FAR 52.204-21 And The Future Of Federal Cybersecurity Enforcement

Fox Rothschild LLP
Contact

Earlier this month, we had the pleasure of opening the 2017 Associated General Contractors of America Federal Contractor Conference in Washington, DC with a presentation focused on the emerging issue of Cybersecurity in Federal contracting.  Data breaches are big news in the private sector, but the issue has remained somewhat under the radar for public contracts – until now.

New rules and regulations (with the imminent promise of more on the way) are setting the stage for Cybersecurity to be the next big government enforcement target under the Civil False Claims Act (which the Department of Justice used to claw back $4.7 Billion in recoveries from Federal contractors in FY 2016 alone).

The New Cybersecurity FAR Clause

A Final Rule published by the Department of Defense, NASA, and the General Services Administration in 2016 created a new Federal Acquisition Regulation subpart (4.19) and contract clause (52.204-21) that deal exclusively with Cybersecurity.

The Regulation broadly applies to “covered contractor information systems” that process, store, or transmit “Federal contract information.”  These terms are interpreted expansively to cover any information provided by or transmitted to the Federal government in connection with contract performance.  In other words, if the new clause is not included in your Federal contracts yet, it soon will be.

The Regulation imposes 15 “basic” security controls for contractors.  The controls are intended to impose minimum safeguarding measures that the government believes any responsible contractor should have in place as part of the cost of doing business.  A complete list of the security controls is available here.

The DFARS Cybersecurity Clause

Compliance with FAR clause 52.204-21 should be viewed by contractors as a baseline Cybersecurity requirement – but it does not take the place of other, more complex requirements.

For example, DoD contractors must comply with DFARS 252.204-7012 (Safeguarding Covered Defense Information & Cyber Incident Reporting).  The DFARS clause is more far-reaching than the FAR clause, and includes investigation and rapid reporting requirements for breach incidents.  It also requires compliance with NIST 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) by no later than December 31, 2017.

Other requirements related to the handling of Classified and Controlled Unclassified Information also remain in place.  And we fully expect more (and more demanding) Cybersecurity requirements to be published by the government in the coming months and years.

The Contractor’s Guide to Cybersecurity Compliance

For Federal contractors, the future is now.

Cybersecurity requirements will soon be included in almost every Federal contract, so the only question is how to achieve and maintain compliance.

The good news is that compliance with FAR 52.204-21 is a great first step.  Again, the government considers the Regulation to be a basic safeguarding requirement that every responsible contractor should have in place.  If your business does not have at least those 15 security controls covered right now, it is time to figure out why.

To track and maintain compliance with expanding requirements, we also recommend making Cybersecurity part of your Federal Business Ethics and Compliance Program.

All Federal contractors have (or should have) a written Contractor Code of Business Ethics and Conduct.  The Code should be a living document that your business routinely updates and uses in connection with internal audits and employee training.

By adding Cybersecurity to your Ethics Program and written Code, you are ensuring that it becomes a part of your company’s culture.  You are also increasing the likelihood that Cybersecurity breaches, or other instances of non-compliance, are identified by your Internal Control System – not by the government.

Cybersecurity is an emerging, complex subject – but that does not mean that the government will relax its enforcement efforts while your business gets up to speed.  In fact, we think the opposite is true.  Contractors that do not make Cybersecurity compliance a priority now will be behind the power curve and are more likely to face harsh consequences (including False Claims Act allegations, suspension, or debarment) later down the road.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP
Contact
more
less

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.