Cybersecurity was a major issue for government contractors last year, and it remains a hot-button topic for 2018. Below we outline the most prominent considerations for the new year:
1. DFAR compliance
The hottest cyber topic last year remains front and center. As of January 1, 2018, all Department of Defense (DoD) contractors that store, process, or transmit covered defense information (CDI) are subject to DFAR 252.204-7012. The DFAR clause requires that contractors have implemented the NIST special publication 800-171 standards. DoD has confirmed that this implementation means, at the very least, that the contractor has performed an assessment of its current security protocols versus the NIST 800-171 standards, has documented that analysis in a system security plan (SSP), and has a plan of actions and milestones (POAM) to address any gaps.
Prime contractors must also flow down the DFAR cybersecurity requirements to subcontractors, and may need to take additional steps to verify subcontractor compliance. See “So You’re Finally Compliant with the DFAR and NIST Requirements, But Are Your Subcontractors?”
Contractors and subcontractors that are not in compliance face potentially serious consequences, both in terms of getting new awards and continuing performance of current contracts.
2. Cybersecurity as an evaluation criterion
NIST SP 800-171 Rev. 1 notes that agencies may request SSPs and POAMs from contractors. Moreover, these SSPs and POAMs, and/or a company’s cybersecurity protections generally, may be considered by procuring agencies in evaluating proposals for contracts that require the processing, storing, or transmission of CDI or, for non-DoD agencies, controlled unclassified information (CUI).
In the recent decision Syneren Tech. Corp., B-41508, B-415058.2, Nov. 16, 2017, the Government Accountability Office (GAO) upheld the Navy’s determination that an offer was technically unacceptable because it failed to meet various DoD and Navy cybersecurity requirements referenced in the RFP. In the coming year, we expect to see more agencies explicitly incorporating cybersecurity requirements into solicitations, as both minimum requirements and evaluation criteria. Offerors that fail to demonstrate full compliance may be disqualified as technically unacceptable or be downgraded for evaluation purposes.
Effective cybersecurity compliance can also work to a contractor’s benefit. For example, in IP Keys Tech., B-414890, B-414890.2, October 4, 2017, the GAO found that the agency reasonably assigned the awardee’s proposal a strength for exceeding the minimum cybersecurity criteria.
3. Expansion of federal contractor cybersecurity obligations beyond DoD
At present, the Federal Acquisition Regulation (FAR) includes a basic safeguarding clause, FAR 52.204-21, which incorporates only 15 of the NIST 800-171 requirements. Several agencies include contract-specific cyber clauses in select contracts, but none has a universal clause akin to the DFAR cybersecurity clause. This is about to change.
First, the National Archives and Records Administration (NARA) rule on CUI requires agencies to include NIST 800-171 protections in contracts involving CUI. The NARA rule is to be implemented through a new FAR case charged with developing a clause to extend the NIST cybersecurity requirements to contractors.
In the interim, individual agencies are taking their own steps to strengthen cybersecurity protections. Just last week, for example, GSA announced that it is developing proposed GSA FAR supplement (GSAR) clauses that will impose NIST-based controls on contractors with access to unclassified GSA information, as well as cyber incident reporting requirements akin to the DFAR network penetration requirements. See 83 FR 9, January 12, 2018. The Department of Homeland Security has also proposed cybersecurity regulations for DHS contractors. See 82 FR 6429, January 19, 2017. These go beyond the DFAR rule to require third-party system security authentication in certain instances.
4. Cybersecurity audits
DoD has indicated that it expects future Defense Contract Management Agency (DCMA) business system audits to include the following:
- Verification that the contractor has an SSP;
- Verification that, prior to October 2017, the contractor submitted to the DoD Chief Information Officer (CIO), within 30 days of any contract award, a list/notification of the security requirements that the contractor had not yet implemented; and
- If needed, verification of any necessary External Certificate Authority (ECA) or public key infrastructure (PKI) certificate.
If DCMA detects any cybersecurity concerns, they are to be escalated to the relevant DoD program offices and the DoD CIO.
5. State and local cybersecurity requirements
Like the federal government, states and localities are increasingly imposing cybersecurity requirements on their contractors. The New York Department of Financial Services, for example, developed a cybersecurity regulation (available at 23 NYCRR Part 500) that garnered widespread attention. The regulation, which was the first state effort to regulate cybersecurity of financial services firms, went into effect in March 2017. Numerous other states have enacted cybersecurity breach notification laws.