For years, the federal contracting community has closely monitored the Department of Defense’s (DOD) oft-delayed Cybersecurity Maturity Model Certification (CMMC) program—now on iteration 2.0—as the forefront of cybersecurity obligations. That focus may soon be expanding. Contractors outside of DOD’s orbit may soon be subject to similar requirements. Civilian agency contractors should start preparing now for an enhanced cybersecurity proposed rule to prevent gaps or issues when the regulation goes into effect—not to mention that robust cybersecurity protection is simply good business. On June 6, 2023, PilieroMazza attorneys will present a webinar on “Cybersecurity for Government Contractors: Success Through Compliance Readiness” to cover these and other cybersecurity-related topics.
Background
The Federal Acquisition Regulatory Council (FAR Council) announced it was preparing a proposed rule to standardize cybersecurity requirements for unclassified Federal Information Systems across federal agencies in accordance with the directives in Executive Order 14028, Improving the Nation’s Cybersecurity. Although the FAR Council has not provided any timeline for the publication of the proposed rule, it is anticipated that it will come out later this year. Even before the proposed rule is released, federal contractors will need to be cognizant of their cybersecurity obligations—from the existing FAR and agency supplement requirements to more robust obligations being contemplated for the near future. As with all proposed rules, contractors will have at least 60 days to comment and, assuming it is not issued as an interim rule, will be afforded additional time before the rule goes into effect.
Existing Civilian Agency Cybersecurity Obligations
Currently, federal contractors must protect Federal Contract Information (FCI) using the 15 minimum security controls described in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. That clause broadly defines FCI, meaning that the 15 basic security controls apply to most, but not all, of the federal contracting community. These include requirements to limit system access to authorized individuals, escort and monitor visitors, and update malicious code protection mechanisms when new releases are available. The 15 controls, however, set the floor of cybersecurity requirements and can hardly be described as a robust or even adequate cybersecurity program. For example, they do not address breach notification obligations or the longer list of requirements within the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 (rev. 2) (NIST SP 800-171), which will likely be center-stage in DOD’s CMMC 2.0 program.
Beyond FAR 52.204-21, some civilian agencies already impose additional agency-specific cybersecurity obligations, which suggest, if not outright require, that contractors meet the full NIST 800-171 standards. For instance, the Department of Homeland Security (DHS) has its own set of cybersecurity requirements. Those regulations instruct DHS contractors to complete a Cyber Hygiene Assessment and require compliance with the cybersecurity standards and protections in NIST 800-171 and NIST 800-172. Similarly, as PilieroMazza attorneys recently discussed, the Department of Veterans Affairs (VA) announced new cybersecurity regulations to protect its sensitive data and health information. Among other things, the VA’s regulations impose near real-time reporting requirements for security incidents and other varying degrees of cybersecurity requirements depending on the contract type. They also mandate adequate security controls, which suggests compliance with NIST 800-171.
Anticipated FAR Cybersecurity Obligations
Although PilieroMazza attorneys anticipate that other civilian agencies will impose increasingly stringent cybersecurity obligations on contractors on a contract-by-contract or agency-by-agency basis, the contemplated government-wide proposed FAR rule will suggest imposing a robust set of cybersecurity obligations across all agencies.
While the FAR Council has not released a draft yet, the rule’s abstract states that it will implement Sections 2(i) and 8(b) of President Biden’s Cybersecurity Executive Order, which identify the need for standardized cybersecurity requirements. These standardized obligations are likely to mirror the enhanced cybersecurity requirements contemplated under CMMC and NIST 800-171. Indeed, Ms. Stacy Bostjanick—Chief Defense Industrial Base Cybersecurity, Deputy Chief Information Officer for Cybersecurity (DCIO(CS)), Office of the Chief Information Officer—recently suggested that, like the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clauses, the new government-wide FAR obligations would impose the controls listed in NIST 800-171 and require third-party confirmation.
Contractors should take this opportunity to get ahead of these new regulations. While most contractors likely are already meeting at least some of the NIST 800-171 controls, it is unlikely that a company which has not specifically prepared for compliance meets the full set of requirements. Most companies, especially small businesses, struggle to fully comply with NIST 800-171 standards without outside assistance. For example, many popular commercial email systems do not meet all the necessary DOD requirements for handling Controlled Unclassified Information (CUI). As a result, companies would either need to change email systems or incorporate a patchwork of individual fixes to meet the controls.
Beyond the business and contracting advantages of improved cybersecurity, contractors that understand their current cybersecurity situation will also be able to provide more detailed and robust comments on the new proposed rules when issued. Being able to articulate specific compliance issues and costs is key to crafting persuasive and effective comments on the proposed rules, which would then shape any final rules.
Key Takeaways
Considering the government’s continued focus on cybersecurity, federal contractors in both the civilian and defense sectors should proactively assess and improve their cybersecurity hygiene. With broad cybersecurity regulations on the horizon for both defense and civilian contractors, now is a good time to start thinking about:
- Meeting Current Requirements. Ensuring compliance with any applicable agency-specific cybersecurity obligations and FAR 52.204-21, the Basic Safeguarding clause, through both internal reviews and external, third-party audits.
- Making Sure Partners Meet Current Requirements. Flowing down cybersecurity provisions and confirming subcontractors are complying with cybersecurity obligations as required by agency supplements and general best practices.
- Determining Scope of Future Compliance. Auditing current practices against NIST 800-171 and NIST 800-172 standards, as updated, which will likely serve as a foundation for any forthcoming cybersecurity regulations and may already be required.