In what can best be described as a tsunami of cybersecurity regulation, the Federal Acquisition Regulation (FAR) Council—consisting of the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA)—issued two proposed rules on October 2, 2023. If implemented, the proposed rules would drastically alter existing cybersecurity and incident reporting obligations for Government Contractors. Even if these proposed rules are not fully implemented in their current form (as is likely), they are a harbinger of cybersecurity regulation to come. While the contours of the final rule remain uncertain, it is clear that gone are the days of agency-siloed cybersecurity requirements. Government-wide cybersecurity regulation has arrived.
As drafted, the proposed rules will apply to all contractors that use information technology in the performance of a contract, including those that sell commercial and commercial off-the-shelf (COTS) products, and will flow down to subcontractors as well. Any company whose products or services are sold to any agency of the federal Government should understand the proposed rules, how they might impact the company’s operations, what compliance obligations they impose, and the potentially serious ramifications of non-compliance.
Below, we discuss each of the FAR Council’s proposed rules in detail. The following proposals are particularly noteworthy:
· Agencies will be required to conduct FIPS Publication 199 assessments for government and contractor information technology (IT) systems and to impose appropriate standard security controls via contract, many of which go beyond existing requirements.
· At least annually, contractors are to conduct (or to have conducted by a third party) on their IT systems: (1) a cyber threat hunting and vulnerability assessment to search for vulnerabilities, risks, and indicators of compromise; and (2) an independent (i.e., not conducted by the contractor) assessment of the security of each system.
· The proposed rules provide for potential contractor indemnification of the Government in the event of certain security failures.
· Contractors must provide software bills of materials (SBOMs) for all software sold to the Government.
· Multiple Government agencies may be granted direct and expanded access to contractor IT systems.
· Contractors will have eight hours to report cyber incidents to the Government and then must provide updates every 72 hours thereafter.
· Contractors must certify annually in SAM and with individual proposals as to compliance with the new cybersecurity obligations.
Also significant are the Government’s affirmative statements in both rules that compliance with these cybersecurity and incident reporting requirements is “material to eligibility and payment under Government contracts.” This language is purposeful and designed to make clear that violation of either proposed rule could lead to False Claims Act liability. It also is notable that, under both proposed rules, the FAR Council solicits specific inputs from industry. The multiple requests for comments suggest there remains room to shape the final version of these rules. Government Contractors are advised to take this opportunity to weigh in on the potential business and economic impact of the proposed obligations. Comments on both proposed rules are due on December 4, 2023.
Proposed Standardizing Cybersecurity Requirements Rule
The first proposed rule is “Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems.” 88 FR 68402 (FAR Case No. 2021-019). If implemented, the proposed rule would revise the FAR to standardize contractual cybersecurity requirements across federal agencies. The requirements will apply to all “Federal information systems” (FIS), which, as defined by the proposed rule, include both agency and contractor information systems. As detailed below, the proposed rule reflects a potential sea change in the requirements federal agencies impose on contractors and the way they manage cybersecurity under their Government contracts.
The proposed rule is intended to implement the portion of Executive Order (E.O.) 14028, “Improving the Nation’s Cybersecurity” (May 12, 2021), that directs the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), and in consultation with DoD, the National Security Agency (NSA), and other federal agencies, to review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract, and to recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements. The proposed rule also implements Section 7 of the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 (Pub. L. 117-207), which prohibits agencies from purchasing IoT devices that do not comply with established standards, unless a waiver is granted by the agency.
Consistent with these authorities, the proposed rule outlines cybersecurity policies, procedures, and requirements for contractors that develop, implement, operate, or maintain a FIS, which is defined as “an information system used or operated by an agency, by a contractor of an agency, or by another organization, on behalf of an agency.” “On behalf of an agency” in this context means that “a contractor uses or operates an information system or maintains or collects information for the purpose of processing, storing, or transmitting Government data, and those activities are not incidental to providing a service or product to the Government.” Government data means “any information, (including metadata), document, media, or machine-readable material regardless of physical form or characteristics that is created or obtained by the Government, or a contractor on behalf of the Government, in the course of official Government business.” The proposed rule notes that FIS include cloud-based, on-premises, and hybrid systems that are both “systems that process data (e.g., information technology (IT)) and those that run the vital machinery that ensures its safety (e.g., operational technology (OT)).” Importantly, the proposed rule states that agencies “are responsible for determining what information systems are FIS,” so contractors should have full transparency into the applicability of the proposed rule to their systems at the time of contracting.
