The increased concern about ransomware incidents, from both a quantitative and a severity standpoint, spurred the White House to urge corporate business leaders to improve their defenses and resilience posture against ransomware attacks. In a June 2, 2021 open letter to Corporate Executives and Business Leaders (the Letter), Anne Neuberger, the White House Deputy National Security Advisor for Cyber and Emerging Technology, appealed to business leaders to act, following on the heels of the President’s directives to federal agencies and contractors.

President Biden’s newly released Executive Order on Improving the Nation’s Cybersecurity represents a comprehensive approach to tackling cybersecurity threats in the U.S. and will likely result in new FAR and DFARS contract requirements. It represents the next step towards the inclusion of mandatory breach notifications in government contracts following widespread speculation that breach notification requirements were on the horizon.

The Biden Administration has committed to making cybersecurity a top priority and is now turning its focus towards energy infrastructure, which is widely recognized as vulnerable to cyberattack due to grid control systems. The U.S. Department of Energy (DOE) has launched a 100-day initiative to “advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.”

The Biden Administration is imminently expected to release an executive order that will require government contractors to notify the government in the event of a cybersecurity breach. Despite the relatively steady rise in cyberattacks and breaches over the years, and the enactment of consumer data breach disclosure laws in all 50 states, there is currently no standardized reporting requirement for government contractors. However, the Biden administration has promised executive action on the issue, largely in response to a cyberattack by a suspected nation-state against multiple software companies, including the SolarWinds software company.

Have you received a Section 889 letter yet? If not, you may soon. The letters ask whether you provide or use “covered telecommunications equipment or services.” They are part of the implementation of Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (the 2019 NDAA), which has two phases. The first phase started in August 2019 but has a limited scope. The second phase—which started in August 2020—is much broader and raises a lot more questions. This article answers some of those questions and provides some tips on how to comply.

Keep in mind that Section 889 is still being implemented. Much of this analysis is based on interim rulemakings at 85 F.R. 42665 and 85 F.R. 53126. Final rules may change based on public comments.

On December 4, 2020 the President signed into law the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”). The legislative purpose behind the new law is to ensure the highest level of cybersecurity at federal agencies by working collaboratively within government, industry and academia. Pub. L. No. 116-207 § 2.

The IoT Act mandates specific actions by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) regarding: (i) standards and guidelines for IoT devices, (ii) determining whether federal agencies adhere to those standards, and (iii) implementing guidelines to disclose security vulnerabilities to contractors and report the resolution of those vulnerabilities.

The National Defense Authorization Act for Fiscal Year 2016 [pdf], signed into law just before Thanksgiving, authorizes $607 billion for Department of Defense activities in FY 2016. It also implements a number of acquisition reforms intended to enhance the Government’s cybersecurity efforts and streamline the various acquisition regulations. Here we break down some of the key acquisition provisions:

  • Rapid acquisition authority for cyber attacks. Section 803 of the 2016 NDAA expands the DoD’s ability to employ rapid acquisition procedures established under the 2003 NDAA to enhance its ability to respond to combat emergencies and urgent operational needs. Under Section 803, rapid acquisition procedures may now be used to acquire “needed offensive or defensive cyber capabilities, supplies, and associated support services” to respond to a cyber attack that “has resulted in critical mission failure, the loss of life, property destruction, or economic effects.” The term “cyber attack” is broadly defined as including any “deliberate action to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information or programs” in those systems. Acquisitions made pursuant to this authority are subject to an aggregate limit of $200 million in each fiscal year.
  • U.S. Cyber Command acquisition authority and liability protection for cybersecurity contractors. In addition to expanding DoD’s rapid acquisition authority to deal with cyber attacks, Section 807 of the NDAA provides new limited acquisition authority for the Commander of the United States Cyber Command (CYBERCOM). The Commander is authorized to procure “cyber operations-peculiar equipment and capabilities,” subject to an annual limit of $75 million for each fiscal year from 2016 through 2021. Section 1647 of the NDAA also requires the evaluation of cyber vulnerabilities of all major DoD weapons systems by the end of 2019. Section 1641 of the NDAA provides enhanced liability protection for reporting cyber incidents for both “cleared” and “operationally critical” contractors, so long as there is no willful misconduct.

