Today, Hogan Lovells’ Global Unmanned Aircraft Systems (UAS) Practice Chair Lisa Ellman testified to the House Small Business Subcommittee on Investigations, Oversight and Regulations ...27 September 2016
Final Rule Implements New Baseline Cybersecurity Requirements for Federal Contractors
Stacy Hadeka and Allison Bender also contributed to this report.
On May 16, 2016, more than three years after publication of an interim rule in August of 2012,1 the U.S. Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) published a final rule amending the Federal Acquisition Regulation (FAR) to implement requirements for the “Basic Safeguarding of Covered Contractor Information Systems.” 81 Fed. Reg. 30,439 (May 16, 2016), available here. See our previous analysis of the proposed 2012 rule here and here. This final rule becomes effective on June 15, 2016.
The final rule adds a new FAR subpart and contract clause for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information. In the preamble to the rule, the government states the intent is to establish basic safeguarding measures that are (or should be) generally employed by contractors as part of “routine” business practices – the rule is a baseline and does not affect other more specific federal information safeguarding requirements, such as:
- Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting;
- Requirements relating to Controlled Unclassified Information (CUI); or
- Requirements for classified information.
Distinct from the proposed rule of 2012, the focus of this final rule is on the safeguarding of the contractor information system itself, and not the Federal contract information generally.
Highlights of the Final Rule
Specifically, the final rule implements basic safeguarding requirements to promote the confidentiality and integrity of data as follows:
- The rule adds a new FAR subpart 4.19, Basic Safeguarding of Covered Contractor Information Systems, and an accompanying contract clause 52.204-21. The FAR clause identifies 15 security requirements for safeguarding a covered contractor information system (e.g., host servers, workstations, and routers). Although the government states multiple times throughout the Federal Register notice that this final rule addresses a basic level of safeguarding and does not equate to CUI safeguards, these 15 requirements are pulled verbatim from the National Institute of Standards and Technology (NIST) Special Publication (SP) NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,2 (although the FAR uses the phrase “Federal contract information” in lieu of “CUI”). A complete mapping of the language of the new FAR contract clause and each applicable NIST 800-171 reference is below.
DoD contractors that have already implemented these NIST 800-171 security requirements under the DFARS rule on cybersecurity safeguarding, which we previously wrote about here and here, will be well positioned to comply with this new FAR rule. DoD contractors (and non-DoD contractors) that are still in the process of implementing NIST 800-171 security requirements should consider prioritizing the items in the chart above in order to comply with the new FAR rule.
- The rule is applicable to all acquisitions (even below the simplified acquisition threshold), including commercial items other than commercial-off-the-shelf items (COTS).3
- The rule applies to any covered contractor information system, i.e., systems that are owned or operated by a contractor that process, store, or transmit “Federal contract information.”4
- The rule applies to subcontractors at all tiers in which the subcontractor may have Federal contract information residing in or transmitting through its information system. The rule, however, is unclear as to how a prime contractor should police a subcontractor’s controls or ensure that a subcontractor reports information or information system flaws in a timely manner as required by the safeguarding requirement in new FAR clause 52.204-21(b)(1) (xii).
- Failure to implement the basic requirements could result in a breach of contract. However, unlike the DFARS cybersecurity rule, this FAR clause does not include an affirmative compliance certification by the contractor or a process to present a company’s security safeguards to the government for review.5
- The FAR clause does not include an incident reporting requirement, whereas the DFARS cybersecurity clause requires covered DoD contractors to rapidly report “cyber incidents” to DoD (and a prime contractor, if applicable) within 72 hours.6
- The rule also amends FAR Part 7.1057 to add requirements that agency written acquisitions plans must include content on “security considerations” including:
- How adequate security will be established, maintained, and monitored for classified matters;
- How agency information security will be met for IT acquisitions;
- How agency personal identity verification requirements for contractors will be met; and
- How compliance with FAR subpart 4.19 will be met when federal contract information may be resident on contractor systems.
Overlap with Other Federal Contractor Cybersecurity Safeguarding Initiatives
This final rule is the latest step in a series of coordinated regulatory actions, including draft White House Office of Management and Budget (OMB) guidance for federal contracting8 and implementation of cybersecurity requirements, including those related to CUI. These actions are meant to help, among other things, clarify the application of the Federal Information Security Management Act of 2002 (FISMA), as amended by the Federal Information Security Modernization Act of 2014, and the NIST information systems requirements to contractors and, by doing so, help to create greater consistency, where appropriate, in safeguarding practices across agencies. The government’s goal appears to be building consistency of cybersecurity protections horizontally (across the federal government) as well as vertically (for government contractors and the government’s supply chain) aimed at better protecting government information, and information systems that may contain that information.
