Continuing its race to protect sensitive data, the United States federal government recently added cybersecurity requirements that establish basic safeguards governing information systems that government contractors must implement for new procurements. Effective June 15, 2016, the government is amending the Federal Acquisition Regulation ("FAR") to require contractors to implement 15 safeguards that "a prudent business person would employ" during the "routine course of doing business." The regulations impose these requirements for federal acquisitions, including commercial acquisitions (other than acquisitions of commercially available off-the-shelf items), where the contractor's information system may contain federal contract information. The obligations flow down to subcontractors but apply only when the subcontractors' information systems contain the defined information. The new requirements do not, however, replace other safeguarding requirements imposed by federal departments or agencies to protect Controlled Unclassified Information ("CUI"); contractors must still follow those requirements.
Requirement to Protect Information Systems, Rather Than Classes of Information
The requirements imposed by the government focus on the systems that house sensitive data, rather than imposing requirements on specified data. They do not address the transmission of electronic information or protection of information beyond the establishment of safeguards for such information systems. Contracting officers must include a FAR-mandated contract clause containing the safeguards in solicitations and contracts "when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system." The clause therefore reaches any "information system" that may contain "Federal contract information," i.e., "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." This information includes, but is not limited to, financial, export control, agriculture, procurement, and acquisition data. It does not include information intended for public release (such as publicly accessible website data) or "simple transactional information."
The contract clause requires the contractor to implement 15 "minimum" security safeguards. These requirements, which are modeled after the requirements in National Institute of Standards and Technology Special Publication 800-171, essentially involve the types of measures contractors typically use to protect proprietary information and trade secrets:
- Identifying authorized users and limiting them to permitted activities (i.e., requirements 1, 2, 5, and 6);
- Controlling communications with external information systems and preventing information from being posted publicly (i.e., requirements 3, 4, 10, and 11);
- Limiting access to facilities and devices (i.e., requirements 7–9); and
- Monitoring for and correcting vulnerabilities in information systems (i.e., requirements 12–15).
Contractors are required to report flaws in the information systems "in a timely manner."
Enforcement of the Final Rule
The final rule provides that the inadvertent release of information will not constitute a breach of contract "as long as the safeguards are in place." Although the final rule does not discuss the government's remedies for a contractor's failure to implement the safeguards, those remedies would include the government's standard remedies for failure to follow contract provisions and FAR requirements: remedies for breach of contract, termination, negative performance evaluations in subsequent solicitations, and, in egregious circumstances, enforcement activity.
Relationship to Other Safeguarding Requirements
The final rule indicates that it "is just one step in a series of coordinated regulatory actions being taken or planned to strengthen protections of information systems" and "does not relieve the contractor from complying with any other specific safeguarding requirements and procedures." Specifically, contractors still must comply with the Department of Defense's interim rule in the Defense Federal Acquisition Regulation Supplement, if applicable, as explained in our prior Commentary, and with the Office of Management and Budget ("OMB") guidance related to CUI. In addition, the final rule indicates that further amendments to the FAR are forthcoming to implement Executive Order 13556's requirements for CUI and to implement the OMB guidance.