Agencies Establish Baseline Cybersecurity Safeguards for Information Systems Containing Federal Contract Information
Continuing its race to protect sensitive data, the United States federal government recently added cybersecurity requirements that establish basic safeguards governing information systems that government contractors must implement for new procurements. Effective June 15, 2016, the government is amending the Federal Acquisition Regulation ("FAR") to require contractors to implement 15 safeguards that "a prudent business person would employ" during the "routine course of doing business." The regulations impose these requirements for federal acquisitions, including commercial acquisitions (other than acquisitions of commercially available off-the-shelf items), where the contractor's information system may contain federal contract information. The obligations flow down to subcontractors but will apply only when subcontractors' information systems contain the defined information. The new requirements do not replace, however, and contractors must still follow, other safeguarding requirements imposed by federal departments or agencies designed to protect Controlled Unclassified Information ("CUI").
Requirement to Protect Information Systems, Rather Than Classes of Information
The requirements imposed by the government focus on the systems that house sensitive data, rather than imposing requirements on specified data. They do not address the transmission of electronic information or protection of information beyond the establishment of safeguards for such information systems. Contracting officers must include a FAR-mandated contract clause containing the safeguards in solicitations and contracts "when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system." These include any "information system" that may contain "Federal contract information," i.e., "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." This information includes, but is not limited to, financial, export control, agriculture, procurement, and acquisition data. It does not include information intended for public release (such as publicly accessible website data) or "simple transactional information."
The contract clause requires the contractor to implement 15 "minimum" security safeguards. These requirements, which are modeled after the requirements in National Institute of Standards and Technology Special Publication 800-171, essentially involve the types of measures contractors typically use to protect proprietary information and trade secrets:
- Identifying authorized users and limiting them to permitted activities (i.e., requirements 1, 2, 5, and 6);
- Controlling communications with external information systems and preventing information from being posted publicly (i.e., requirements 3, 4, 10, and 11);
- Limiting access to facilities and devices (i.e., requirements 7–9); and
- Monitoring for and correcting vulnerabilities in information systems (i.e., requirements 12–15).
Contractors are required to report flaws in the information systems "in a timely manner."
Enforcement of the Final Rule
The final rule provides that the inadvertent release of information will not constitute a breach of contract "as long as the safeguards are in place." Although the final rule does not discuss the government's remedies for a contractor's failure to implement the safeguards, they would include the government's standard remedies for failure to follow contract provisions and FAR requirements. These would include remedies for breach of contract, termination, negative evaluations for performance in subsequent solicitations, and, in egregious circumstances, enforcement activity.
Relationship to Other Safeguarding Requirements
The final rule indicates that it "is just one step in a series of coordinated regulatory actions being taken or planned to strengthen protections of information systems" and "does not relieve the contractor from complying with any other specific safeguarding requirements and procedures." Specifically, contractors still must comply with the Department of Defense's interim rule in the Defense Federal Acquisition Regulation Supplement, if applicable, as explained in our prior Commentary, and the Office of Management Budget ("OMB") guidance related to CUI. In addition, the Final Rule indicates that further amendments to FAR are forthcoming to implement Executive Order 13556's requirements for CUI and to implement the OMB guidance.
We will continue to monitor future regulations concerning cybersecurity provisions applicable to government contracts and are available to assist contractors in implementing and complying with the safeguards.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
D. Grayson Yeargin
Peter F. Garvin III
J. Andrew Jackson
Fernand A. Lavallee
Todd S. McClelland
Mauricio F. Paez
Grant H. Willis
Chad O. Dorr
Christopher M. Tipler
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.