure that the government follows the correct procedures and uses reasoning in its J&A that can withstand scrutiny from disappointed contractors and adjudicative bodies such as the Government Accountability Office or the U.S. Court of Federal Claims. On the flip side, contractors hoping to perform the work must stay focused on J&A announcements (usually posted through FedBizOpps) so they can be challenged and the case made for full and open competition.

Finally, the DHS order is only one of a multitude of cybersecurity measures currently affecting federal contractors. Among the most important additional rules, new regulatory provisions incorporated into most contracts impose new cybersecurity standards that must be met within the next few months. For example, Department of Defense contracts containing DFARS 252.204-7008 require contractors to implement the security requirements specified by NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” Contractors are required to implement these NIST standards no later than December 31, 2017. Other potentially relevant cybersecurity contract clauses relate to safeguarding of contractor information systems, cloud computing services, and reporting of cyber incidents.[4]

The DHS Kaspersky order serves as a reminder to contractors of the requirements for both robust compliance practices and forward-thinking business strategies in order to succeed in the federal marketplace. (And it wouldn’t hurt to take a close look at who and what are protecting your networks and data.)

[1] See FAR 52.243-1, 52.243-2, 52.243-3.

[2] See, e.g., North Star Alaska Hous. Corp. v. United States, 76 Fed. Cl. 158 (2007); Lorentz Bruun Co., GSBCA No. 8505, 88-2 BCA ¶ 20,719; Raytheon Co. v. White, 305 F.3d 1354 (Fed. Cir. 2002).

[3] See FAR 6.1, 6.3.

[4] See, e.g., FAR 52.204-21, DFARS 252.204-7008, DFARS 252.204-7010, DFARS 252.204-7012.