Proposed FAR Security Incident Reporting Requirements: What You Need To Know
The Federal Acquisition Regulation (FAR) Council issued a proposed rule that, if enacted, would require federal contractors to comply with new security incident reporting obligations and other requirements that would apply to all FAR-covered contracts. Those requirements include security incident reporting in FAR 52.239-ZZ, “Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology,” and certification requirements in FAR 52.239-AA, “Security Incident and Reporting Representation.” Comments are due December 4.
Security Incident Reporting and Compliance Certification
Under the proposed rule, contractors performing covered contracts must, among other things, report to the Department of Homeland Security, Cybersecurity & Infrastructure Security Agency (CISA), within eight hours of discovery, “all security incidents involving a product or service provided to the Government that includes information and communications technology, or the information system used in developing or providing the product or service.” FAR 52.239-ZZ(b)(1)(i). Further, FAR 52.239-AA would require offerors to certify, and contractors to maintain correct certifications, that they have reported all security incidents in accordance with FAR 52.239-ZZ and have flowed down FAR 52.239-ZZ to their subcontractors. Offerors and contractors will need to thoroughly assess their compliance before making that representation to avoid liability, including under the False Claims Act (FCA).
Will FAR 52.239-ZZ apply to my contract? Almost certainly, yes. The clauses would apply to all solicitations, including contracts below the simplified acquisition threshold and for commercially available off-the-shelf items, where the contractor either uses or provides Information and Communications Technology (ICT) in performing a contract.
What is ICT? The proposed rule largely relies on FAR 2.101’s existing definition of ICT, which encompasses “information technology and other equipment, systems, technologies, or processes, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content.” That definition encompasses, among other things, “computers and peripheral equipment,” “telecommunications equipment” and “services,” “websites,” and “electronic documents.” New examples under the proposed rule include “Internet of Things (IoT) devices” (e.g., “smartphones and laptops”). In the modern era, it is difficult to envision a scenario in which a prime contractor or subcontractor does not use some form of ICT to develop a product or perform a service.
What is a “security incident”? FAR 52.239-ZZ(a) defines “security incident” broadly as:
- Any event or series of events, which pose(s) actual or imminent jeopardy, without lawful authority, to the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies
- Any malicious computer software discovered on an information system
- Transfer of classified or controlled unclassified information onto an information system not accredited (i.e., authorized) for the appropriate security level
What if I discover a “security incident”? Contractors would be required to “immediately and thoroughly investigate all indicators that a security incident may have occurred” and report the incident to CISA “within 8 hours of discovery that a security incident may have occurred.” FAR 52.239-ZZ(b)(3). Contractors must also “update the submission every 72 hours thereafter until the Contractor, the agency, and/or any investigating agencies have completed all eradication or remediation activities.” Id. In cases of malware, the contractor must “submit malicious code samples or artifacts to CISA.” FAR 52.239-ZZ(c)(5). Contractors must also, among other things, preserve images of affected systems and monitoring and packet capture data. That material must be retained for specific timeframes.
Do I have to provide the government with access to information and systems? Under the proposed rule, contractors would be required to collect and preserve numerous categories of data and, upon request, provide the government, namely CISA, the Federal Bureau of Investigation (FBI), the Department of Justice, and the contracting agency, with “full access” to systems and personnel. See, e.g., FAR 52.239-ZZ(c)(1), (4). Further, CISA and the FBI may have the right to perform a forensic analysis and conduct a detailed investigation. FAR 52.239-ZZ(c)(6). The FAR Council has requested comments on these information sharing and access provisions.
What is a software bill of materials (SBOM)? The proposed rule would also require contractors, regardless of whether a security incident occurs, to maintain and provide contracting agencies access to “a current SBOM for each piece of computer software used in performance of the contract.” FAR 52.239-ZZ(c)(3)(i). An SBOM details the “supply chain relationships of various components used in building software.” FAR 52.239-ZZ(a). The purpose of an SBOM is to allow contractors and agencies, following an incident, to determine which components and versions in the affected software carry known vulnerabilities. Agencies and contractors can then leverage that information to avoid future incidents.
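The following is an added illustration of the vulnerability-identification use described above; it is not part of the Advisory or of the proposed rule. It reads a small SBOM in the CycloneDX JSON shape and matches each component against a list of affected version ranges. Both the SBOM contents and the advisory list are constructed sample data with hypothetical component names and identifiers, and the version comparison is deliberately simple (dotted numeric versions only).

```python
"""Match a CycloneDX-style SBOM against a list of known-affected versions.

Added example; not from the FAR proposed rule or the Advisory. The SBOM and
the advisory list are constructed sample data (hypothetical components and
identifiers), not real software or real vulnerability records.
"""
import json
from dataclasses import dataclass

# Constructed SBOM using a subset of CycloneDX JSON fields.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-logger", "version": "2.14.1",
         "purl": "pkg:maven/org.example/example-logger@2.14.1"},
        {"type": "library", "name": "example-http", "version": "4.5.13",
         "purl": "pkg:maven/org.example/example-http@4.5.13"},
        {"type": "library", "name": "example-json", "version": "1.0.0",
         "purl": "pkg:pypi/example-json@1.0.0"},
    ],
})

# Constructed advisory list (hypothetical identifiers). Each entry names a
# component and the half-open version range [introduced, fixed) it affects.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-logger",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-http",
     "introduced": "4.0.0", "fixed": "4.5.13"},
    {"id": "ADV-EXAMPLE-0003", "name": "example-json",
     "introduced": "0.9.0", "fixed": "1.0.1"},
]


def parse_version(version):
    """Turn a dotted numeric version string into a comparable tuple.

    Only numeric segments are supported here. A production tool needs a
    scheme-aware comparison (PEP 440, semver, Maven), because mismatched
    version schemes are a common source of false positives and negatives
    in SBOM-based vulnerability matching.
    """
    return tuple(int(part) for part in version.split("."))


def affected(version, introduced, fixed):
    """Return True if introduced <= version < fixed (fixed version is safe)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


@dataclass(frozen=True)
class Finding:
    advisory: str
    name: str
    version: str
    purl: str


def match_sbom(sbom_json, advisories):
    """Return one Finding per (component, advisory) pair whose range matches."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["name"] and affected(
                comp["version"], adv["introduced"], adv["fixed"]
            ):
                findings.append(
                    Finding(adv["id"], comp["name"], comp["version"], comp.get("purl", ""))
                )
    return findings


if __name__ == "__main__":
    for f in match_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f.advisory}: {f.name} {f.version} ({f.purl})")
```

Run as a script, it reports the two constructed components whose versions fall inside an affected range; `example-http` at 4.5.13 is not reported because the range's upper bound is the fixed version. Keying on the component name alone, as done here, is the weak point of this approach: real matching should use the `purl` (package type, namespace, name, version) so that same-named packages from different ecosystems are not confused.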
Implications, Open Issues, and Considerations for Submission of Comments
- FCA Risks: FAR 52.239-AA requires contractors to expressly certify compliance with FAR 52.239-ZZ and subcontract flow down requirements. FAR 52.239-AA is not cabined to specific contracts. It requires offerors at the proposal stage for new contracts to certify historical compliance with FAR 52.239-ZZ. Thus, the government could bring enforcement actions for noncompliance under prior contracts and also argue under a fraud-in-the-inducement theory that, but for an inaccurate certification of historical compliance, the government would not have awarded the offeror future contracts.
- Additional Reporting Requirements: Contractors may have multiple reporting obligations because FAR 52.239-ZZ would not replace other incident reporting requirements, such as those in DFARS 252.204-7012. Nor would the FAR requirements replace or supersede security incident requirements under state breach notification laws, which vary in scope and content. The FAR Council asked contractors to comment on the potentially differing obligations under state law and this proposed rule.
- Access to Information: As discussed above, the proposed rule would require contractors to share information with the government and, upon request, provide certain government agencies with extensive access to systems and personnel. The proposed rule provides few details on how this requirement would be effected, including how the government would safeguard shared information. The FAR Council has requested comments on these issues.
- Monitoring: FAR 52.239-ZZ does not impose any specific security controls, though it requires contractors to meet cyber threat indicator sharing requirements. However, because the eight-hour reporting clock starts at discovery that an incident may have occurred, contractors will presumably need to implement monitoring policies and controls that can detect security incidents, together with an escalation path that can produce a CISA report within that window.
- Employee Devices: Employees regularly use personal devices, including through bring-your-own-device policies, to perform contract-related work, and this has only increased in the era of remote work. The proposed rule would arguably extend security incident reporting requirements to employee devices and information systems used in the performance of a government contract. That would pose a variety of challenges, including monitoring and collecting data from employee devices. It could also set the stage for a conflict between the security incident reporting requirements and state and local privacy laws, raising Supremacy Clause concerns.
- Contracts Performed Overseas: Contractors performing overseas must often comply with foreign privacy and data security laws, such as the European Union’s General Data Protection Regulation (GDPR) and the similar United Kingdom GDPR. The FAR Council has requested input on how those laws, which have specific breach notification requirements, might affect compliance with FAR 52.239-ZZ.
- Flow-Downs: FAR 52.239-ZZ must be incorporated “in all subcontracts where ICT is used or provided in the performance of a subcontract, including subcontracts for the acquisition of commercial products or services.” FAR 52.239-ZZ(f). Subcontractors must report incidents to the prime contractor and any higher-tier subcontractor within eight hours of discovery. The prime contractor will presumably then have eight hours of its own to report the incident to CISA; the proposed rule does not state how the two clocks interact.
Comments on the proposed rule might address some or all of the issues noted above, among other questions the FAR Council posed in the proposed rule.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.