Although not every contractor will operate a FIS, the proposed rule would apply to all acquisitions regardless of dollar value, including procurements for commercial products (including COTS) and commercial services. Contractors also must include the requirements in any subcontracts issued under the contract that are for services to develop, implement, operate, or maintain a FIS using cloud or non-cloud computing services.
The proposed rule notes current inconsistencies among agencies with respect to the cybersecurity standards to be applied to FIS and states that, “upon issuance of a final rule, agencies shall update their agency specific requirements to remove any requirements that are duplicative of such FAR updates.” This is a bit of good news for contractors currently facing disparate and conflicting requirements.
The proposed rule provides separate policies, procedures, and requirements for cloud-based and non-cloud-based FIS. These requirements will be added to the FAR as a new FAR subpart 39.X, “Federal Information Systems,” and as two new FAR clauses: FAR clause 52.239–YY, “Federal Information Systems Using Non-Cloud Computing Services,” and FAR clause 52.239–XX, “Federal Information Systems Using Cloud Computing Services.”
Requirements for Non-Cloud-Based FIS
For non-cloud-based FIS, the proposed rule addresses 14 focus areas. Some of the key proposed requirements, and our thoughts about the potential impact of those requirements, include:
1. Federal Information Processing Standard (FIPS) Publication 199 Impact Level and Mandatory Security and Privacy Controls: The proposed rule would require agencies to use FIPS Publication 199 to categorize each FIS based on an impact analysis of the information processed, stored, or transmitted by the system. Based on the agency’s impact-level determination, the agency must select the appropriate security and privacy controls for the FIS and specify them in the contract. The applicable security and privacy controls would be derived from the current versions of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems; NIST Special Publication (SP) 800-53B, Control Baselines for Information Systems and Organizations; and existing agency requirements. The selected security and privacy controls must account for the following factors, when applicable, in every contract: multifactor authentication, administrative accounts, consent banners, IoT device controls, and annual assessment requirements. Accounts must employ multifactor authentication that meets or exceeds current NIST SP 800-63B guidelines, and any administrative access must be through a multifactor cryptographic device authenticator. In addition, administrative accounts must be unique to agency systems, and consent and login banners must be deployed on all systems and networks, consistent with CISA guidelines. The proposed rule would effectively require agencies to assess and evaluate each FIS under FIPS Publication 199 and tailor security and privacy controls accordingly. This could be a time-consuming exercise that would hold up the acquisition process. It also is not clear that federal agencies have acquisition personnel qualified to make these determinations. The administrative requirements may exceed contractors’ current standard practices and procedures and could present operational challenges, in addition to introducing additional compliance costs.
Finally, it appears the only way for contractors to challenge any FIPS level determination or reasonableness of imposed security requirements would be through a pre-award protest.
2. Records Management and Government Access: The proposed rule would require contractors to provide Government agencies, including CISA, with timely and full access to Government data and Government-related data; with timely access to contractor personnel involved in performance of the contract; and, for purposes of audits, investigations, and inspections, “with physical access to any contractor facility with Government data including any associated metadata.” Although Government agencies typically have audit rights under Government contracts, the proposed rule would significantly expand the reach of such rights by requiring contractors to provide access not only to the relevant contracting agency, but also to other Government agencies.
3. Assessments: For FIS assessed at a moderate- or high-impact level under FIPS Publication 199, the proposed rule would require contractors (and their designated third-party assessor) to conduct, at least annually: (1) a cyber threat hunting and vulnerability assessment to search for vulnerabilities, risks, and indicators of compromise; and (2) an independent (not conducted by the contractor) assessment of the security of each FIS. The contractor must disclose any business relationships with the independent third party conducting the independent assessment. The proposed rule also would require contractors to share the results of such assessments, including any recommended improvements or risk mitigations, with the contracting officer, who may then require the contractor to implement the recommended improvements or mitigations. This potential compliance obligation contains aspects of the System Security Plan (SSP)/Plan of Actions and Milestones (POAM) construct familiar to contractors under DFARS 252.204-7012, with the added element of contracting agency involvement in SSP evaluation and POAM implementation. Moreover, the threat hunting and vulnerability assessments are similar to the requirements to which cloud services providers with FedRAMP authorizations are currently subject. These assessments could lead to costly remediation efforts and create significant room for noncompliance (and False Claims Act liability) if vulnerabilities are identified but not addressed.
