So you want to acquire a government contractor? Makes sense, and you’re not alone. Over the past few years, the federal contracting landscape continues to evolve as a result of mergers and acquisitions (M&A), primarily involving the acquisition of small and midsize contractors by larger entities as a means to quickly expand into new federal markets. This trend is especially prevalent in the information technology (IT) market, where the acquisition of small or midsize IT firms with new capabilities can provide larger firms with shiny new toys to share with their roster of government clients to gain a larger share of the federal IT “pie,” if not create—almost overnight—new IT market leaders in areas such as cloud computing, cybersecurity, software, and predictive intelligence.
And while a degree of risk is inherent in any business acquisition, it is especially palpable in the acquisition of federal IT contractors, who are responsible for navigating and ensuring compliance with the ever-shifting landscape of federal cybersecurity provisions in order to continue doing business with the federal government. With the continued focus on federal cybersecurity standards (Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 3, Cybersecurity Maturity Model Certification (CMMC), etc.), it is critical for contractors seeking to acquire IT capabilities through the M&A process to ensure that new acquisitions don’t become a Trojan Horse of “cyber risk” and liability. Moreover, a target’s questionable cybersecurity compliance can also materially affect the terms, purchase price, post-closing indemnity obligations of the parties, and, in extreme cases, influence a buyer’s decision to walk away from the deal. Verizon’s proposed $4.8 billion acquisition of Yahoo in 2017 underscores this point. During that acquisition, two prior Yahoo customer data breaches were discovered. As a result, Verizon cut roughly $350 million from its offer. Imagine the waking nightmare for federal contractors when, instead of simply affecting target valuation, a significant lapse in cybersecurity compliance could incur False Claims Act liability or suspension and debarment.
To mitigate this risk, due diligence—a critical aspect of the M&A process—aims to identify upfront liabilities and areas of potential risk exposure of an entity targeted for acquisition by assessing and quantifying risk. But buyers that don’t understand, or ignore, a target’s lapses in compliance with federal cybersecurity requirements during the due diligence phase run an increased risk of neither understanding the actual value of the assets acquired nor the significance of the liabilities it may incur post-closing.
Below, we briefly explain federal cybersecurity standards, why small and midsize contractors may have difficulty complying with the federal standards, and how buyers can mitigate the risk of noncompliance through targeted due diligence.
Federal Cybersecurity Framework
The granular details of contractor compliance with federal cybersecurity regulations are beyond the scope of this article, but can be found throughout this Blog. However, the following broad overview of the Department of Defense (DoD) cybersecurity regulations provides some insight into the sometimes daunting task of ensuring compliance with this framework.
All federal contractors, addressing needs for any government agency, must apply fifteen “basic safeguarding requirements” on “Federal contract information” residing on “Covered contractor information systems” as directed by Federal Acquisition Regulation (FAR) 52.204-21.
All DoD contractors must provide “adequate security” on all “covered contractor information systems” that store, process, or transmit certain sensitive information (i.e., Controlled Unclassified Information (CUI), such as Covered Defense Information (CDI)) by way of implementing (and maintaining) the basic safeguarding requirements articulated in DFARS 252.204-7012.
To meet this level of “adequate security,” required by this DFARS clause, a contractor must begin by implementing, at both the prime contractor level and all subsequent subcontractor levels, the 110 security safeguarding requirements detailed in NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations. Furthermore, the contractor must ensure that the integrity and availability of CDI is maintained, as is assumed by Appendix E of NIST SP 800-171 (most contractors forget or skip this part).
But the NIST SP 800-171 requirement may just be the tip of the iceberg for some DoD contractors. Depending on the type of protected information processed, stored, or transmitted by a contractor’s covered information system, even more security requirements may be mandated. Complicating matters further, the standards are in a constant state of flux, with new NIST requirements on the horizon and the DoD preparing to launch a new Cybersecurity Maturity Model Certification that will vary from the present DFARS and NIST requirements.
What Are the Difficulties Small or Midsize Contractors Face With Federal Cybersecurity Compliance, and Why Should Buyers Care?
