In 2016, the dangers presented by an increasingly digital world clearly were on display. A cyber-attack using an army of Internet of Things devices interfered with the operations of major commercial websites. And the Presidential Election was plagued with allegations of state-sponsored cybersecurity hacking (for which the Obama Administration just issued sanctions against the Russian government). Cybersecurity threats are unlikely to cede the spotlight in the coming year. Indeed, Marcel Lettre, the Undersecretary of Defense for Intelligence recently described cybersecurity as a “political, economic, diplomatic and military challenge” that is “evolving and growing more acute over time.”
As repositories for some of the Government’s most sensitive data, contractors face increasing regulatory obligations for protecting that data from cyber-attacks. Highlighted below are some of the key regulatory actions taken in 2016 to further this goal. And, as described further below, cybersecurity remains a focus for the Government for the year ahead.
Some of the key cybersecurity regulatory actions impacting contractors in 2016 included the following:
- On February 9, 2016, President Obama unveiled his Cybersecurity National Action Plan and two related Executive Orders, to “enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.” See analysis here.
- On May 16, 2016, the FAR Council issued a final rule adding a new subpart and contract clause (52.204-21) to the FAR “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.” The rule imposed a set of fifteen “basic” security controls for contractor information systems upon which “Federal contract information” transits or resides. See analysis here.
- On September 14, 2016, the National Archives and Record Administration (NARA) issued a final rule, effective November 13, 2016, establishing cross-agency practices and procedures for safeguarding, disseminating, controlling, destroying, and marking Controlled Unclassified Information. This rule should pave the way for a final FAR clause that will impose contractor safeguarding requirements (and potentially cyber incident reporting requirements) across the Government. See analysis here.
- On October 4th, the Department of Defense (DoD) issued a final rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors who have “agreements” with DoD. The final rule also highlighted DoD’s desire to encourage greater participation in the voluntary Defense Industrial Base cybersecurity information sharing program. See analysis here.
- On October 21, 2016, DoD issued a long-awaited, immediately-effective final rule and revised DFARS clause imposing safeguarding and cyber-incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information. See analysis here.
- On October 31, 2016, DoD issued a proposed rule calling for the revocation of access to and implementation of an initial disqualification process for contractors where DoD has “substantial and credible information” of export-control violations. As noted above, DoD contractors are required to report cyber incidents involving covered defense information. Because such incidents could involve export-controlled information, contractors have expressed concern that DoD may use them as a basis for disqualification. Hopefully, DoD will clarify this point in its final rule.
- On December 20, 2016, the National Institute of Standards and Technology (NIST) published Revision 1 to Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The Revision added a new control requiring a System Security Plan (SSP), which must “describe the boundary of [a contractor’s]information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.” If requested, contractors will be required to provide the Government with its SSP and any associated Plans of Action and Milestones (POAM). Federal agencies may consider the submitted SSPs and POAMs as critical inputs when deciding whether to award a contract that requires the processing, storing, or transmitting of CUI on a contractor information system.
The Government’s emphasis on cybersecurity demonstrated by all of the above also is apparent in the Fiscal Year 2017 National Defense Authorization Act (NDAA), which contains a number of cybersecurity-focused provisions. These provisions, which could impact contractors, include the following:
- Section 1647 requires the Secretary of Defense to establish an advisory committee to make recommendations for the protection of information and networking systems of cleared defense contractors, including “information security and cyber defense policies, practices, and reporting relating to the unclassified information and networking systems of defense contractors.” The advisory committee will be composed of six to ten members appointed by the Secretary of Defense, split between Government and industry representatives.
- Section 1650 requires the Secretary of Defense to submit “a plan for the evaluation of the cyber vulnerabilities of the critical infrastructure of the Department of Defense.”
- Section 1652 requires the Director of the Defense Information Systems Agency (DISA), in consultation with the Pentagon’s Acquisitions Chief, to develop a “strategic plan” for evaluating and testing the “adequacy” of efforts for protecting DISA’s IT systems. This plan must be updated every two years.
- Section 1654 requires the Secretary of Defense to report to Congress and the President on the “military and nonmilitary options” for deterring cyber-attacks by foreign governments and terrorist organizations. Among the topics in the report would be an integrated priorities list for cyber-deterrence capabilities. This portion of the report could provide contractors with insight into DoD procurement priorities as the Department seeks to shore up its cybersecurity capabilities and defenses.
The Government’s concerns about cybersecurity are also on display in its Unified Agenda of Federal Regulatory and Deregulatory Actions, published on December 23, 2016. In it, DoD maintains cybersecurity as one of its six priorities and indicates an intent to continue to sharpen its regulatory requirements in this area, including further revisions to its final rule regarding participation in its Defense Industrial Base program. Although the exact parameters of the changes that DoD will make in the cybersecurity area remain to be seen, DoD’s significant emphasis on protecting its own systems should provide a warning to contractors about the importance that DoD and other Government agencies place on the protection of Government information – whether stored on Government or contractor systems.
 Notably, Rev. 1 of NIST SP 800-171 also indicated that the anticipated FAR clause that will apply to all federal contractors in protecting CUI (and presumably will impose NIST SP 800-171 safeguarding requirements Government-wide) will not be issued until 2017.