4. Specification of Additional Security and Privacy Controls: The proposed rule would require agencies to identify all security and privacy controls necessary for contract performance. Additional applicable security and privacy controls would be derived from the current versions of the following NIST SPs in existence at the time of award: (1) NIST SP 800–53, “Security and Privacy Controls for Information Systems and Organizations”; (2) NIST SP 800–213, “IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements”; (3) NIST SP 800–161, “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”; and (4) NIST SP 800–82, “Guide to Industrial Control Systems Security.” The proposed rule would also require contractors to: (1) develop, review, and update, if appropriate, an SSP to support authorization of all applicable controls on each FIS; and (2) have contingency plans for all information technology systems aligned to NIST SP 800–34, “Contingency Planning Guide for Federal Information Systems.” Although this requirement will provide transparency for contractors as to which NIST requirements are relevant for contract performance, it will also potentially assist prosecutors and relators in False Claims Act actions, as noncompliance with NIST controls expressly identified as “necessary for contract performance” could be a basis for a False Claims Act violation. It remains to be seen whether the final rule will require full compliance or will instead permit SSPs and POAMs to address gaps, as under the current DFARS 252.204-7012 clause. Finally, it is noteworthy that the cybersecurity standard under the DFARS clause for non-cloud systems, NIST SP 800-171, is not mentioned in the above list. The related NIST SP 800-53 standard imposes additional security requirements.
5. Additional Considerations: The proposed rule would require contractors to apply NIST guidance when performing or managing certain FIS activities, particularly those that involve risk assessment or risk management; the design of zero trust architecture; systems engineering; use of cyber resiliency constructs for new systems, system upgrades, or repurposed systems; implementation of continuous monitoring strategies for FISs; or implementation of digital identity services and requirements. The proposed rule would also require contractors to provide the Government with a copy of their continuous monitoring strategy for the FIS. This requirement would align the continuous monitoring requirements for non-cloud-based FIS with those that currently exist for FedRAMP-authorized cloud services.
6. Cyber Supply Chain Risk Management: The proposed rule would allow contractors the flexibility to implement alternative, additional, or compensating cyber supply chain risk management security controls from those stated in the contract “when authorized in writing to do so by the contracting officer.” This requirement could effectively subject contractors’ existing supply chain risk management policies to contracting officer approval. It also could create a scenario where a contractor is forced to adjust its supply chain risk management policy on a customer-by-customer basis to satisfy different contracting officers’ requirements.
In addition to the above, non-cloud FIS contractors also must:
· Develop, maintain, and supply to the Government a list of the physical location of all operational technology equipment within the boundary of the non-cloud FIS;
· Abide by the incident reporting, incident response, and threat reporting requirements of the separate proposed rule (discussed below);
· Comply with Binding Operational Directives (BODs) and Emergency Directives (“EDs”) issued by CISA that have specific applicability to a FIS used or operated by the contractor; and
· Agree to indemnify the Government (on a strict liability basis) for any liability arising out of the performance of the contract that “is incurred because of the contractor’s introduction of certain information or matter into Government data or the contractor’s unauthorized disclosure of certain information or material.”
Requirements for Cloud-Based FIS
With respect to cloud-based FIS, the proposed rule provides that the agency will identify the FIPS Publication 199 impact level and the corresponding FedRAMP authorization level. Key additional requirements include:
1. Safeguards, Controls, and Maintenance of Certain Systems within the United States: The proposed rule would require contractors to implement and maintain the security and privacy safeguards and controls in accordance with the FedRAMP level specified by the agency, engage in continuous monitoring activities, and provide continuous monitoring deliverables as required for FedRAMP-approved capabilities. Moreover, the proposed rule would require contractors, for FIPS Publication 199 high-impact FIS, to maintain Government data within the United States unless the data is located on U.S. Government premises or as otherwise specified in the contract. In addition to generally requiring compliance with existing FedRAMP requirements, this requirement would compel contractors to use cloud infrastructure that is physically located in the United States when they are operating a FIPS Publication 199 high-impact FIS.
2. Other protections: A number of the requirements for non-cloud FIS also apply to cloud-based FIS, including:
· Multifactor authentication, administrative accounts, and consent banners consistent with non-cloud requirements;
· Security incident and cyber threat reporting in accordance with proposed FAR clause 52.239-ZZ (discussed below);
· Permitting various Government agencies access to Government data, Government-related data, and contractor personnel; and
· Agreeing to indemnify the Government for liability arising out of contract performance “because of the contractor’s introduction of certain information or matter into Government data or the contractor’s unauthorized disclosure of certain information or material.”
