Cybersecurity

The need for strong security measures to protect sensitive government data from hackers has never been more intense. In November alone, the federal government suffered at least four breaches of government information systems, including cyber-attacks on the U.S. Postal Service, the State Department, NOAA, and the White House. What is not discussed in the news reports is the fact that much of the burden of securing government data falls on government contractors.

The federal government has struggled to adopt a unified and mandatory approach to contractor data security. Each agency has taken a separate approach to adopting cybersecurity requirements; for example, DoD recently adopted a new set of regulations governing unclassified “controlled technical information.” Many contractors find the current requirements confusing and at times conflicting between agencies.

In an effort to address this problem, the Department of Commerce National Institute of Standards and Technology has released a draft version of NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations [pdf].

The new NIST guidance is directed at contractors that already have information technology infrastructure and associated security policies and practices in place. The final version of Special Publication 800-171 will attempt to synthesize the federal government’s recommendations to ensure the confidentiality of sensitive federal information stored on contractor computers and information systems. Special Publication 800-171 is part of a three-part plan that will ultimately make these recommendations mandatory. The other parts include a rule proposed by the National Archives and Records Administration—currently under review by OMB—and the eventual adoption of a FAR clause that will apply the requirements of the NARA rule and Special Publication 800-171 to all federal contracts.

No one will argue against the need to improve cybersecurity. We should limit the vulnerability of critical infrastructure and preserve the confidentiality of military technology, private company trade secrets, and individual medical records.

But there is a significant cost to upgrade IT systems in order to achieve this goal. The federal government will pay more to contractors who can meet heightened cybersecurity standards. If cybersecurity standards are too restrictive, qualified contractors will be driven away from federal contracting. At a minimum, new cybersecurity standards will mean more grounds for bid protests, which are the focus of this post.

First, the background

Executive Order No. 13636 (Feb. 12, 2013) [pdf] called for agencies to publish guidance on mitigating cybersecurity threats in federal procurement. In November 2013, DOD and GSA released a joint report recommending that compliance with an established cybersecurity protocol be a precondition to the award of information and communication technology (“ICT”) contracts. See Improving Cybersecurity and Resilience through Acquisition, Final Report of the Department of Defense and General Services Administration (Nov. 2013) [pdf].

The National Institute for Standards and Technology (“NIST”) released its voluntary framework for improving cybersecurity for critical infrastructure in February 2014. See Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (Feb. 12, 2014) [pdf]. The NIST Framework is a tool for organizations seeking to measure and improve their cybersecurity programs against an ideal. The Framework encourages organizations to improve their cybersecurity programs “when such a change would reduce cybersecurity risk and be cost effective.” Compliance is not yet mandatory, but legislation incentivizing or requiring compliance should be expected.

These are by no means the first cybersecurity standards for federal contractors, but they would broaden and increase existing requirements. As they are implemented, cybersecurity requirements will certainly lead to an increase in pre- and post-award bid protests for ICT contracts. We see them principally in three areas.

It should come as no surprise that the contracting policy changes in the National Defense Authorization Act for 2014 [pdf] reflect a continued focus on reducing spending. But they also encourage collaboration between the government and the private sector and emphasize the need for innovative contracting strategies and greater flexibility in the procurement process, which may benefit contractors in the long run. Here is a breakdown of a few of the highlights:

  • Extension of restrictions on contractor services spending. Section 802 of the 2014 NDAA amends Section 808 of the 2012 NDAA to extend the temporary limit on the amounts obligated for DOD spending on contract services in FY 2014 to the amount requested for contract services in the President’s budget for FY 2010. It also requires that the heads of each Defense Agency continue the 10-percent-per-fiscal-year reductions in spending for staff augmentation contracts and contracts for inherently governmental functions for FY 2014, and requires that any unimplemented amounts of the 10 percent reductions for FY 2012 and FY 2013 be implemented in FY 2014.

The United States Defense Department has published a final cybersecurity regulation concerning unclassified “controlled technical information.” See 78 Fed. Reg. 69,273 (Nov. 18, 2013) [pdf]. The objective of the regulation is to require contractors to maintain “adequate security” on unclassified information systems on which CTI may reside or transit and to implement detailed reporting requirements for “cyber incidents.” The final rule is narrower than the proposed regulation, which sought to safeguard unclassified DoD information generally. See 76 Fed. Reg. 38,089 (June 29, 2011) [pdf].

Definition of CTI

The final rule includes a new DFARS provision (DFARS 204.7300) and a DFARS contract clause (DFARS 252.204-7012), which impose new security measures and reporting requirements on contractors and subcontractors whose work involves unclassified “controlled technical information resident on or transiting through contractor information systems.”

The rule broadly defines CTI as “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” DFARS 204.7301.

The term “technical information” is further defined to mean “recorded information, regardless of the form or method of the recording, of a scientific or technical nature . . . .” See DFARS 252.227-7013. Examples of technical information include research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

While this is a broad definition, comments on the new rule limit its application to information requiring controls pursuant to DoD Instruction 5230.24 [pdf] and DoD Directive 5230.25 [pdf]. Contractors should not have to devote resources simply to the task of determining whether information is CTI or not.