Earlier this month, it was reported that the National Security Agency (NSA) discovered a serious security flaw in Microsoft Windows 10 cryptographic functionality, CVE-2020-0601. That security flaw could render the trust certificates used to authenticate sources in communications and files vulnerable to spoofing or attack. As the NSA Cybersecurity Advisory notes, “[e]xploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.” To address this critical vulnerability, the NSA recommends installation of the Microsoft patch on Windows 10 and Windows Server 2016/2019 systems.
Government contractors and their supply chains are being impacted by this discovery. The impacts raise questions about how cybersecurity requirements are to be handled under Government contracts and subcontracts, whether government-directed changes are to be compensated, and whether contractors are at risk if they don’t promptly address such Government direction.
Who pays for the impact of installing the patch? What if the contractor delays in installing the patch and something happens? Will there be contractor liability if a cyber incident occurs?
For example, the current DFARS cybersecurity rule, DFARS 252.204-7012, calls for contractors, and their subcontractors and similar agreement holders, to maintain “adequate security” to protect unclassified information systems that are owned, or operated by or for, a contractor and that process, store, or transmit covered defense information (CDI). CDI includes controlled unclassified information that requires safeguarding (CUI). The DFARS also requires, at a minimum, compliance with the National Institute of Standards and Technology (NIST) SP 800-171’s 110 security controls, including the 110th control to have a System Security Plan (SSP) and Program and Milestones (POAM) to implement the other 109 security controls. NIST provides for flexibility in how the contractor applies these required security controls. For example, NIST SP 800-171 at 3.11 Risk Assessment provides for compliance with basic security requirements:
Basic Security Requirements
3.11.1 Periodically assess the risk to organizational operations …, organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
Derived Security Requirements
3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.11.3 Remediate vulnerabilities in accordance with risk assessments.
However, where the Government agency directs the Government contract holder to take specific actions that are not requirements under the contract in order to address a Government-identified security flaw – such as directing the contractor to install a particular patch to address the identified flaw, requiring that the contractor do so within a specified period of time, directing its subcontractors and supply chain entities to install that patch, and requiring the contractor to report to the Government agency within a specified time on the implementation efforts – these Government-directed activities may increase the Government contract’s scope (including method of performance), schedule, or costs and therefore give rise to a potentially compensable contractual change. See, e.g., FAR Part 43 Contract Modifications.
If you receive direction from the Government to take specific actions in response to a cybersecurity threat, you may have no choice but to comply with that direction. However, as a contractor it would be wise to consider whether such direction will give rise to increased costs and impacts and, if so, to take steps to promptly notify the Government of these impacts and seek to negotiate a compensable change to your contract. At a minimum, putting the Government on notice should help you preserve your right to bring a claim for any increased costs and impacts arising from that Government direction.
In these types of situations, you should take steps to document … document … document! Consider establishing a separate charge number to record and track your increased work, schedule changes, and costs related to this Government-directed change so that you have the evidence needed to support any request for equitable adjustment or claim.
Be aware of your contract requirements and any impacts that such direction may have on your contract schedule, cost, scope or method of performance. These may be impacts that entitle you to compensation.