As witnessed over the last year, the federal government has continued to prioritize cybersecurity, and it does not appear to be slowing down. Some other key anticipated federal contractor cybersecurity initiatives still in development include:
- A final NARA rule on CUI, to be followed by a FAR clause;9
- A final version of the DFARS safeguarding rule;10 and
- A new DFARS rule to specify liability protections for certain DoD contractors when reporting cyber incidents and network penetrations under DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.11
For additional information about this final FAR rule and the other federal contractor cybersecurity initiatives discussed above, please contact the authors of this posting or the Hogan Lovells attorney with whom you work.
 Proposed Rule, FAR Case 2011-020, Basic Safeguarding of Contractor Information Systems, which was intended to address the safeguarding of contractor information systems that contain or process information provided by or generated for the government (other than public information). 77 Fed. Reg. 51,496 (August 24, 2012). In a parallel effort, on November 18, 2013, DoD published a Final Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to address requirements for safeguarding Unclassified Controlled Technical Information (the “UCTI Rule”). Interestingly, while the DFARS UCTI Rule was recently amended (more than once) in 2015 (see here and here regarding those changes), the FAR case on Basic Safeguarding has languished for three years until the final rule issued this week.
 NIST SP 800-171 refines the requirements from Federal Information Processing Standard (FIPS) 200 and the security controls from NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and presents them in a simpler format. It describes 14 “families” of security requirements (they are not called “controls”) that only include general narratives and no specific procedures on how a company should implement them. NIST 800-171 focuses on the “confidentiality” of data, and generally does not draw from the FIPS 200 and NIST 800-53 controls for the “integrity” or “availability” of data.
 The DFARS rule on cybersecurity safeguarding applies to all DoD contractors, including those with COTS contracts, but only addresses DoD “Covered Defense Information.”
 This includes information “not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government” and excludes information provided by the Government to the public or simple transactional information. FAR 4.1901. The rule does not include a marking requirement, as compared to the DoD safeguarding rule where DoD “Covered Defense Information” should be marked as such. See Michael J. Scheimer & Stacy Hadeka, Recent Updates to DFARS Cybersecurity Rule, Dec. 17, 2015, available here; see also Defense Procurement and Acquisition Policy, Frequently Asked Questions (FAQs) regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73, DFARS Subpart 239.76 and PGI Subpart 239.76, Class Deviation 2016-O0001 (OCT 2015) (Nov. 17, 2015), available here.
 DFARS clause 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, states that by submission of its offer the Offeror represents that it has implemented, or will implement no later than December 31, 2017, the security requirements of NIST 800-171. The clause also allows an offeror (1) to propose that a particular security requirement is not applicable or (2) to propose alternative but equally effective, security measures in writing to the Contracting Officer to submit to the DoD CIO for review.
 DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
 FAR 7.105(b)(18).
 On August 11, 2015, OMB issued “proposed guidance” on “Improving Cybersecurity Protections in Federal Acquisitions.” The guidance is intended to “take major steps toward implementing strengthened cybersecurity protections in federal acquisitions[,] thus mitigating the risks of potential incidents.” The OMB Guidance specifically directs agencies to require their contractors that handle CUI to meet the requirements of NIST 800-171.
 On May 8, 2015, NARA issued a proposed rule on agencies’ safeguarding, marking, and disposal of CUI. 80 Fed. Reg. 26,501 (May 8, 2015), available here. The NARA rule, which is expected to be published as a final rule in summer 2016, will require all federal agencies and contractors handling CUI for an agency to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program. NARA’s proposed rule from last year states that the CUI Program is undergoing a three part implementation plan to: 1) finalize the NARA proposed CUI rule in 32 CFR § 2002; 2) finalize NIST 800-171 (which was completed in June 2015); and 3) release a single FAR rule on CUI. When the NARA rule is finalized, contractors handling CUI should anticipate that their customer agencies may require compliance with NIST 800-171 standards.
 Although the DoD cyber safeguarding rule was issued as an interim rule effective upon publication, DoD has stated it will consider public comments received in response to the interim rule in the formation of a final rule. The most recent Open DFARS case tracker at the DoD Defense Procurement and Acquisition Policy (DPAP) website indicates the due date for the internal report on a final rule for DFARS Case 2013-D018 was extended to 5/25/2016.
 The most recent Open DFARS case tracker indicates DFARS Case 2016-D025, opened to implement section 1641 of the FY16 NDAA (which required DoD to specify liability protections for cleared defense contractors and operationally critical contractors when reporting cyber incidents and network penetrations), has an internal report on the proposed DFARS rule due 06/22/2016.