What Every Government Contractor Needs to Know About Federal Cybersecurity Requirements – Part 1
Ever since the Sandra Bullock classic The Net was released in 1995, “cybersecurity” has been at the forefront of the public consciousness. Okay, it would be far-fetched to say that anyone really took that movie seriously, but it is not an exaggeration to say that cybersecurity is one of the most buzzed-about issues of today. With the number of data breaches seeming to increase exponentially each year, cybersecurity has become more important than ever. The US Government (“USG”) has not been immune to data breaches, and thus it has started to implement policies intended to prevent, detect, report, and minimize damage from cyber breaches.
These cybersecurity policies are important for government contractors, as they will often find the policies included in their contracts with the federal government. This will typically mean that the contract will incorporate one or more FAR and/or DFARS clauses, such as FAR § 52.204-21 and DFARS §§ 252.204-7008 & 252.204-7012. Government contractors will almost certainly see one or all (for DoD contracts) of these clauses in their current federal contracts and solicitations. Given the pervasive nature of these clauses in federal government contracting, it is imperative that contractors are aware of the requirements of each.
Over the course of three installments, this article will examine the three federal cybersecurity clauses most likely to be found in a federal contract. Part 1 will focus on FAR § 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”) and DFARS § 252.204-7008 (“Compliance with Safeguarding Covered Defense Information Controls”), discussing the requirements of each clause. Part 2 will delve into the requirements of DFARS § 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”), focusing on the requirement to provide “Adequate Security.” This will necessitate a brief exploration of NIST Special Publication 800-171 (“Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”), which is a key component of meeting the “Adequate Security” requirement. Finally, Part 3 will cover the remaining requirements of DFARS § 252.204-7012, including the “Cyber Incident Reporting” element.
While that movie is hardly a classic, Sandy Bullock remains a national treasure. This cannot be denied.
FAR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
Contracting Officers are required to include FAR § 52.204-21 in all solicitations and contracts where the contractor, or any subcontractor at any tier, may have Federal contract information residing in or flowing through its IT system. As its title denotes, FAR § 52.204-21 (“Basic Rule”) is the more basic of the USG’s cybersecurity clauses. “The Basic Rule” applies to all contractor systems that process, store, or transmit non-public information that is either provided for or generated for the USG under a government contract. “The Basic Rule” requires contractors to apply basic safeguarding policies and procedures to protect this federal information on their IT systems. “The Basic Rule” specifies 15 security controls that the contractor must have in place.
The 15 specific security controls required by “the Basic Rule” are:
- Limit access to authorized users, processes, or devices;
- Limit access to the type of actions that authorized users are permitted to execute;
- Verify and control (or limit) connections to external information systems;
- Control information posted or processed on publicly accessible systems;
- Identify information system users, processes, or devices;
- Authenticate identities of users, processes, or devices prior to allowing access;
- Sanitize or destroy media containing Federal Contract Information;
- Limit physical access to information systems, equipment, and operating environment to authorized individuals;
- Escort visitors, monitor visitor activity, maintain audit logs of visitor activity, and control and manage physical access devices;
- Monitor, control, and protect organizational communications;
- Implement subnetworks for publicly accessible system components that are separated from internal networks;
- Identify, report, and correct information and system flaws in a timely manner;
- Provide protection from malicious code;
- Update malicious code protection mechanisms when new releases are available; and
- Perform periodic scans of the system and real-time scans of files from external sources as files are downloaded, opened, or executed.
The requirements of “the Basic Rule” are fairly intuitive, and responsible contractors likely already include these or similar security protocols in their policies and procedures to safeguard information on their IT systems. However, a contractor’s adherence to the requirements of “the Basic Rule” does not provide an exemption from other safeguarding requirements that are specified by Federal agencies, including the requirements of DFARS § 252.204-7008 and DFARS § 252.204-7012.
In addition to the requirement to meet the security controls, “the Basic Rule” obligates contractors to flow down its terms to all tiers of subcontractors. Excluding subcontracts for commercially available off-the-shelf (COTS) items, contractors and subcontractors are required to include “the Basic Rule” (and the requirement to flow down “the Basic Rule”) in any subcontract that may require the subcontractor to have Federal contract information residing in or transmitting through its system.
DFARS § 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls
DFARS § 252.204-7008 (“Compliance Clause”) is required to be included in all DoD solicitations, with the only exception being solicitations solely for the acquisition of COTS items. The Compliance Clause provides that any time covered defense information (“CDI”) is on a contractor’s information system, the requirements of DFARS § 252.204-7012 are mandatory. Given that DFARS § 252.204-7012 imposes that requirement on its own, this portion of the Compliance Clause is arguably redundant.
However, the Compliance Clause does contain important certification language that must be heeded by federal contractors. Most important, the Compliance Clause essentially states that by virtue of submitting an offer in response to a solicitation containing the clause, the contractor represents that it will meet the requirements of DFARS § 252.204-7012. Given this representation, it is important for contractors to fully understand the scope of DFARS § 252.204-7012.
While understanding the requirements of the Basic Rule and the Compliance Clause is essential for government contractors, those clauses really only scratch the surface of the USG’s cybersecurity requirements. The most extensive security controls are contained in DFARS § 252.204-7012, which will be discussed in Parts 2 and 3 of this series.
If you have questions about this or any other Government Contracts matter, please contact us.
ABOUT OFFIT KURMAN
Offit Kurman is one of the fastest-growing, full-service law firms in the Mid-Atlantic region. With over 170 attorneys offering a comprehensive range of services in virtually every legal category, the firm is well positioned to meet the needs of dynamic businesses and the people who own and operate them. Our eleven offices serve individual and corporate clients in the Virginia, Washington, DC, Maryland, Delaware, Pennsylvania, New Jersey, and New York City regions. At Offit Kurman, we are our clients’ most trusted legal advisors, professionals who help maximize and protect business value and personal wealth. In every interaction, we consistently maintain our clients’ confidence by remaining focused on furthering their objectives and achieving their goals in an efficient manner. Trust, knowledge, confidence—in a partner, that’s perfect.