Cybersecurity 101: Government Contracts
MARCH 7, 2013 GOVERNMENT CONTRACTS AND CYBERSECURITY CLIENT ALERT
This Alert provides only general information and should not be relied upon as legal advice. This Alert may be considered attorney advertising under court and bar rules in certain jurisdictions.

CYBERSECURITY 101: GOVERNMENT CONTRACTORS

For more information, contact your Patton Boggs LLP attorney or the authors listed below.

MARY BETH BOSCO
mbbosco@pattonboggs.com
NORMA KRAYEM
nkrayem@pattonboggs.com

If you are a contractor with the federal government, and if you are not already subject to regulations governing the security of your computer systems, you soon will be. On February 12, 2013, President Obama issued an Executive Order titled “Improving Critical Infrastructure Cybersecurity.” Section 8(e) of the Order gives DoD, GSA, and the Federal Acquisition Regulatory Council 120 days to make recommendations on the “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” The recommendations must also address steps to harmonize existing procurement regulations related to cybersecurity.

In order to assist in understanding how the actions outlined in the Executive Order could impact companies doing business with the federal government, this Client Alert summarizes the major cyber regulations already focusing on government contractors. It covers the existing GSA regulations, the proposed amendments to the Federal Acquisition Regulation (“FAR”) and the Defense FAR Supplement (“DFARS”), and the 2013 National Defense Authorization Act (“NDAA”) provisions. In addition to establishing minimum standards for cyber protection, these provisions offer opportunities for companies either to obtain procurement advantages or to sell their products and services to the government.

