On October 22, 2015, President Obama vetoed the National Defense Authorization Act (“NDAA”) for Fiscal Year 2016. In so doing, the President cited concerns over provisions keeping in place the sequester, preventing reforms to modernize the military, and making it more difficult to close Guantanamo Bay. As a result, the acquisition provisions of the 2016 NDAA are likely to remain unchanged in the version of the bill that is ultimately passed. Those provisions will have a significant impact on government contractors. This post addresses some of the key cybersecurity aspects of the bill.
Section 1641: Liability Protections for Cyber Reporting
The amendment proposed by Rep. Mac Thornberry in May 2015 providing liability protection to DoD contractors for properly reporting cyber incidents on their networks and information systems is included in the final bill. This provision amends Section 941 of the 2013 NDAA and 10 U.S.C. § 391 to provide liability protection for covered contractors and operationally critical contractors complying with cyber incident reporting requirements. Specifically, “no cause of action shall lie or be maintained in any court against any [cleared defense contractor or operationally critical contractor], and such action shall be promptly dismissed, for compliance with this section that is conducted in accordance with the [cyber incident reporting] procedures.” The liability protection does not extend to contractors who engage in willful misconduct “in the course of complying with” the reporting requirements. Willful misconduct is “an act or omission that is taken . . . intentionally to achieve a wrongful purpose; knowingly without legal or factual justification; and in disregard of a known or obvious risk that is so great as to make it highly probable that the harm will outweigh the benefit.” When alleging willful misconduct, the plaintiff bears the burden of proving the willful misconduct by “clear and convincing evidence” and that the alleged misconduct “proximately caused injury to a plaintiff.”
This is largely a positive step for contractors subject to cybersecurity reporting requirements; however, it is unclear exactly how this will interact with the DoD’s recent interim rule for safeguarding covered defense information and cyber incident reporting, which also amends Section 941 of the 2013 NDAA to impose significant burdens on defense contractors. The interim rule does not currently include any liability protection. It is also not clear how this amendment will interact with the Cybersecurity Information Sharing Act currently proceeding through Congress.
Section 803: Expansion of Rapid Acquisition Authority
The bill also allows for the Secretary of Defense to make a written determination to utilize the rapid acquisition procedures of 10 U.S.C. § 2302 (note) to “eliminate a deficiency that as the result of a cyber attack has resulted in critical mission failure, the loss of life, property destruction, or economic effects, or if left unfilled” will lead to the same. The bill defines cyber attack as any “deliberate action to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information or programs resident in or transiting these systems or networks.” Under the Rapid Acquisition Authority, the goal is for a contract to be awarded within 15 days of the Secretary’s determination, and the aggregate amount of contracts issued under these procedures is not to exceed $200,000,000 in a fiscal year. Thus, the addition of cyber attacks as a justification for use of the Rapid Acquisition Authority presents an opportunity for contractors who provide “offensive or defensive cyber capabilities, supplies, and associated support services.”
Section 890: Cloud Strategy for DoD
This section directs the DoD Chief Information Officer (“CIO”) to develop a cloud strategy for the Secret Internet Protocol Network (“SIPRNet”). The strategy is to address: (1) security requirements; (2) the compatibility of applications currently utilized within the SIPRNet with a cloud computing environment; (3) how a SIPRNet cloud capability should be competitively acquired; and (4) how a SIPRNet cloud system for the DoD would achieve interoperability with the cloud systems of the intelligence community operating at the Sensitive Compartmented Information level. Also included in this directive is an instruction for the CIO to “assess the feasibility and advisability of imposing a minimum set of open standards for cloud infrastructure, middle-ware, metadata, and application programming interfaces to promote interoperability, information sharing, ease of access to data, and competition across all of the cloud computing systems and services utilized by components of the [DoD].” This cloud strategy has the potential to result in new opportunities for contractors who provide cloud computing services.