
Two New Proposed Rules Signal Big Changes for Cybersecurity in Federal Contracts


By Kenny R. Cantrell, III of Smith, Currie & Hancock LLP
Originally Published: April 2, 2024


The United States faces increasingly sophisticated cyber campaigns that threaten the security and privacy of both the public and private sectors, and both have been rocked by recent incidents. Examples include the December 2020 ransomware attack on SolarWinds that paralyzed multinational companies and permanently locked people around the world out of tens of thousands of computers, and the Colonial Pipeline ransomware attack on May 7, 2021 that halted the pipeline system’s access to its servers and caused widespread fuel shortages. Government contractors will need to meet the challenges of emerging technologies and significant geopolitical events that give rise to new threats to business continuity. The ability to ensure data security is quickly becoming essential to contractors’ survival.

The Federal Acquisition Regulatory (FAR) Council has issued two proposed cybersecurity rules for government contractors: Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017) and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019). Both proposed rules make compliance material to eligibility for and payment under government contracts. Compliance will likely be tethered to potential False Claims Act liability.

This article provides a brief summary of both Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017) and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019). We will also discuss other considerations, such as potential liability under the False Claims Act.

Cyber Threat and Incident Reporting and Information Sharing.

The first proposed rule emphasizes sharing information about cyber threats and reporting cybersecurity incidents. The proposed rule includes updated definitions, requirements, and representations for government contractors’ cybersecurity. The representations and requirements would encompass preparation and maintenance of cybersecurity infrastructure and protocols, enhanced collaboration with agencies, and subcontractor compliance. We summarize some key highlights below.

New Requirements for Federal Contractors

· Software Bill of Materials (SBOM): Federal contractors would be required to develop and maintain a Software Bill of Materials for any software used in contract performance. Other “preparation and maintenance activities” include subscribing to an automated indicator sharing (AIS) capability and sharing cyber threat indicators through AIS during performance.

· IPv6 Implementation: Federal contractors would be required to complete Internet Protocol Version 6 (IPv6) implementation activities in accordance with OMB Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (November 19, 2020).

· CISA Engagement Services: Federal contractors would be required to allow access to and cooperate with the Cybersecurity & Infrastructure Security Agency (CISA) for purposes of threat hunting and incident response. Recommendations from CISA, however, would only be implemented after consultation with the contractor and the agency.

· Access to Contractor Information and Systems: Contractors would be required to provide CISA, the Federal Bureau of Investigation (FBI), and the contracting agency with full access to applicable contractor information, information systems, and personnel should a security incident occur.

· Operations in a Foreign Country: The proposed rule seeks feedback on barriers faced by companies that operate outside the United States.

· Security Incident Reporting Harmonization: Contractors would be required to report security incidents through the CISA incident reporting portal within eight (8) hours of discovery and to provide updates every 72 hours thereafter until the incident is eradicated or remediated.

The proposed rule would include new FAR clauses in Part 39, Acquisition of Information Technology, and two new FAR clauses to be included in solicitations and contracts that will flow down to all subcontracts.

FAR 52.239-ZZ Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology – This clause would cover (1) security incident investigation, response, and reporting; (2) the Software Bill of Materials; (3) sharing of cyber threat indicators and defensive measures; and (4) the Internet Protocol Version 6 transition under OMB Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (November 19, 2020).

FAR 52.239-AA Security Incident Reporting Representation – This would require offerors to represent that they have (1) submitted in a current, accurate, and complete manner all security incident reports required by existing contracts; and (2) flowed down to each first-tier subcontractor requirements to (i) notify the offeror within 8 hours of discovery of a security incident and (ii) flow down requirements for reporting security incidents to lower-tier subcontractors.

The clauses would be included in all solicitations and contracts, and compliance with their requirements would be “material to eligibility and payment under government contracts.” This should pique every contractor’s interest: the requirements could touch every kind of government contract, and unprepared contractors could find themselves behind the eight ball, ineligible for payment.

Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems.

The second proposed rule would standardize cybersecurity contractual requirements across government agencies for unclassified information systems. It would also support the government’s efforts to identify, deter, protect against, and respond to cybersecurity threats.

A new FAR Subpart 39.X, Federal Information Systems, would require agencies to prescribe policies and procedures when acquiring services to develop, implement, operate, or maintain an information system.

The proposed rule would add two new contract clauses to be used in contracts for services to develop, implement, operate, or maintain cloud computing systems. Cloud computing is the delivery of computing services over the internet, such as servers, storage, databases, networking, software, analytics, and intelligence. Cloud computing can help businesses improve their IT costs, speed, productivity, performance, reliability, and security. Contractors will want to be prepared for these new responsibilities.

FAR 52.239-XX Federal Information Systems Using Cloud Computing Systems – The primary effect of this new clause is to require contractors to maintain FedRAMP-level security and privacy protections, and to continuously monitor and report activity to the government.

FAR 52.239-YY Federal Information Systems Using Non-Cloud Computing Services – This clause would require, among other things, that a contractor provide government personnel with access to government data and government-related data on the contractor’s IT systems for auditing, inspection, and investigation purposes.

Potential Liability Under the False Claims Act is Real.

False Claims Act liability is an ever-present risk for contractors. These new cybersecurity initiatives would require contractors to add additional cybersecurity controls to the list of precautions necessary to avoid running afoul of the False Claims Act.

We see this happening already with the Department of Justice’s Civil Cyber-Fraud Initiative. In September 2023, a qui tam action against Penn State University was unsealed; the complaint alleges that the school failed to comply with the Department of Defense’s cybersecurity requirements. Days later, the DOJ announced a $4 million settlement with Verizon Business Network Services LLC to resolve alleged failures to meet cybersecurity requirements for Verizon’s secure public internet connections to federal agencies.

These examples reflect the government’s focus on cybersecurity compliance as a hook for False Claims Act liability, and cybersecurity-related False Claims Act enforcement is likely to surge. Regulators will want to push contractors to prioritize meeting cybersecurity requirements, and whistleblowers will certainly search for potential cybersecurity-related claims.

Word to the Wise for Contractors.

The public comment period for both proposed rules closed on February 2, 2024. At this time, there is no indication of when the finalized rules will be issued. However, the proposed rules could lead to a mass reorganization of agency-specific cyber requirements for federal contractors, and a compliance process that could be long and expensive.

In sum, this compliance landscape requires continuous monitoring. Outside counsel can be instrumental in tackling the complicated web of cybersecurity requirements contractors will face. Contractors can expect to see more enforcement actions from both the government and whistleblowers and should take the opportunity to bolster their compliance efforts now.
Kenny R. Cantrell, III is an Associate with Smith, Currie & Hancock LLP. He brings more than a dozen years of experience in a broad range of business and civil litigation matters. He represents owners, general contractors, subcontractors, architects, engineers, and suppliers in disputes and also advises them on a variety of issues. He can be reached at krcantrell@smithcurrie.com or 404.582.8066.
