Although it was already apparent, recent events have made it even clearer that cybersecurity is an essential concern for government contractors. The coming year is poised to include many cybersecurity-related changes and developments. Below we highlight just a few:
Continued Rollout of Department of Defense’s CMMC Program
The Department of Defense (DoD) interim rule for its Cybersecurity Maturity Model Certification (CMMC) Program went into effect November 30, 2020. Although full CMMC implementation will not be achieved until 2025, a number of steps must be taken by contractors in the coming year. First, registration and reporting of assessment scores in accordance with the DoD Assessment Methodology (based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171) in the Supplier Performance Risk System (SPRS) are now required of all DoD contractors and subcontractors that handle controlled unclassified information (CUI). (More on these CMMC and SPRS requirements is available here.) Second, the first “pathfinder” contracts requiring CMMC review have been announced by DoD. Contractors and subcontractors seeking to obtain these contracts, expected to be awarded in late 2021, will need CMMC certification by the date of award in order to participate. More contract opportunities that require CMMC certification will be forthcoming this calendar year, meaning the race is on for contractors to come into compliance and line up for assessment, lest they be excluded from DoD contracting altogether.
We expect other federal agencies to closely watch the CMMC rollout, and perhaps themselves adopt the same or a similar third-party cybersecurity authorization requirement for contractors in the coming year.
Post-SolarWinds Fallout
The hacking of SolarWinds’ Orion product and the subsequent havoc wreaked upon government agencies and private industry alike are sure to shape cybersecurity policy for years to come. The government has now definitively attributed the hack to the Russian government. In the coming year we expect even more rigorous scrutiny of supply chain considerations, and closer examination of software and cloud-based offerings sold to the government. Federal Risk and Authorization Management Program (FedRAMP) authorization is likely to become more challenging, and other cybersecurity standards for contractors may become more demanding. Supply chain-related certifications with respect to information technology use also may be implemented, following the pattern of the telecommunications equipment restrictions of the Fiscal Year (FY) 2019 National Defense Authorization Act (NDAA) Section 889.
In what is perhaps a preview of things to come, the recent pandemic stimulus package enacted by Congress as a Consolidated Appropriations Act includes a provision that requires government agencies to conduct “an assessment of any risk of cyber-espionage or sabotage” associated with the acquisition of any high-impact or moderate-impact information system, “including any risk associated with such system being produced, manufactured, or assembled by one or more entities identified by the United States Government as posing a cyber threat, including but not limited to, those that may be owned, directed, or subsidized by the People’s Republic of China, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, or the Russian Federation.”
Legislative Changes Impacting Cybersecurity for Government Contractors
The FY 2021 NDAA contains a number of provisions related to cybersecurity designed to improve U.S. cybersecurity defenses and to protect U.S. systems and critical infrastructure from malicious actors, both state-sponsored and not. Most prominently, more than two dozen of the recommendations of the Cyberspace Solarium Commission were adopted. These include the establishment of a National Cyber Director housed in the Executive Office of the President and of an Integrated Cybersecurity Center to coordinate federal cybersecurity centers within the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, and the adoption of a biennial national cyber exercise that will involve federal, state, private sector and international stakeholders. Other provisions recognize the need for greater coordination and cooperation between government and industry pertaining to cyber threats. See here for a comprehensive list of the 27 FY 2021 NDAA provisions pertaining to cybersecurity.
In December 2020, the Internet of Things (IoT) Cybersecurity Improvement Act was also signed into law. This statute provides incentives to manufacturers to address cybersecurity gaps and directs NIST to develop standards and guidelines for federal government use of IoT devices. Ultimately, subject to limited exceptions, federal agencies will not be able to procure IoT devices that do not meet the applicable NIST standards and guidelines. On December 15, NIST issued four draft guidance documents, including three interagency reports (NIST Interagency Reports 8259B, 8259C, and 8259D) and Draft SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government, as part of the process of establishing IoT device cybersecurity requirements. The public comment period for the draft publication extends through February 12, 2021.
Just last week, the House passed H.R. 21, the FedRAMP Authorization Act of 2021, which codifies the FedRAMP program and instructs the General Services Administration to make modifications to the risk-based approach to certifying cloud computing products and services for use by the federal government. The bill has yet to be considered by the Senate.
Additional cybersecurity-related legislation is certain to be on the horizon this year.
Possible (and Welcome) Changes to the Program for Marking and Securing CUI
In 2010, President Obama issued Executive Order No. 13556, Controlled Unclassified Information, directing the Executive Branch to establish a uniform program for safeguarding non-classified government information, or CUI, in order to replace the ad hoc patchwork approach then used by federal agencies in the absence of any uniform policies and procedures. The executive order called for the National Archives and Records Administration (NARA) to spearhead the effort in concert with all executive agencies. It took NARA six years to issue its comprehensive CUI program guidance, which ultimately identified over 100 categories and subcategories of CUI, each with specific marking and handling requirements. However, since NARA’s guidance was issued in 2016, relatively little progress has been made on actually implementing the uniform CUI program, especially with respect to federal contractors. While NARA issued program guidance in 2016, agencies were not required to implement the NARA program until the end of 2020.
While some agencies, including the DoD and the Department of Homeland Security in particular, have issued CUI guidance and/or have imposed formal CUI-related cybersecurity requirements on contractors, many other agencies have simply failed to implement a comprehensive CUI program. Also, no Federal Acquisition Regulation (FAR) clause has been issued to uniformly apply CUI requirements to contractors.
In December 2020 – just days before the NARA implementation deadline – the Director of National Intelligence (DNI) formally requested that the President rescind Executive Order No. 13556. Notably, the DNI did not request an extension or exemption for intelligence agencies, but instead requested that the entire CUI program be scrapped. In his request, the DNI slammed the program as “exponentially more complex” than prior procedures and “vastly overcomplicated,” and argued that implementation within just the intelligence community will cost “over a billion dollars.” The DNI suggested that many other agencies may be in agreement with the intelligence community, noting that several agencies also objected to the 2020 deadline as infeasible.
We do not yet know how President Biden and other agencies may respond to the DNI’s request. It does seem apparent that something should be done about the CUI program as, in its current form, the CUI rules simply sow confusion and create excessive administrative burdens for agencies and contractors alike.
Potential Sanctions for Ransomware Payments
As cyber criminals’ use of ransomware escalates, victims must now not only grapple with the threat of potential release or deletion of their data, but also with the possibility of U.S. government sanctions if payment is made to sanctioned individuals or organizations. In October 2020, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory that paying ransoms to cyber criminals could violate U.S. law. OFAC now includes as part of its sanctions lists a growing number of cyber-criminal organizations with which U.S. companies and individuals cannot do business. These entities are primarily affiliated with North Korea, Iran, and Russia. Individuals and entities found to have breached the sanctions restrictions can face punishment of up to $20 million in fines. It is possible to obtain a license to permit a ransom payment, but OFAC has made clear these will not be issued with regularity: “Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States. For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial.”