Cybersecurity

Supply chain protection has been a point of increasing emphasis by the Government and especially the Department of Defense (“DoD”) in recent years. In no area is this more true than ensuring that Government systems and equipment are free from counterfeit electronic parts, which can raise both security and defect concerns. DoD has accordingly taken several steps, many of which have taken the form of new requirements on contractors, to protect against counterfeit electronic parts. With these requirements has come added risk to contractors that even mistakenly use counterfeit electronic parts in the goods they sell to DoD. However, an August 30, 2016, final DFARS rule (implemented at DFARS 2301.205-71) seeks to mitigate some of this risk by allowing contractors to recover the cost of replacing counterfeit electronic parts, as long as the contractor has taken certain steps to prevent the use of such parts.
Continue Reading DOD Final Rule Addresses Source Requirements and Cost Recovery for Use of Counterfeit Electronic Parts

On May 16, 2016, the Department of Defense (DoD), General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) issued a Final Rule to add a new subpart and contract clause (52.204-21) to the Federal Acquisition Regulation (FAR) “for the basic safeguarding of contractor information systems that process,
Continue Reading Final FAR Cyber Rule Issued on Basic Safeguarding Requirements

The Department of Homeland Security (DHS) has announced a public meeting on May 18-19, 2016 to “discuss and debate Voluntary Standards for Information Sharing and Analysis Organizations (ISAOs) as they relate to” Executive Order 13691 (EO 13691).  See 81 Fed. Reg. 23506.  This meeting follows the recent passage of the Cybersecurity Act of 2015, which offers liability protections in Title 1 of the Act for the voluntary sharing of cyber threat information and “defensive measures” among federal and non-federal entities.  These liability protections may help with the expansion of ISAOs.

EO 13691 requires the Secretary of DHS to “strongly encourage” the development of ISAOs. The purpose of these ISAOs is to facilitate the voluntary sharing of information to allow for collaboration and response to cyber incidents “in as close to real time as possible.”  EO 13691 at § 1.  These ISAOs are intended to be broader than the Information Sharing and Analysis Centers (ISACs) that have developed on a sector-specific basis.  Indeed, the White House Fact Sheet on EO 13691 recognizes that an ISAO also could be an individual company sharing information with customers or partners.
Continue Reading DHS Seeking Input on ISAO Standards

IT-acquisition reform remains an area of ongoing concern for Federal agencies and government contractors.  Indeed, as we previously discussed, the GAO has added IT Acquisitions and Operations to its bi-annual list of programs it identifies as posing a high risk for fraud, waste, abuse, and mismanagement.  Strengthened by Congress’ passage in December 2014 of the Federal IT Acquisition Reform Act (“FITARA”), OMB has implemented several initiatives to reduce redundancy, improve efficiencies, and lower costs with respect to the government’s procurement and management of IT resources.  However, a recent Department of Defense (“DoD”) Inspector General (“IG”) audit report analyzing one of these initiatives—the Federal Data Center Consolidation Initiative (“FDCCI”)—highlights the ongoing struggle that Federal agencies face when seeking to execute IT reform.  If DoD responds to this audit report by stepping up its efforts under FDCCI, one result could be increased opportunities for IT contractors offering cloud computing and other services.
Continue Reading DoD IG Report Reveals Ongoing Struggles in IT-Acquisition Reform

President Obama unveiled on February 9, 2015 his Cybersecurity National Action Plan (CNAP), a combination of near-term actions and long-term strategy to “enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.”  In conjunction with this unveiling, President Obama signed two Executive Orders directed at improving cybersecurity in both the private and public sectors by establishing groups of informed stakeholders to issue federal recommendations for cybersecurity and privacy protections.
Continue Reading President Obama Unveils Cybersecurity National Action Plan and Issues Two New Executive Orders Directed at Cybersecurity and Privacy Concerns

On December 30th, the Department of Defense (DoD) issued a Second Interim Rule amending its “Network Penetration Reporting and Contracting for Cloud Services” Interim Rule and giving contractors until December 31, 2017 to implement the NIST SP 800-171 security controls required by DFARS 252.204-7012.  As noted in a previous post, DoD has already issued a class deviation giving covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of NIST SP 800-171.  This current revision appears responsive to significant concerns raised by Industry about compliance with the remaining safeguarding requirements imposed overnight on contractors on August 26, 2015.

The Second Interim Rule imposes the following changes:
Continue Reading Time Is On My Side: DoD Hears Industry Concerns – Additional Time Provided to Implement Security Controls Under New Cyber Rule

On October 22, 2015, President Obama vetoed the National Defense Authorization Act (“NDAA”) for Fiscal Year 2016.  In so doing, the President cited concerns over provisions keeping in place the sequester, preventing reforms to modernize the military, and making it more difficult to close Guantanamo Bay.  As a result, the acquisition provisions of the 2016 NDAA are likely to remain unchanged in the version of the bill that is ultimately passed.  Those provisions will have a significant impact on government contractors.  This post addresses some of the key cybersecurity aspects of the bill.
Continue Reading NDAA — Vetoed for Now — Includes New Cybersecurity Provisions for Contractors

Last week, on October 8th, DoD issued a class deviation replacing DFARS 252.204-7012 and 252.204-7008 with revised clauses that give covered contractors up to nine (9) months (from the date of contract award or modification incorporating the new clause(s)) to satisfy the requirement for “multifactor authentication for local and network access” found in Section 3.5.3 of National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

We previously reported on the August 26th Department of Defense (DoD) interim rule that greatly expanded the obligations imposed on defense contractors for safeguarding “covered defense information” and for reporting cybersecurity incidents involving unclassified information systems that house such information. The interim rule, which went into effect immediately, requires non-cloud contractors to comply with several new requirements, including those in DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” and DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls.”  While the class deviation is a welcome development for contractors that may struggle to implement the NIST SP 800-171 requirements for multifactor authentication, the deviation: (1) requires contractors to notify the government if they need more time to satisfy those requirements, and (2) does not alter any other aspect of the August 26th interim rule.
Continue Reading DoD Issues Targeted Class Deviation Updating Recently Adopted Cybersecurity DFARS Clauses

Last month, we discussed Information Technology (IT) Schedule 70, one of the largest contract vehicles administered by the U.S. General Services Administration (GSA). GSA now is evaluating whether Schedule 70 should be made more accessible to certain small contractors, new IT providers, and other, similarly situated firms.
Continue Reading GSA Seeks Input on Eliminating IT Schedule 70’s Two-Year Experience Requirement

Earlier this month, the U.S. General Services Administration (GSA) issued a Request for Information (RFI) soliciting feedback from industry on ways to improve the sale of Cybersecurity and Information Assurance (CyberIA) products and services through GSA’s multi-billion dollar Information Technology (IT) Schedule 70. IT Schedule 70 currently features more than a dozen special item numbers (SINs) for cybersecurity products and services.[1] In this RFI, GSA seeks information from vendors and federal agencies as to whether it should consolidate those SINs into one major CyberIA grouping, with a number of categories and subcategories.

The RFI, which was issued just weeks before the Office of Management and Budget (OMB) and the Department of Defense (DoD) announced their own major cybersecurity initiatives, is yet another sign that the federal government is leveraging its substantial buying power to harden government and contractor networks against cyber intrusions. As explained below, GSA’s appeal to industry offers a tremendous opportunity for the private sector to help shape the way commercial CyberIA products and services are bought by and sold to the government.
Continue Reading GSA Seeks Industry Input on Cybersecurity Schedule Offerings