In 2016, the dangers presented by an increasingly digital world were clearly on display. A cyber-attack using an army of Internet of Things devices interfered with the operations of major commercial websites. And the Presidential Election was plagued with allegations of state-sponsored hacking (for which the Obama Administration just issued sanctions against the Russian government). Cybersecurity threats are unlikely to cede the spotlight in the coming year. Indeed, Marcel Lettre, the Under Secretary of Defense for Intelligence, recently described cybersecurity as a “political, economic, diplomatic and military challenge” that is “evolving and growing more acute over time.”

As repositories for some of the Government’s most sensitive data, contractors face increasing regulatory obligations for protecting that data from cyber-attacks. Highlighted below are some of the key regulatory actions taken in 2016 to further this goal. And, as described further below, cybersecurity remains a focus for the Government for the year ahead.

Some of the key cybersecurity regulatory actions impacting contractors in 2016 included the following:

  • On February 9, 2016, President Obama unveiled his Cybersecurity National Action Plan and two related Executive Orders, to “enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.”
  • On May 16, 2016, the FAR Council issued a final rule adding a new subpart and contract clause (FAR 52.204-21) “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.” The rule imposes a set of fifteen “basic” security controls on any contractor information system on which “Federal contract information” transits or resides.
  • On September 14, 2016, the National Archives and Records Administration (NARA) issued a final rule, effective November 14, 2016, establishing cross-agency practices and procedures for safeguarding, disseminating, controlling, destroying, and marking Controlled Unclassified Information (CUI). This rule should pave the way for a final FAR clause imposing contractor safeguarding requirements (and potentially cyber incident reporting requirements) across the Government.
  • On October 4, 2016, the Department of Defense (DoD) issued a final rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors who have “agreements” with DoD. The final rule also highlighted DoD’s desire to encourage greater participation in the voluntary Defense Industrial Base (DIB) cybersecurity information sharing program.
  • On October 21, 2016, DoD issued a long-awaited, immediately effective final rule and revised DFARS clause imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information.
  • On October 31, 2016, DoD issued a proposed rule calling for the revocation of access to export-controlled technical data, and for an initial disqualification process, where DoD has “substantial and credible information” of export-control violations by a contractor. As noted above, DoD contractors are required to report cyber incidents involving covered defense information. Because such incidents could involve export-controlled information, contractors have expressed concern that DoD may treat a reported incident as a basis for disqualification. Hopefully, DoD will clarify this point in its final rule.
  • On December 20, 2016, the National Institute of Standards and Technology (NIST) published Revision 1 to Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The Revision added a new requirement for a System Security Plan (SSP), which must “describe the boundary of [a contractor’s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.” If requested, contractors must provide the Government with their SSP and any associated Plans of Action and Milestones (POA&Ms). Federal agencies may treat the submitted SSPs and POA&Ms as critical inputs when deciding whether to award a contract that requires the processing, storing, or transmitting of CUI on a contractor information system.[1]

The Government’s emphasis on cybersecurity, demonstrated by all of the above, is also apparent in the Fiscal Year 2017 National Defense Authorization Act (NDAA), which contains a number of cybersecurity-focused provisions. Those that could impact contractors include the following:

  • Section 1647 requires the Secretary of Defense to establish an advisory committee to make recommendations for the protection of information and networking systems of cleared defense contractors, including “information security and cyber defense policies, practices, and reporting relating to the unclassified information and networking systems of defense contractors.” The advisory committee will be composed of six to ten members appointed by the Secretary of Defense, split between Government and industry representatives.
  • Section 1650 requires the Secretary of Defense to submit “a plan for the evaluation of the cyber vulnerabilities of the critical infrastructure of the Department of Defense.”
  • Section 1652 requires the Director of the Defense Information Systems Agency (DISA), in consultation with the Pentagon’s acquisition chief, to develop a “strategic plan” for evaluating and testing the “adequacy” of efforts to protect DISA’s IT systems. The plan must be updated every two years.
  • Section 1654 requires the Secretary of Defense to report to Congress and the President on the “military and nonmilitary options” for deterring cyber-attacks by foreign governments and terrorist organizations. Among the topics to be covered is an integrated priorities list for cyber-deterrence capabilities. That portion of the report could give contractors insight into DoD procurement priorities as the Department seeks to shore up its cybersecurity capabilities and defenses.

The Government’s concerns about cybersecurity are also on display in its Unified Agenda of Federal Regulatory and Deregulatory Actions, published on December 23, 2016. In it, DoD lists cybersecurity as one of its six priorities and indicates an intent to continue sharpening its regulatory requirements in this area, including further revisions to its final rule on participation in the DIB cybersecurity program. Although the exact parameters of the changes DoD will make remain to be seen, DoD’s significant emphasis on protecting its own systems should serve as a warning to contractors about the importance that DoD and other Government agencies place on protecting Government information, whether it is stored on Government or contractor systems.

[1] Notably, Rev. 1 of NIST SP 800-171 also indicated that the anticipated FAR clause that will apply to all federal contractors protecting CUI (and that presumably will impose the NIST SP 800-171 safeguarding requirements Government-wide) will not be issued until 2017.

Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well-established defense contractors, and she provides compliance advice across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018 the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China,
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Co-Chair of the ABA Public Contract Law Section’s Procurement Division, and a former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.