Enhanced Cybersecurity Monitoring and Reporting Obligations for Federal Contractors
The Obama administration recently released proposed guidance that will require government contractors and subcontractors that handle sensitive government data to meet standardized security requirements, to allow agency access to their information systems, and to report cyber incidents to federal authorities.[1] The guidance imposes these enhanced obligations to monitor, report, and cooperate with the federal government regarding cyber incidents that may adversely affect an information system operated on the government's behalf and that affect Controlled Unclassified Information (CUI) on a contractor's internal system.
These guidelines are part of the government's broader effort to secure government networks in response to high-profile cyberattacks on government agencies and contractors. "The increase in threats facing federal information systems demand that certain issues regarding security of information on these systems is clearly, effectively and consistently addressed in federal contracts," Tony Scott, the administrator for the Office of E-Government and Information Technology within the Office of Management and Budget (OMB), said in the corresponding notice published in the Federal Register.[2] Arnold & Porter LLP has recently published other advisories that address congressional legislation on cybersecurity information sharing and the potential privacy implications[3] and proposed regulations for unified treatment of CUI.[4] There are also pending proposed regulations to amend the Federal Acquisition Regulation (FAR) to add a contract clause for the basic safeguarding of contractor information systems that contain or generate government information.[5]
As part of the federal government's continuing effort to improve its cybersecurity, the Department of Defense (DoD) also published cybersecurity regulations for contractors that access unclassified controlled technical information (UCTI) in 2013.[6] DoD's final rule reduced the scope of cybersecurity reporting and safeguarding requirements as compared to its interim rule by limiting the information covered to only UCTI. The final rule created rigorous security requirements for contractors with access to UCTI, but DoD declined to impose basic, general contractor cybersecurity requirements. OMB's guidance could be considered an extension of DoD's initial effort to implement general cybersecurity requirements on all contractors with access to sensitive government information.
OMB has requested public comment on its proposed guidance by September 10, 2015.[7] The Federal Acquisition Regulatory Council also intends to amend the FAR to provide for inclusion of contract clauses that address this guidance in federal procurement solicitations and contracts.
Monitoring and Assessing Contractors' Information Systems Security
The National Institute of Standards and Technology (NIST) currently requires federal contractors to ensure that certain security and privacy safeguards are in place prior to operating information systems or providing a service that accesses information on behalf of federal agencies. NIST also recently published procedures for protecting CUI in non-federal information systems and organizations. The guidance directs agencies to adapt these standards to their risk management.
The guidance encourages agencies to consider the following when developing requirements to assess information systems that a contractor operates on behalf of federal agencies:
- Assessing the impact level of the data that is to reside in the contractor's information system to determine what types of controls should be applied and whether to obtain an independent security assessment. The assessment of privacy controls must be performed by the senior agency official for privacy (SAOP); and
- Ensuring agency access for security reviews on a periodic and event-driven basis for the life of the contract.[8]
The guidance also recommends that agencies take the following actions that appear to apply to all contractors with access to sensitive government information:
- Identify in the contract solicitation how the agency expects the contractor to demonstrate in its proposal that it meets NIST requirements to protect sensitive government information, including the security assessment for contractor internal systems. Depending upon the impact level of the information at risk, a contractor may provide simple attestation of compliance or detailed description of the system's security architecture, controls, and provision of supporting test data;
- Specify that the contractor will afford the agency access to its facilities, operations, databases, IT systems, devices, and personnel used in performance of the contract to the extent required to conduct an inspection, evaluation, investigation, or audit and to preserve evidence of information security incidents; and
- Obtain contractor certification of the sanitization of government information prior to contract closeout.[9]
The guidance recommends that contractors use Information Security Continuous Monitoring (ISCM), an initiative identified in NIST and OMB publications, to monitor information security, vulnerabilities, and threats. The Department of Homeland Security (DHS) has created the Continuous Diagnostics and Mitigation (CDM) program to assist agencies in establishing ISCM capabilities quickly to ensure contractors provide required information security information.
