August 13, 2015
The Office of Management and Budget (OMB) on August 11, 2015 released proposed guidance, available here, that takes “major steps” towards – and likely accelerates – the implementation of cybersecurity requirements in federal acquisitions. OMB’s proposed guidance directs agencies, among other things, to impose security controls and reporting requirements on contractor information systems on which Controlled Unclassified Information (CUI) is present. OMB provides some fairly clear guidance in this area for contractors seeking to understand their future cybersecurity compliance obligations.
OMB indicates its guidance will be finalized in the fall of 2015. In light of the high profile breach of the Office of Personnel Management and the National Archives and Records Administration’s (NARA) related efforts to address the identification and safeguarding of CUI, contractors should expect OMB’s proposed guidance to be adopted in short order, with applicable cyber requirements appearing in government contracts shortly thereafter.
OMB’s proposed guidance would apply to federal acquisitions of products or services that involve creation, collection, or access to CUI. Although not directly addressed in the OMB guidance, the identification of CUI likely would be governed by NARA’s CUI registry and NARA’s proposed rule issued on May 8, 2015 that seeks to establish a government-wide policy for designating and controlling CUI, previously discussed here. OMB’s guidance suggests that its requirements would be broadly applicable to both prime contractor and subcontractor information systems containing CUI in connection with federal acquisitions. Contractors accordingly should expect OMB’s guidance to have broad applicability to virtually any federal contract involving CUI.
OMB’s guidance would impose different security controls and reporting requirements on contractors depending on whether a contractor’s information system is: (1) a system operated on behalf of the government; or (2) an internal system used to provide a product or service for the government that processes CUI “incidental” to the product or service being provided. OMB’s guidance generally would apply more stringent requirements to contractor information systems operated on behalf of the government than to strictly internal systems. This highlights the importance of contractors understanding what type of system they are operating in connection with particular contracts to avoid the over-imposition of cybersecurity requirements.
With respect to security controls, a company operating an information system involving CUI on behalf of the government would be required to comply with the security controls contained in NIST Special Publication (SP) 800-53, specifically at the “moderate” baseline subject to agency tailoring. Conversely, a company operating internal information systems involving CUI would not be subject to the NIST 800-53 controls. Instead, the contractor would be expected to comply with the recently promulgated security controls contained in NIST SP 800-171, issued in final on June 18, 2015 and previously discussed here.
Although overlap exists between the security controls contained in these two NIST standards, contractors operating internal information systems on which CUI may be present should seek to ensure the appropriate NIST SP 800-171 controls are included in contracts, and be prepared to push back on government attempts to impose additional security controls based on NIST SP 800-53. The notable exception to this would be DOD’s Unclassified Controlled Technical Information (UCTI) requirements, DFARS 252.204-7012, which were adopted in November 2013 and include more than fifty controls from NIST SP 800-53.
With regard to cyber incident reporting, the OMB guidance recognizes that cyber incident reporting requirements for the two types of contractor information systems would be “similar.” The primary difference between the two types of systems would be that a contractor’s reporting obligation for internal contractor information systems would be limited to incidents in which CUI is impacted, rather than extending to every cyber incident, as it would for systems operated on behalf of the government.
The OMB guidance also notes that agency contract language should include “specific government remedies” if a contractor fails to report cyber incidents as required by its contract. Although OMB’s guidance does not provide insight into these remedies, potential remedies may include payment withholding, award fee reductions, or negative past performance evaluations. Prescribing remedies would give the government an enforcement tool to ensure cyber compliance in addition to the more drastic termination, debarment, or fraud remedies.
OMB’s proposed guidance suggests that key stakeholders would “immediately” begin working to apply the OMB guidance and that agencies also would “continuously review contract activities” to ensure compliance with OMB’s guidance. Yet OMB also states, consistent with NARA’s proposed rule, that the FAR Council will be amending the FAR to include contract clauses that implement requirements related to CUI. Accordingly, it remains an open question whether OMB’s guidance would be adopted by agencies individually on a contract-by-contract basis, or whether the guidance requirements would be implemented only after promulgation of a FAR rule. In the interim, contractors should carefully review their upcoming contract awards to assess whether the government has sought to include any new or changed obligations relating to security controls and cyber incident reporting.
It also is unclear how or if the OMB guidance requirements would be harmonized with the recommendations and implementation efforts of the DOD/GSA Joint Working Group, which issued its report in January 2014 containing six recommendations aimed at improving cybersecurity in federal acquisitions. It is similarly unclear whether OMB’s guidance would be reconciled with the DOD UCTI requirements. Absent such harmonization efforts, contractors may continue to find themselves subject to conflicting compliance obligations in this area.
OMB is seeking industry feedback on its proposed guidance by September 10, 2015, in anticipation of issuing final guidance by the fall of 2015. OMB is seeking comments through the GitHub platform, and contractors should strongly consider submitting comments either independently or through industry trade associations.
Dentons attorneys will continue monitoring key developments in this area. Additionally, starting in the fall of 2015, Dentons attorneys will be presenting on behalf of the Public Contracting Institute a six-part series addressing the detailed compliance requirements and best practices relating to government contracts cybersecurity. More information about the series can be found here or by contacting the authors of this client alert.