Two tough new rules from the Federal Acquisition Regulation Council are coming, but they originated with the Cybersecurity and Infrastructure Security Agency. They have to do with contractor incident reporting and with how contractors button up unclassified systems. For analysis, the Federal Drive with Tom Temin turned to Haynes Boone procurement attorney Zach Prince.

Interview Transcript:

Zach Prince Well, it really depends on how the FAR council ends up refining the definitions. But as it is now, at least, the very first rule, the cyber threat incident reporting rule could apply to at least 75% of contractors. The FAR council said that in the proposed rule, because it touches anybody that has a contract, that includes some information and communication technology, which is a hugely broad definition of things.

Tom Temin Right. Because even services contractors might have some hardware somewhere just to enable the delivery of the service that they’re developing.

Zach Prince They likely will. I can think of very few examples of contractors that really would have nothing to do with information technology.

Tom Temin And it could spread. I mean, if they’re providing a service or even developing software which will run somewhere if it runs on a cloud or there’s some cloud service brought into this, that kind of brings the whole cloud chain in under this rule potentially.

Zach Prince Oh, yeah. I mean, we’ve seen attacks that impact a huge swath of federal infrastructure just coming from one provider. So the reason that we need this to be so broad is because the impact could be so broad to the government.

Tom Temin And the specific rule itself on incident reporting and information sharing. Let’s start with that one. What would it require contractors specifically to do here?

Zach Prince So it’s got a couple of components. The first and biggest part of it is an obligation to report cyber incidents. And so under the [Department of Defense (DoD)] analogous rule, DFARS 252.204-7012, which has been around for quite a while now, you have to report a cyber incident that impacts a contractor information system, which roughly means [Controlled Unclassified Information (CUI)] is involved in some way. This rule goes a lot further. This requires contractors to disclose whenever they’ve discovered indicators that there’s been a security incident, which is defined to include any event or series of events which pose actual or imminent jeopardy to integrity, confidentiality, etc., of information systems. But not just that, also anything that could constitute a violation of an acceptable use policy. I don’t know that they thought that part through, because you remember there were cases in the last couple of decades of people who violated use policies by, say, misrepresenting your age on Facebook; that’s technically a violation of a use policy. I don’t think that’s what the FAR council is thinking that they need reported to homeland security and then the FBI. But that’s what the rules that they drafted suggest.

Tom Temin Right. These rules originated with [Cybersecurity and Infrastructure Security Agency (CISA)], as we said at the top, and now they’re being delivered through the way they have to be, the FAR council. But it sounds like maybe they just threw everything they could think of into the basket. And maybe in the commenting period, which I think goes to early December, they’ll sort it out or pare it down.

Zach Prince I think this is going to be an iterative process. You’re going to get a bunch of comments and then another draft and then comments and draft. And I think you’re going to be looking at a rule probably later part of next year, if not 2025.

Tom Temin And the issue then is some of the large contractors have this capability. They have their own NOCs, network operations centers and security operations centers because they’re that big. And so they can easily adapt, probably. But small businesses and subcontractors may or may not have the ability to know, let alone develop a report of a possible breach, given the technology base they have and the knowledge they have.

Zach Prince It’ll be a learning curve. Right at the least, the government wants you to be able to, if you know or have indicators of an attack or potential attack, tell the government. Because they want to know and be able to help. And I think a lot of this is the government wanting contractors to stop siloing information, get the government involved, get the FBI involved and stop the cyber attacks as early as possible.

Tom Temin And then the other rule is standardizing cybersecurity requirements for unclassified federal information systems. That’s incumbent on contractors also or on agencies?

Zach Prince This is also on contractors. But it’s got a little bit of both components, because DoD for many years now has been using the NIST 800-171 framework. We’ve got [Cybersecurity Maturity Model Certification (CMMC)] looming on the horizon that’s essentially mirroring that same framework. Civilian agencies have been all over the place. Mostly they’ve just been doing almost nothing in a lot of their contracts. But then in the last year or two I’ve started seeing clauses show up that are insanely broad and ill defined and really don’t help, don’t tell contractors what to do. They say things like, your information technology will comply with [Federal Information Security Management Act (FISMA)] and various requirements that may or may not apply. And they don’t tell you how they apply. They really don’t give any guidance that’s sufficient to tell you how you’re complying with your contract. The point of this clause is to mandate that agencies, during the procurement process, do analysis and identify which requirements apply and how, so contractors are on notice and can actually implement those requirements.

Tom Temin Right. Because these rules are coming through the FAR Council. That means it will be incumbent on agencies to ensure that contracts have clauses expressing what these rules are after in those contracts.

Zach Prince Yeah, and it can’t just be guesswork. The problem in a lot of instances is that contracting officers are not cybersecurity specialists. They’ve got mandates coming down from up high saying include this super broad series of provisions. And they don’t have much discretion. They might have the warrant, but in reality we know how these things work. They can’t say we’re going to waive this year or even tell you what applies because our higher up said it all applies. So now they’re going to have to actually say, go through a process, say this applies, this applies, this applies, this doesn’t. And then you as a contractor will bid on that assumption and be able to implement.

Tom Temin Are those soft footsteps I hear coming up behind the steps of False Claims Act?

Zach Prince It’s definitely possible for both of these clauses. An interesting thing with the cyber incident reporting clause is it is going to include a mandatory representation with bids that says current, accurate and complete reporting has been done for any cyber incident that has occurred previously under this clause and that you’ve been following the clause appropriately. And that’s the language that you see in the Truth in Negotiations Act. Now, I guess the Truthful Cost or Pricing Data Act, where current, accurate and complete is used and that becomes the hook for False Claims Act liability.

Tom Temin Sure. TINA has some pretty sharp nails when push comes to shove there. And so what are you advising contractors to do? For example, are there any provisions, and these are long rules, that you are advising them to get up on their hind legs and say, wait a minute, here in the commenting?

Zach Prince At this point we’re working on comments that are just going to be asking a lot of questions to define terms better. The definition of information technology is really, really broad here. How the reporting obligation actually applies to contractors is not clear. The definition of the incident itself is really broad. So a lot of the process for the next couple of months is going to be trying to get clarity on basic definitions. There are some provisions in here that are really challenging to swallow. The standardizing rule that’s going to come out has this indemnification provision that is frankly crazy. It applies a strict liability standard; it doesn’t matter whether you were negligent or not. If there’s any damage that happens to the government because of information that you’ve introduced into a government system, you have to cover every damage the government could possibly have. I mean, that’s nuts. You would never accept that in a commercial context. Why should the government be getting that, particularly with small contractors?

Tom Temin Yes. So potentially then you could be on the hook for, and I’m just making this up as a potential, but the ten years of paying the credit report protection program for 10,000 employees or something.

Zach Prince Or 100,000 or a million. I mean, look at the size of the [Office of Personnel Management (OPM)] breaches that have happened. They’re huge. So, yeah, I mean, that’s right. And this applies below the simplified acquisition threshold, too. So you’ve got a $50,000 contract that this clause applies to. And somehow a virus gets into your program through no fault of your own. In this instance, you still are on the hook for a million employees having credit monitoring for ten years.

Tom Temin For that matter. The virus could come in from the government itself.

Zach Prince And I wouldn’t be too surprised.

Tom Temin All right. Well, they’re on the way. And so everybody should comment. Zach Prince is a partner at the law firm Haynes Boone. Thanks so much for joining me.

Zach Prince Thanks for having me.