Set-Aside Alert: Federal Market Intelligence for Small Business
Jun 23 2023

Column: Get Ready! Enhanced Cybersecurity Standards for Federal Contractors Coming Soon

By Kevin Barnett, counsel, and Daniel Figuenick III and Ustina Ibrahim, associates, PilieroMazza PLLC

      For years, the federal contracting community has closely monitored the oft-delayed Defense Dept.’s (DOD) Cybersecurity Maturity Model Certification (CMMC) program—now on iteration 2.0—as the forefront of cybersecurity obligations. That focus may soon be expanding.

      Contractors outside of DOD’s orbit may soon be subject to similar requirements. Civilian agency contractors should start preparing now for an enhanced cybersecurity proposed rule to prevent gaps or issues when the regulation goes into effect—not to mention it just being good business to have robust cybersecurity protection.

Background

      The Federal Acquisition Regulatory Council (FAR Council) announced it was preparing a proposed rule to standardize cybersecurity requirements for unclassified Federal Information Systems across federal agencies in accordance with the directives in Executive Order 14028, Improving the Nation’s Cybersecurity.

      Although the FAR Council has not provided any timeline for the publication of the proposed rule, it is anticipated that it will come out later this year.

      Even before the proposed rule is released, federal contractors will need to be cognizant of their cybersecurity obligations—from the existing FAR and agency supplement requirements to more robust obligations being contemplated for the near future.

      As with all proposed rules, contractors will have at least 60 days to comment and, assuming it is not issued as an interim rule, will be afforded additional time before the rule goes into effect.

Existing Civilian Agency Cybersecurity Obligations

      Currently, federal contractors must protect Federal Contract Information (FCI) using the 15 minimum security controls described in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.

      That clause broadly defines FCI, meaning that the 15 basic security controls apply to most, but not all, of the federal contracting community. These include requirements to limit system access to authorized individuals, escort and monitor visitors, and update malicious code protection mechanisms when new releases are available.

     The 15 controls, however, set the floor of cybersecurity requirements and can hardly be described as a robust or even adequate cybersecurity program. For example, they do not address breach notification obligations or the longer list of requirements within the National Institute of Standards and Technology’s (NIST) Special Publication 800-171 (rev. 2) (NIST SP 800-171), which will likely be center-stage in DOD’s CMMC 2.0 program.

      Beyond FAR 52.204-21, some civilian agencies already impose additional agency-specific cybersecurity obligations, which suggest, if not outright require, that contractors meet the full NIST 800-171 standards. For instance, the Homeland Security Dept. (DHS) has its own set of cybersecurity requirements. Those regulations instruct DHS contractors to complete a Cyber Hygiene Assessment and require compliance with the cybersecurity standards and protections in NIST 800-171 and NIST 800-172.

      Similarly, as PilieroMazza attorneys recently discussed, the Veterans Affairs Dept. (VA) announced new cybersecurity regulations to protect its sensitive data and health information. Among other things, the VA’s regulations impose near real-time reporting requirements for security incidents and other varying degrees of cybersecurity requirements depending on the contract type. They also mandate adequate security controls, which suggests compliance with NIST 800-171.

Anticipated FAR Cybersecurity Obligations

      Although PilieroMazza attorneys anticipate that other civilian agencies will impose increasingly stringent cybersecurity obligations on contractors on a contract-by-contract or agency-by-agency basis, the contemplated government-wide proposed FAR rule is expected to impose a robust set of cybersecurity obligations across all agencies.

      While the FAR Council has not released a draft yet, the rule’s abstract states that it will implement Sections 2(i) and 8(b) of President Biden’s Cybersecurity Executive Order, which identify the need for standardized cybersecurity requirements.

      These standardized obligations are likely to mirror the enhanced cybersecurity requirements contemplated under CMMC and NIST 800-171. Indeed, Ms. Stacy Bostjanick—Chief Defense Industrial Base Cybersecurity, Deputy Chief Information Officer for Cybersecurity (DCIO(CS)), Office of the Chief Information Officer—recently suggested that, like the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clauses, the new government-wide FAR obligations would impose the controls listed in NIST 800-171 and require third-party confirmation.

      Contractors should take this opportunity to get ahead of these new regulations. While most contractors likely are already meeting at least some of the NIST 800-171 controls, it is unlikely that a company which has not specifically prepared for compliance meets the full set of requirements. Most companies, especially small businesses, struggle to fully comply with NIST 800-171 standards without outside assistance. For example, many popular commercial email systems do not meet all the necessary DOD requirements for handling Controlled Unclassified Information (CUI). As a result, companies would either need to change email systems or incorporate a patchwork of individual fixes to meet the controls.

      Beyond the business and contracting advantages to improved cybersecurity, contractors will also be able to provide more detailed and robust comments to the new proposed rules when issued if they understand their current cybersecurity situation. Being able to articulate specific compliance issues and costs is key to crafting persuasive and effective comments on the proposed rules, which would then shape any final rules.

Key Takeaways

      Considering the government’s continued focus on cybersecurity, federal contractors in both the civilian and defense sectors should proactively assess and improve their cybersecurity hygiene. With broad cybersecurity regulations on the horizon for both defense and civilian contractors, now is a good time to start thinking about:

  • Meeting Current Requirements: Ensuring compliance with any applicable agency-specific cybersecurity obligations and FAR 52.204-21, the Basic Safeguarding clause, through both internal reviews and external, third-party audits.
  • Making Sure Partners Meet Current Requirements: Flowing down cybersecurity provisions and confirming subcontractors are complying with cybersecurity obligations as required by agency supplements and general best practices.
  • Determining Scope of Future Compliance: Auditing current practices against NIST 800-171 and NIST 800-172 standards, as updated, which will likely serve as a foundation for any forthcoming cybersecurity regulations and may already be required. (UPDATE - More information on DOD CMMC rules at https://tinyurl.com/mp9w3ey2 and https://tinyurl.com/yzrj9fdz)

    If you have questions about where to start, compliance requirements, or any other cybersecurity related questions, please contact Kevin Barnett, Daniel Figuenick, or Ustina Ibrahim, the authors of this client alert, or another member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy practice groups. This column has been reprinted with permission.

          View PilieroMazza’s June 6, 2023, webinar “Cybersecurity for Government Contractors: Success Through Compliance Readiness” at https://tinyurl.com/bde2su9k.





    Copyright © 2023 Business Research Services Inc. All rights reserved.

    Set-Aside Alert is published by
    Business Research Services, Inc.