For contractors without a robust cybersecurity framework in place, contractors that handle a limited amount of CUI, and contractors with few DoD opportunities, compliance with NIST SP 800-171 standards can be onerous and costly. This is especially true for small DoD contractors, as most face significant issues affecting regulatory compliance, such as lack of awareness of the DFARS and NIST regulations, lack of a comprehensive understanding of NIST 800-171 security controls and its holes, and, most significantly, a lack of financial and employee resources to implement the required safeguards.
Why should a buyer care about a small or midsize target’s difficulties in meeting federal cybersecurity standards? In a word—liability. The penalties of noncompliance with federal cybersecurity standards are real—a contractor with a noncompliant regime can be subject to costly state and federal litigation and administrative penalties. According to reports, Cisco Systems will pay up to $8.6 million to settle charges under state and federal False Claims Act that the company knew of critical security weaknesses in its video surveillance software. Meanwhile, a False Claims Act case based on failing to comply with DFARS 252.204-7012 survived the contractor’s motion to dismiss and is proceeding in the Eastern District of California. See United States of America ex rel. Brian Markus v. Aerojet Rocketdyne, Inc., 2019 WL 2024595 (E.D. Cal. May 8, 2019).
Litigation is but only one potential sanction for noncompliance. The Defense Contract Management Agency (DCMA) has been tapped to “validate, for contracts for which they provide contract administration and oversight, contractor compliance with the requirements of DFARS 252.204-7012” and NIST SP 800-171 for contractors and their supply chains. Under this new authority, DCMA auditors may identify deficiencies in contractor efforts to safeguard CDI and management of cybersecurity requirements throughout the contractor’s supply chain. If a DCMA auditor determines that a “significant deficiency” is present in a contractor’s systems, a contracting officer may withhold money owed to a contractor. Finally, a contractor could be subject to suspension or debarment from competing for federal contracts for failure to comply with DFARS 252.204-7012 and NIST SP 800-171. Essentially, a lack of proper cybersecurity by the target in an acquisition could mean a complete lack of value for the buyer.
How Should a Buyer Use Due Diligence to Mitigate Cyber Risk When Acquiring a Small Contractor?
Cybersecurity due diligence might not yield precise results, but it has the capability to provide a buyer with a more exacting picture of whether the target meets the safeguarding and monitoring controls instituted for federal contractors. With such a picture in hand, the buyer will be in a better position to structure the acquisition to mitigate the risks identified.
As an initial matter, to help mitigate any “cyber risk” or unforeseen liability related to a target’s systems, the buyer’s cybersecurity due diligence questions and document request list should be tailored to the scope of the target’s current federal contracts and geared toward requesting information and identifying documents regarding the target’s IT framework, security measures, and attendant level of regulatory compliance.
Accordingly, diligence questions and requests should include but not be limited to: (1) what type of sensitive information, if any, is stored, processed, or transmitted on the target’s systems; (2) information regarding the target’s compliance with DFARS 252.204-7012, NIST 800-171, and related contractual requirements; (3) the target’s IT policies, procedures, and standard practices; (4) whether the target’s systems have been subject to any breach or prior unauthorized access; and (5) information about cybersecurity compliance at every level of the target’s supply chain. To facilitate this effort, we suggest employing, in part, NIST SP 800-171A, Assessing Security Requirements for CUI. This document is a tool intended to provide contractors with a methodology to evaluate their systems’ conformance with the rigors of the NIST SP 800-171 security requirements. As such, SP 800-171A can provide acquiring companies with generalized, flexible, and customizable assessment procedures for each of the 110 NIST SP 800-171 controls. It can also be used by the soon-to-be-acquired company to better position itself for acquisition.
Consideration of how the buyer can protect itself from the effects of the target’s potential noncompliance with federal cybersecurity regulations in the acquisition agreement is also warranted.
Consider what type of information the target contractor processes, transmits, or stores on its systems. If the target doesn’t possess, store, or transmit CUI or CDI on its systems, it will, most likely, have to meet only minimal cybersecurity requirements. Conversely, targets storing, handling, or transmitting CDI must comply with all NIST 800-171 standards. It follows that the required level of compliance informs the level of due diligence required when reviewing a target’s internal systems.
