Earlier this month, we had the pleasure of opening the 2017 Associated General Contractors of America Federal Contractor Conference in Washington, DC with a presentation focused on the emerging issue of Cybersecurity in Federal contracting. Data breaches are big news in the private sector, but the issue has remained somewhat under the radar for public contracts – until now.
New rules and regulations (with the imminent promise of more on the way) are setting the stage for Cybersecurity to be the next big government enforcement target under the Civil False Claims Act (which the Department of Justice used to claw back $4.7 Billion in recoveries from Federal contractors in FY 2016 alone).
The New Cybersecurity FAR Clause
A Final Rule published by the Department of Defense, NASA, and the General Services Administration in 2016 created a new Federal Acquisition Regulation subpart (4.19) and contract clause (52.204-21) that deal exclusively with Cybersecurity.
The Regulation broadly applies to “covered contractor information systems” that process, store, or transmit “Federal contract information.” These terms are interpreted expansively to cover any information provided by or transmitted to the Federal government in connection with contract performance. In other words, if the new clause is not included in your Federal contracts yet, it soon will be.
The Regulation imposes 15 “basic” security controls for contractors. The controls are intended to impose minimum safeguarding measures that the government believes any responsible contractor should have in place as part of the cost of doing business. A complete list of the security controls is available here.
The DFARS Cybersecurity Clause
Compliance with FAR clause 52.204-21 should be viewed by contractors as a baseline Cybersecurity requirement – but it does not take the place of other, more complex requirements.
For example, DoD contractors must comply with DFARS 252.204-7012 (Safeguarding Covered Defense Information & Cyber Incident Reporting). The DFARS clause is more far-reaching than the FAR clause, and includes investigation and rapid reporting requirements for breach incidents. It also requires compliance with NIST 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) by no later than December 31, 2017.
Other requirements related to the handling of Classified and Controlled Unclassified Information also remain in place. And we fully expect more (and more demanding) Cybersecurity requirements to be published by the government in the coming months and years.
The Contractor’s Guide to Cybersecurity Compliance
For Federal contractors, the future is now.
Cybersecurity requirements will soon be included in almost every Federal contract, so the only question is how to achieve and maintain compliance.
The good news is that compliance with FAR 52.204-21 is a great first step. Again, the government considers the Regulation to be a basic safeguarding requirement that every responsible contractor should have in place. If your business does not have at least those 15 security controls covered right now, it is time to figure out why.
To track and maintain compliance with expanding requirements, we also recommend making Cybersecurity part of your Federal Business Ethics and Compliance Program.
All Federal contractors have (or should have) a written Contractor Code of Business Ethics and Conduct. The Code should be a living document that your business routinely updates and uses in connection with internal audits and employee training.
By adding Cybersecurity to your Ethics Program and written Code, you are ensuring that it becomes a part of your company’s culture. You are also increasing the likelihood that Cybersecurity breaches, or other instances of non-compliance, are identified by your Internal Control System – not by the government.
Cybersecurity is an emerging, complex subject – but that does not mean that the government will relax its enforcement efforts while your business gets up to speed. In fact, we think the opposite is true. Contractors that do not make Cybersecurity compliance a priority now will be behind the power curve and are more likely to face harsh consequences (including False Claims Act allegations, suspension, or debarment) down the road.