Cyber Threat and Incident Reporting and Information Sharing Rule
The second proposed rule, with the title above, is at 88 FR 68055 (FAR Case No. 2021-017). If implemented, the proposed rule would revise the FAR to impose upon contractors the obligation to report cyber threats and incidents to the Government and to provide the Government with investigatory and enforcement mechanisms to hold accountable contractors found to have put U.S. information or information systems at risk. The proposed rule includes new certification requirements under which contractors will certify to compliance with incident reporting requirements.
The proposed rule implements OMB, CISA, and Department of Homeland Security recommendations related to E.O. 14028, Improving the Nation’s Cybersecurity, as well as portions of the White House’s National Cyber Strategy. It also implements OMB Memorandum M–21–07, Completing the Transition to Internet Protocol Version 6 (IPv6), dated November 19, 2020.
In discussing the rationale for the proposed rule, the FAR Council specifically calls out the SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents and notes that they “share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.”
The proposed rule makes clear the intention to call to account contractors that do not provide adequate security or do not report cyber incidents and threats.
The proposed rule includes several new definitions, including one for “information and communications technology” (ICT), formerly called “information and communication technology,” to which it adds new examples, including electronic media and IoT devices. Other new definitions, such as those for operational technology and IoT devices, mirror those in the other FAR proposed rule.
Most importantly, the proposed rule seeks to add a new proposed FAR clause to all contracts, FAR 52.239–ZZ, Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology, and a new FAR clause to all solicitations, FAR 52.239–AA, Security Incident Reporting Representation. Each of these is discussed in turn below:
FAR 52.239–ZZ, Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology
This wide-ranging clause covers: new incident reporting requirements, contractor obligations to support incident response, and cyber threat indicator and defensive measures reporting. It also implements the aforementioned IPv6 requirements and imposes a requirement that contractors develop and maintain an SBOM for any software used in the performance of the contract.
1. SBOMs. Under the proposed rule, all contractors are required to have an SBOM for software used in the performance of a contract and to provide the SBOM to the Government. The FAR Council asks for input on several questions regarding the anticipated impact of this SBOM requirement, including:
· How should SBOMs be collected from contractors? What specific protections are necessary for the information contained within an SBOM?
· How should the Government think about the appropriate scope of the requirement on contractors to provide SBOMs to ensure appropriate security?
· What challenges will contractors face in the development of SBOMs? What challenges are unique to software resellers? What challenges exist regarding legacy software?
· What are the appropriate means of evaluating when an SBOM must be updated based on changes in a new build or major release?
· What is the appropriate balance between the Government and the contractor when monitoring SBOMs for embedded software vulnerabilities as they are discovered?
Although some agencies have begun requesting SBOMs from contractors, this new rule will standardize the requirement.
2. Expanded Access to Contractor Information and Information Systems. Two aspects of the proposed clause could expand access to contractor information systems. First, the proposed rule would provide a mechanism for CISA to initiate threat hunting and incident response activities. The purpose of this engagement is to provide CISA with visibility into systems to observe adversary activity and reduce risk. CISA also may provide recommendations to the contractor regarding compromised systems. In addition, the new FAR clause would give CISA, the Federal Bureau of Investigation, the Department of Justice, and the contracting agency “full access to applicable contractor information and information systems, and to contractor personnel, in response to a security incident reported by the contractor or a security incident identified by the Government.” The FAR Council clearly recognizes the consternation this proposed expansion of Government access to contractor systems may pose to contractors, as it has posed a number of questions regarding potential contractor concerns about this access and any safeguards that contractors may desire. Notwithstanding this invitation for comments, this potential new requirement may be the most aggressive and difficult one for contractors to swallow. The confidentiality, privacy, and logistical concerns presented by Government access to contractor computer systems are tremendous and difficult to overcome.