The Senate passed the Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015 [pdf] on Friday, December 12, 2014. President Obama is expected to sign the bill into law. The $585 billion bill authorizes the Pentagon’s activities in FY 2015. It includes $521.3 billion in base defense spending and another $64 billion in war funding. Here is a summary of the procurement reform initiatives that will be relevant to contractors in the upcoming year:

  1. Cyber incident reporting for operationally critical contractors. Section 1632 of the 2015 NDAA directs the Secretary of Defense to designate and notify “operationally critical contractors,” a term narrowly defined in the bill. After notification, designated contractors will be required to report to the Department of Defense each cyber incident with respect to any network or information system of such contractor. Reports must include: an assessment of the effect on the contractor’s ability to meet the Department’s contractual requirements; the technique used in the cyber incident; any sample of malicious software obtained; and a summary of information compromised by the incident. Despite the disclosure requirement, section 1632 provides for protection of contractor trade secrets and confidential commercial or financial information. It also limits the dissemination of information obtained to relevant entities and agencies.
  2. Enhanced authority for non-DOD Chief Information Officers. Section 831 of the NDAA increases the role of Chief Information Officers of agencies other than the Department of Defense. It provides that an agency may not enter into a contract for information technology unless the contract has first been reviewed and approved by the agency’s Chief Information Officer. The head of each covered agency must ensure that its Chief Information Officer has a significant role in all annual and multi-year planning, budgeting, and reporting related to information technology. The bill requires the Director of OMB and the Chief Information Officers of appropriate agencies to increase the efficiency and effectiveness of information technology investments and to develop opportunities to consolidate the acquisition and management of information technology services. The Chief Information Officer of each covered agency is directed to inventory agency data centers and develop a multi-year strategy for consolidation and optimization of those data centers inventoried.
  3. DOD CIO positions consolidated. Section 901 of the 2015 NDAA incorporates a DOD proposal to combine the positions of Chief Information Officer and Deputy Chief Management Officer into the position of Under Secretary of Defense for Business Management and Information. The new Under Secretary will oversee business operations, personnel, and IT projects and will be appointed by the President with the advice and consent of the Senate. This change will not take place until the next administration.

The need for strong security measures to protect sensitive government data from hackers has never been more intense. In November alone, the federal government suffered at least four breaches of government information systems, including cyber-attacks on the U.S. Postal Service, the State Department, NOAA, and the White House. What is not discussed in the news reports is the fact that much of the burden of securing government data falls on government contractors.

The federal government has struggled to adopt a unified and mandatory approach to contractor data security. Each agency has taken a separate approach to adopting cybersecurity requirements; for example, DoD recently adopted a new set of regulations governing unclassified “controlled technical information.” Many contractors find the current requirements confusing and at times conflicting between agencies.

In an effort to address this problem, the Department of Commerce National Institute of Standards and Technology has released a draft version of NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations [pdf].

The new NIST guidance is directed at contractors that already have information technology infrastructure and associated security policies and practices in place. The final version of Special Publication 800-171 will attempt to synthesize the federal government’s recommendations to ensure the confidentiality of sensitive federal information stored on contractor computers and information systems. Special Publication 800-171 is part of a three-part plan that will ultimately make these recommendations mandatory. The other parts include a rule proposed by the National Archives and Records Administration—currently under review by OMB—and the eventual adoption of a FAR clause that will apply the requirements of the NARA rule and Special Publication 800-171 to all federal contracts.

No one will argue against the need to improve cybersecurity. We should limit the vulnerability of critical infrastructure and preserve the confidentiality of military technology, private company trade secrets, and individual medical records.

But there is a significant cost to upgrade IT systems in order to achieve this goal. The federal government will pay more to contractors who can meet heightened cybersecurity standards. If cybersecurity standards are too restrictive, qualified contractors will be driven away from federal contracting. At a minimum, new cybersecurity standards will mean more grounds for bid protests, which are the focus of this post.

First, the background

Executive Order No. 13636 (Feb. 12, 2013) [pdf] called for agencies to publish guidance on mitigating cybersecurity threats in federal procurement. In November 2013, DOD and GSA released a joint report recommending that compliance with an established cybersecurity protocol be a precondition to the award of information and communication technology (“ICT”) contracts. See Improving Cybersecurity and Resilience through Acquisition, Final Report of the Department of Defense and General Services Administration (Nov. 2013) [pdf].

The National Institute for Standards and Technology (“NIST”) released its voluntary framework for improving cybersecurity for critical infrastructure in February 2014. See Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (Feb. 12, 2014) [pdf]. The NIST Framework is a tool for organizations seeking to measure and improve their cybersecurity programs against an ideal. The Framework encourages organizations to improve their cybersecurity programs “when such a change would reduce cybersecurity risk and be cost effective.” Compliance is not yet mandatory, but legislation incentivizing or requiring compliance should be expected.

These are by no means the first cybersecurity standards for federal contractors, but they would broaden and increase existing requirements. As they are implemented, cybersecurity requirements will certainly lead to an increase in pre- and post-award bid protests for ICT contracts. We see them principally in three areas.