Consider the extent to which the target complies with DFARS 252.204-7012, NIST SP 800-171, and other applicable contractual requirements. As discussed above, DFARS 252.204-7012 and NIST 800-171, in addition to other applicable clauses, impose obligations on contractors handling sensitive data to meet certain cybersecurity standards. For example, NIST SP 800-171B, Enhanced Security Requirements for Critical Programs and High Value Assets, offers additional directions for protecting CUI in contractor systems when that information invites a higher risk of unauthorized exposure. For contractors required to comply with NIST SP 800-171B, each will be faced with 33 additional security requirements (on top of the “minimum” security requirements mandated by NIST 800-171). It is critical to identify in the contracts held by the target the applicable cybersecurity legal obligations for which it has signed up, and to evaluate the current status of the target’s compliance with those obligations. This will facilitate a better evaluation of the risks posed by any failure of such compliance.
Consider whether the target has appropriate and effective internal IT policies and procedures. Compliance with DFARS 252.204-7012 and NIST 800-171 cybersecurity regulations also entails that contractors have robust internal policies and procedures, including, but not limited to, a System Security Plan, Plans of Actions and Milestones, and an Incident Response Plan keyed into contractual reporting requirements upon an occurrence of a “cybersecurity incident.” In addition to document requests, the buyer should interview the target’s CIO (or better yet, its Chief Information Security Officer, if the target has one) and its employees charged with overseeing the target’s IT systems. Questions to ask the target include:
Does the target conduct regular risk assessments to identify the threats and potential risks to CUI on its systems
Does the target engage in regular monitoring and testing of its cybersecurity controls to ensure they are effectively deployed and perform properly?
Does the target regularly review and adjust its cybersecurity program in tune with changing federal cybersecurity requirements
Does the target address the impact of any of third-party access to its systems (e.g., by third-party vendors, cloud providers, or outsourced providers)?
Consider whether the target’s systems have been subjected to a security breach or unauthorized access. Details about how the target identified, assessed, and resolved past security attacks or breaches will not only demonstrate the effectiveness of the target’s security measures but also provide insight into potential areas of weakness in the target’s systems.
Consider the target’s entire supply chain. A buyer’s due diligence should also assess whether the target’s cybersecurity compliance is maintained throughout the target’s supply chain. This will help mitigate the risk of potential liability emanating from a purchasing system audit.
Consider post-merger integration issues. The results of a buyer’s cybersecurity due diligence will also play a large role post-closing. Buyers should consider how the target’s CUI, if applicable, will migrate to the buyer’s system, and how the target’s internal systems will mesh with the buyer’s existing systems. For example, buyers should consider:
What type of data does the target handle
If the target’s sensitive data (e.g., CUI) migrates to my system, will I need to update or enhance my systems to meet federal cybersecurity standards? If so, what will be the cost?
Consider building protections to mitigate the target’s potential noncompliance with federal cybersecurity regulations into the acquisition agreement’s representations and warranties. The acquisition agreement can also be influenced by the results of the buyer’s cybersecurity due diligence. In the event that due diligence reveals a target’s noncompliance with DFARS 252.204-7012 and/or NIST 800-171 regulations, the buyer can build extra protections into the terms of the acquisition agreement, such as the representations and warranties to be made by the parties, the target’s actions to be taken prior to closing to rectify identified compliance gaps (or to prevent future noncompliance) with federal cybersecurity regulations, and the inclusion of indemnification protection and indemnity escrows to provide some measure of risk abatement for unexpected compliance issues arising after closing.
Unlike Chia Pets and hairstyles, cybersecurity compliance is not a passing fad. Overlooking cybersecurity during due diligence or conducting a shallow review of a target’s compliance footprint (including other obligations predicated on FAR/DFARS clauses, federal labor standards, export control regimes (e.g., ITAR, EAR), CFIUS (if foreign ownership/control of a target exists), and Small Business Administration standards (e.g., size standards, socioeconomic program compliance)) means ignoring the significant repercussions for government contractors resulting from noncompliance. Indeed, irresponsible buyers could be on the hook for noncompliance penalties associated with a new acquisition that far exceeds the acquisition’s purchase price. Given the increasing importance of compliance with cybersecurity regulations, buyers should retain counsel with expertise on obligations inherent in contracting with the government and federal cybersecurity standards, and have these subject matter experts involved throughout the deal process.