GSA’S CYBERSECURITY REQUIREMENTS

GSA released its cyber regulations in January 2012. They apply to GSA contracts for IT supplies, services or systems which involve physical or electronic access to non-classified government information supporting GSA’s mission. The basic requirements are:
• IT Security Plan: Covered contractors must submit an IT security plan to their contracting officers within 30 days of contract award. The plan must include a continuous monitoring program to detect cyber intrusions.
• Security Authorization: Within six months of award, contractors must submit either a self-certification to, or a third-party validation of, compliance with the National Institute of Standards and Technology (“NIST”) Special Publication 800-37.
PattonBoggs.com Cybersecurity 101: Government Contractors 1
• Notice and Access: GSA contractors must notify GSA each time an employee with access to GSA information leaves or is hired. GSA is also entitled to access to contractor and subcontractor personnel for the purpose of inspection, investigation or audit relating to cybersecurity regulation.
DOD PROPOSED REGULATIONS
DoD proposed cyber regulations in 2011. Its most recent regulatory agenda projects the regulations to be finalized this year. The regulations cover non-public, non-classified DoD information resident on or transitioning through a contractor’s systems. The proposed rules divide covered information into two subsets, basic and enhanced information, with different protections applied to each.
• Basic Information: This is non-public information (i.e., information not releasable under the Freedom of Information Act) used or generated in support of a DoD activity. Absent DoD’s determination that information is releasable, and with certain exceptions for audits and investigations, the proposed rules preclude contractors from releasing basic level information outside of their organizations or to employees or subcontractors who do not have a right to know the information.
  In addition to this release restriction, the proposed rules identify specific, minimum protections for even “basic” information. These are:
  o Contractors cannot process government information on publicly-accessible computers or on company computers that do not have access control.
  o Contractors’ electronic transmission systems must provide “the best level of security and privacy available, given facilities, conditions, and environment.”
  o Voice data may only be transmitted when the user has reasonable assurance that access is limited only to authorized recipients.
  o When information is not being accessed, it must be protected by at least one physical barrier (e.g., lock or password).
  o Contractors must have procedures to clear information from devices before they are released or discarded.
  o Contractors must have minimum intrusion protections, including regularly updated malware protection and prompt application of security-related patches and upgrades.
• Enhanced Information: The second category of covered information is “enhanced” information, which includes information designated by DoD as critical, information subject to the export control laws, information subject to DoD-specific FOIA directives, information designated as controlled information (such as “Official Use Only”), personal identification information, and certain technical information. To meet the enhanced protection requirements, a contractor’s security program will need to comply with the specific standards set forth in NIST Special Publication 800-53. Importantly, DoD’s proposal mandates reporting of cyber incidents affecting enhanced DoD information within 72 hours of discovery.
PROPOSED FAR REGULATIONS
A cyber amendment is also slated for the FAR. Once final, the new FAR clause will apply to contracts exceeding the simplified acquisition threshold ($150,000), including commercial acquisitions. The clause must be flowed down to subcontracts at any tier. The new clause, which will be in FAR Part 52.204, identifies seven basic safeguards for contractor information systems through which nonpublic information generated by or for the government either resides or transits. The basic safeguards identified in the proposed FAR amendment are similar to the ones governing DoD “basic” information:
• Government information may not be processed on computers without access control or located in public areas. Similarly, government information cannot be posted on a public website. If posted to a website, the site must control access either through user identification or password, user certificate or other technical means, and must provide protection via use of security technologies.
• Electronic information may be transmitted only on systems that utilize technologies and processes that provide the best level of security and privacy available, given facilities, conditions and threat level.
• Transmission by voice or fax may only occur when the sender has a reasonable assurance that access is limited to authorized recipients.
• Systems must be protected by at least one level of physical barrier and one level of electronic barrier, such as lock and key in conjunction with a password, when not in the direct control of the individual user.
• Media that is being released or discarded must be cleared and sanitized.
• The contractor must provide at least the following means of intrusion protection: current and regularly updated malware protection, such as anti-virus software and anti-spyware software; and prompt application of security-related upgrades and patches.
• Information may only be transferred to those subcontractors with a contractual need to have the information and who employ the safeguards described in the clause.
These proposed requirements will require covered contractors to review not just their hardware and software systems, but their facilities, employee practices, record-keeping systems, and subcontract relationships in order to ensure compliance.
THE NATIONAL DEFENSE AUTHORIZATION ACT
The 2013 NDAA instructs the Secretary of Defense to establish procedures requiring certain government
contractors to report to DoD when one of their networks or information systems is “successfully
penetrated.” Contractors covered by this provision are those holding security clearances. The procedures
are due within 90 days of the NDAA’s enactment, which was January 2, 2013.
The NDAA requires the reports to include: (1) a description of the technique or method used in the system
penetration; (2) if discovered and isolated, a sample of the malicious software; and (3) a summary of
information that was potentially compromised by the penetration. While contractors handling classified
information already are required to report unauthorized access to classified information, the NDAA’s new
reporting regime covers a broader spectrum of incursion as it presumably will cover external penetration of
any of a cleared contractor’s computer systems. Under the new procedures, DoD will be able to obtain
access to the contractor’s equipment or information for the purposes of conducting a forensic analysis,
subject to appropriate protections for trade secrets, other confidential business information, and personal
identification information.
In addition to establishing mandatory reporting of cyber incursions by cleared contractors, the 2013 NDAA
contains opportunities for companies providing software, systems, and system engineering to DoD. For
example, Section 932 requires DoD to develop a strategy to acquire open-architecture, next-generation,
host-based cybersecurity tools and equipment in time for inclusion in the FY 2015 budget. Similarly, the
agency is to develop a baseline software assurance policy for all major software systems, and it must prepare
an analysis of available large-scale software database or data analysis tools and determine whether to acquire
such tools from the private sector.
CONCLUSION
This year will bring significant Congressional and executive branch cybersecurity activity. For government
contractors, the proposed FAR and DFARS regulations provide a roadmap to prepare for the requirements
that are certain to come. There will also be business opportunities. President Obama’s Executive Order
envisions procurement preferences for companies with robust cybersecurity policies and procedures in
place. The NDAA signals new DoD system standards that will require the supply of innovative software
and hardware solutions to the agency.
For additional information, please contact:
Mary Beth Bosco
mbbosco@pattonboggs.com
202.457.6420

Norma Krayem
nkrayem@pattonboggs.com
202.457.5206