Virtually All Contractors Subject To New Cybersecurity Rule

All told, while it requires concerted focus on compliance, the rule is likely to be taken as more limited and palatable to defense contractors than the DOD’s now 10-month-old Defense Federal Acquisition Regulation Supplement rule, which was first implemented last August to address “enhanced safeguarding for certain sensitive DOD information” on contractor systems.[2] In fact, in comparison to the DFARS, it may be more illustrative to describe what the rule does not do:


• The rule does not include any mandatory cyberincident reporting requirements or other elements or provisions related to cyberincident response, analysis or data collection.


• The rule also does not require federal contractors governed only by this cybersecurity rule (as opposed to the DFARS rule) to provide the DOD with access to additional information or equipment necessary to conduct a forensic analysis in the event of a cyberincident.

Both of these elements of the recent DFARS rule on safeguarding covered defense information have proven to be some of the most troubling for defense contractors.[3] Furthermore:


• The rule does not require federal contractors to meet the full set of controls from National Institute of Standards and Technology Special Publication (SP) 800-171, the standard governing most systems covered by the DFARS rule.


• The rule does not specifically address cloud computing or prescribe any controls or requirements that directly address the use of cloud solutions.


• Also unlike the DFARS rule,[4] this new Federal Acquisition Regulation clause is not mandated for commercial off-the-shelf acquisitions (though it is mandatory for other commercial items under Part 12).

However, the Federal Register announcement of the rule states that the rule is only “intended to provide a basic set of protections for all Federal contract information” and that “other rules” that will build on this rule are forthcoming, such as a rule to protect controlled unclassified information (CUI) including personally identifiable information.[5] In fact, the Federal Register notice indicates that the DOD, NASA and the GSA “plan to develop regulatory changes for the FAR in coordination with National Archives and Records Administration (NARA) which is separately finalizing a rule to implement E.O. 13556 addressing CUI.”[6]

The agencies assert that “[a]ll of these actions should help, among other things, clarify the application of the Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) information systems requirements to contractors and, by doing so, help to create greater consistency, where appropriate, in safeguarding practices across agencies.”[7]

Covered Contractor Systems

Most federal contractor information systems are likely to be covered by this new FAR clause. The FAR now requires that the new clause (FAR part 52.204-21), be inserted into contracts, “including acquisitions of commercial items other than commercially available off-the-shelf items ... when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system.”[8] Notably, the “may have” language in this implementing provision of the FAR suggests that many contracts will contain the clause, even if there is only a possibility that a contractor will process, store, or transmit “Federal contract information.”

That being said, federal contract information is a newly defined term that is rather broad. It is defined to mean “information, not intended for public release, that is”:


• provided by or generated for the government
• under a contract
• to develop or deliver a product or service to the government.[9]

However, the term does not include “information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments.”[10] In turn, a covered contractor information system is “an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.”[11] Given how broadly the definition of “federal contract information” could be interpreted, it is likely that most federal contractors will own or operate at least some “covered contractor information systems.”[12]

The clause will also cover many subcontracts at any tier, as the clause itself requires contractors to flow down the clause (including the flowdown requirement itself), “in subcontracts under [the] contract (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system.”[13]

“Safeguarding” Requirements and Procedures

Substantively, the clause requires that the contractor or subcontractor apply, at a minimum, the following security controls on covered systems to satisfy the requirement that the contractor provide a basic level of “safeguarding” of federal contract information:

1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

3. Verify and control/limit connections to and use of external information systems.

4. Control information posted or processed on publicly accessible information systems.

5. Identify information system users, processes acting on behalf of users, or devices.

6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

12. Identify, report, and correct information and information system flaws in a timely manner.

13. Provide protection from malicious code at appropriate locations within organizational information systems.

14. Update malicious code protection mechanisms when new releases are available.

15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.[14]

Notably, although the Federal Register notice indicates that these controls were derived from NIST SP 800-171,[15] the rule does not require that contractors turn to the NIST SP, nor any other particular resource or set of descriptive or prescriptive controls to satisfy the rule. The agencies reiterate that the rule requires “only the most basic level of safeguarding” and suggest that “[a] prudent business person would employ this most basic level of safeguarding, even if not covered by this rule.”[16] Because the rule includes an express set of controls, rather than relying on a separate standard like NIST SP 800-171 as the basis for the requirements, amendments to augment the required controls are likely over time.

Conclusion

While the new rule appears to be merely one small step in terms of the cybersecurity requirements imposed on federal contractors, the rule is one giant leap in that federal contractors are no longer left to their own devices to determine what cybersecurity controls are minimally required to adequately protect federal contract information. It is likely that this rule is the first in a long-term series of mandates by the government regulating the safeguarding of federal contractor information systems.

—By Ronald D. Lee, Charles A. Blanchard, Nicholas L. Townsend and Tom McSorley, Arnold & Porter LLP

Ronald Lee is a partner at Arnold & Porter, former general counsel of the National Security Agency and former associate deputy attorney general of the U.S. Department of Justice. Charles Blanchard is a partner at the firm and former general counsel of the U.S. Air Force and the Army. Nicholas Townsend is counsel and Tom McSorley is an associate. They are all based in the firm's Washington, D.C., office, practicing in cybersecurity, government contracts and national security matters.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] See https://federalregister.gov/a/2016-11001.

[2] Id. See also Two More Years: DoD Gives Defense Contractors Until December 31, 2017, to Comply With Baseline “Adequate” Cybersecurity Requirements, available here: http://www.arnoldporter.com/en/perspectives/publications/2016/1/two-more-years_dod-gives-defense-contractors; and Defense Contractors Subject to New Cybersecurity and Cloud Computing Regulations, available here: http://www.arnoldporter.com/en/perspectives/publications/2015/09/defense-contractors-subject-to-new-cybersecurity__.

[3] See https://federalregister.gov/a/2015-32869; https://federalregister.gov/a/2015-20870.

[4] DFARS part 204.7304(c).

[5] See https://federalregister.gov/a/2016-11001.

[6] Id.

[7] Id.

[8] See FAR subpart 4.19.

[9] See FAR 52.204-21(a).

[10] Id.

[11] Id.

[12] Id. The new rule also defines “information system” to mean “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. 3502).”

[13] See FAR part 52.204-21(c).

[14] See FAR part 52.204-21(b).

[15] See https://federalregister.gov/a/2016-11001 (“The final rule replaces the requirements in the proposed rule with requirements from NIST guidelines (NIST SP 800-171), which are appropriate to the level of technology, and are updated as technology changes. Flexibility is provided for specific implementation.”).

[16] See https://federalregister.gov/a/2016-11001.