Cyber Incident Reporting
Under the proposed guidance, federal contracts will require contractors to report all known or suspected cyber incidents involving the loss of confidentiality, integrity, or availability of data for systems operated on the government's behalf to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC), as well as the Contracting Officer and other contracting authorities, within the timeline agreed upon in the contract. Contractors also must report all known cyber incidents in contractor internal systems if they involve CUI, but for those internal systems they need not report merely suspected incidents. This is the only distinction between reporting cyber incidents affecting information systems operated on the government's behalf and those affecting contractor internal systems.[10]
The guidance defines a "cyber incident" as an action taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Agencies will be required, at a minimum, to include the following language regarding cyber incident reporting in federal contracts:
- Language to indicate that a cyber incident that is properly reported by the contractor will not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for CUI;
- The definition of what constitutes a cyber incident;
- The required timeline for first reporting to the agency;
- The types of information required in a cyber incident report, including company and point-of-contact information, contract information, and the type of information compromised;
- The contractor shall send only one report to each agency point of contact identified in the contracts, not a report for each contract from that agency. The report may contain information required by other agencies, so one report may satisfy the requirements of multiple agencies; and
- Specific government remedies if a contractor fails to report according to the agreed-upon contractual language.[11]
The guidance intends for the reporting to promote timely and meaningful information sharing to allow the contractor and the agency to work closely to investigate the incident, identify affected individuals, respond quickly to the incident and take other appropriate actions.
Business Due Diligence
The guidance recommends that agencies increase their business due diligence to gain a better understanding of how contractors manage their products and services and assure operational security. The guidance proposes steps that agencies should take to perform better business due diligence to support risk management throughout the entire lifespan of an outsourced capability.
The guidance requires the General Services Administration (GSA) to create a business due diligence information shared service, which will provide agencies with access to risk information that encompasses data collected from voluntary contractor reporting, public records, and publicly available and commercial subscription data, based on transparent, objective, and measurable risk indicators. Agencies should use these research tools to engage in due diligence throughout the acquisition, sustainment, and disposal lifecycles of planned acquisitions and contracts. These efforts will be complementary to existing government supply chain risk management activities that agencies conduct.[12]
The guidance also requires, within 90 days of publishing the finalized guidance, that an interagency cybersecurity group work with GSA to identify and make recommendations on risk indicators that should be used as a baseline for business due diligence research and other core requirements for the shared service.
OMB's proposed guidance will have a broad impact on all federal contractors with access to sensitive government information. It aims to create uniform standards for data security for federal contracts and to enhance information sharing between federal contractors and the government. The guidance will require contractors to implement policies and procedures to monitor their information systems security in compliance with federal requirements, to provide timely and substantial reports of actual and potential security incidents to the government, and to allow federal agencies access to contractors' information systems operated on the government's behalf as well as to contractors' internal information systems.
Contractors should consider commenting on the proposed guidance by September 10, 2015, and prepare to implement these additional cybersecurity obligations. OMB expects that the final guidance will be released in Fall 2015. Contractors should also stay tuned for the FAR Council's implementation of contracting clauses in support of OMB's guidance.
OMB's proposed guidance is part of a multifaceted government effort to enhance cybersecurity by promoting information sharing of contractors' information systems management and security operations. Contractors should be alert to evolving government initiatives that impose new contracting cybersecurity requirements.
*Emma K. Dinan contributed to this article. She is a Columbia Law School graduate employed at Arnold & Porter LLP. Ms. Dinan is not admitted to the bar.
[1] Improving Cybersecurity Protections in Federal Acquisitions, available here.
[2] Request for Comments on Improving Cybersecurity Protections in Federal Acquisitions, 80 Fed. Reg. 45555 (July 30, 2015), available here.
[3] Differences in House and Senate Approaches to Cybersecurity Information Sharing Have Potential Privacy Implications, Arnold & Porter LLP (July 2015), available here.
[4] Proposed Rule Sets Agenda for Unified Treatment of Controlled Unclassified Information, Arnold & Porter LLP (June 2015), available here.
[5] Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems, 77 Fed. Reg. 51496 (Aug. 2012), available here.
[6] New DoD Requirements for Defense Contractor Cyber Incident Reporting, Safeguarding Technical Information, and Supply Chain Risk, Arnold & Porter LLP (Dec. 2013), available here.
[7] Public comment may be submitted here.