3. Security Incident Reporting. The proposed rule requires contractors to “immediately and thoroughly investigate all indicators that a security incident may have occurred and submit information using the CISA incident reporting portal . . . within eight hours of discovery . . . [and to] update the submission every 72 hours thereafter until the Contractor, the agency, and/or any investigating agencies have completed all eradication or remediation activities.” The FAR Council recognizes that initial reports will be incomplete, but insists that early reporting is vital, as is subsequent reporting throughout the lifecycle of the incident, to allow the Government to take appropriate actions to protect its systems and data. The FAR Council also recognizes that contractors may be subject to other reporting regimes with different reporting timelines, including DFARS 252.204-7012, the Homeland Security reporting rule, the NISPOM, and CIRCIA, which is the subject of a separate rulemaking process. Rather than address this potential conflict, however, the FAR Council again poses questions to contractors about the burden of all of these different compliance regimes and the potential implications for incident response. The FAR Council has also asked contractors to explain how the cost of information technology products and services might increase in light of the reporting requirement. As proposed, the rule applies to all ICT products, including COTS, although the FAR Council has asked for input on this decision as well. Finally, the definition of “security incident” in the proposed rule differs from that used by Homeland Security and from the definition of “covered incident” in CIRCIA. Again, rather than trying to reconcile potential conflicts, the FAR Council turns to contractors for potential solutions. This is an area where we would expect contractors to have significant ability to shape the final rule.
Harmonization of reporting requirements across agencies would have significant benefits, but it is unclear whether that can be achieved through this rule. Moreover, an eight-hour reporting requirement is exceptionally aggressive, and the requirement for updates every 72 hours will impose burdens on contractors going through incident response and remediation activities.
4. IPv6. To capture new rules related to IPv6, the FAR Council has proposed new FAR clause 52.239–1, Privacy or Security Safeguards, in solicitations and contracts for information technology that require security of information technology and/or are for the design, development, or operation of a system of records using commercial information technology services or support services. The new FAR 39.101 states that, when acquiring ICT using internet protocol, agencies must require IPv6 compliance. Suppliers are required to provide a declaration of conformity to document the USGv6 capabilities supported by a specific product or set of products and to provide traceability back to the accredited laboratory that conducted the tests (see NIST SP 500–281B). FAR 39.106–1 states that ICT products and services must conform, at a minimum, to the IPv6 mandatory capabilities in the current version of the USGv6 Profile (NIST SP 500–267B) or, if the agency Chief Information Officer (CIO) grants a waiver, provide for a product/service-specific IPv6 implementation plan. FAR 39.106–2 describes the IPv6 waiver process. Only the agency CIO may grant a waiver and, where granted, contracting officers must include the fact of a waiver in solicitations. The potential impact of this clause remains to be seen, but contractors should have been aware of the impending IPv6 requirements since 2020.
FAR 52.239–AA, Security Incident Reporting Representation
The proposed rule would require all contractors, including those with commercial products and services contracts, to represent at the time of contracting that: (1) they have submitted all security incident reports in a current, accurate, and complete manner; and (2) they have flowed down to each lower-tier subcontractor under certain contracts the requirements of FAR clause 52.239–ZZ.
The specific representation to be made by contractors is:
(1) The Offeror represents that it has submitted in a current, accurate, and complete manner, all security incident reports required by current existing contracts between the Offeror and the Government.
(2) Under current existing contracts between the Offeror and the Government where information and communications technology is used or provided in the performance of a subcontract, the Offeror represents that it has required each first-tier subcontractor to:
(i) Notify the Offeror within 8 hours of discovery of a security incident, as required by paragraph (f) of FAR clause 52.239–ZZ; and
(ii) Require the next lower-tier subcontractor to include the requirement to notify the prime Contractor and next higher-tier subcontractor within 8 hours of discovery of a security incident, and include this reporting requirement and continued flow down requirement in any lower-tier subcontracts, in this and other executive agency contracts, as required by paragraph (f) of FAR clause 52.239–ZZ.
The FAR Council’s proposed rules are a lot to take in at once. We anticipate they will create significant compliance burdens and costs for existing Government Contractors, and they could have a chilling effect on new market entrants. The proposed rules also bestow significant discretion and responsibility on contracting officers, many of whom may not have technical backgrounds or be equipped to make the types of determinations contemplated under the proposed rules. Finally, the False Claims Act implications of the rules cannot be ignored. The proposed rules expressly state that compliance with these requirements “is material to eligibility and payment under Government contracts,” thus laying the groundwork for False Claims Act cases. With this language in the rule and with the added certification obligations in FAR 52.239-AA, relators and Government agencies will be able to establish False Claims Act liability for cybersecurity lapses or failure to report security incidents far more easily than currently.
Notwithstanding the above, proposed rules are by definition not final rules, which means they can be viewed as fluid. Government Contractors therefore should accept the FAR Council’s invitation to comment on the proposed rules and provide detailed feedback on their anticipated impacts.