Information Technology Contracting

In recent years, both Congress and the Executive Branch have made it a key priority to mitigate risks across the industrial and innovation supply chains that provide hardware, software, and services to the U.S. government (“USG”).  Five of these initiatives are likely to result in new regulations in 2020, each of which could have a fundamental impact on companies’ ability to sell Information, Communications, Technology and Services (“ICTS”) to the USG.  As these requirements begin to take hold, federal contractors should be mindful of potential impacts and the actions that can be taken now to prepare for increased USG scrutiny of their supply chain security.

Continue Reading Contractor Supply Chain Readiness – An Update on Expected Regulatory Changes

On May 5, 2020 the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management (“SCRM”) Task Force (the “Task Force”) released a six-step guide for organizations to start implementing organizational SCRM practices to improve their overall security resilience.  The Task Force also released a revised fact sheet to further raise awareness about ICT supply chain risk.

As we discussed in a prior blog post on the Task Force’s efforts, the Task Force was established in 2018 with representatives from 17 different defense and civilian agencies, as well as industry representatives across the information technology and communications sectors.  The Task Force has been focused on assessing and protecting security vulnerabilities in government supply chains.  Since its founding, the Task Force has inventoried existing SCRM efforts across the government and industry, including some of the practices reflected in the guide.
Continue Reading CISA Information and Communications Technology Supply Chain Risk Management Task Force Releases New Guidance on Security Resiliency

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s (“CISA”) Information and Communications Technology (“ICT”) Supply Chain Risk Management Task Force (the “Task Force”) recently released an interim public report.  The report describes the Task Force’s efforts over the last year to develop recommendations for securing the Government’s supply chain, and outlines the potential focus areas of each of its working groups over the coming year.

The report is particularly relevant to contractors that either sell ICT related products or services to the Government, or that sell ICT related components to higher tier contractors, because it offers some insight into potential supply chain risk management (“SCRM”) best practices, as well as requirements that the Government may seek to impose on contractors in the future.
Continue Reading CISA Information and Communications Technology Supply Chain Risk Management Task Force Issues New Interim Report

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive controlled defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts.  Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements.  This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks.  And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems.  Other requiring activities are reportedly requiring similar enhanced protections and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.

As discussed in our blog post here, on November 6, 2018, DoD issued final guidance to requiring activities for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST SP 800-171.  Since then, DoD has issued two additional guidance memoranda; one that includes contractual language for implementing the November 6th guidance and one that explains how DoD plans to confirm contractor oversight of subcontractor compliance with the DFARS 252.204-7012 cybersecurity requirements.

Continue Reading DoD Continues to Up the Ante on Cybersecurity Compliance for Contractors

On the eve of the recent government shutdown over border security, Congress and the President were in agreement on a different issue of national security:  mitigating supply chain risk.  On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the “SECURE Technology Act”) (P.L. 115-390).  The Act includes a trio of bills that were designed to strengthen the cyber defenses of the Department of Homeland Security (“DHS”) and mitigate supply chain risks in the procurement of information technology.  The last of these three bills, the Federal Acquisition Supply Chain Security Act, should be of particular interest to contractors that procure information technology-related items related to the performance of a U.S. government contract.  Among other things, the bill establishes a Federal Acquisition Security Council, which is charged with several functions, including assessing supply chain risk.  The bill also gives the Secretary of DHS, the Secretary of the Department of Defense (“DoD”) and the Director of National Intelligence authority to issue exclusion and removal orders as to sources and/or covered articles based on the Council’s recommendation.  Finally, the bill allows federal agencies to exclude sources and/or covered articles deemed to pose a supply chain risk from certain procurements.

Continue Reading Jumping to Exclusions: New Law Provides Government-Wide Exclusion Authorities to Address Supply Chain Risks

The Department of Defense (DoD) recently issued final guidance for requiring activities to assess contractors’ System Security Plans (SSPs) and their implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  A draft of this guidance was made available for public comment in April 2018.  As noted in our original post on the draft guidance, DoD’s proposed approach raised significant questions as to what role offerors’ implementation of the security controls in NIST SP 800-171 would play in bid protests, contract performance, and post award audits.  In the memorandum accompanying the final guidance documents, DoD notes that it has incorporated comments it received from the public into the final guidance.  As discussed below, although the DoD has addressed some of the issues raised by the April draft, the final guidance adds some additional concerns and ambiguities.

Continue Reading DoD Issues Final Guidance for Assessing Contractor Compliance with NIST SP 800-171

The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018. The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information and Cyber Incident Reporting” Clause (DFARS Cyber Rule), overviews of NIST Special Publications (SPs) 800-171 and 800-171A, and Government expectations when evaluating contractor implementation of the 800-171 security controls.
Continue Reading NIST to Host CUI Information Security Workshop

Late last month, the National Institute of Standards and Technology (“NIST”) released a set of documents for public comment that are aimed at helping contractors assess and implement compliance with NIST Special Publication (“SP”) 800-171, which establishes the standards for protecting Covered Defense Information (“CDI”), among other forms of Controlled Unclassified Information (“CUI”). First, NIST released an updated final public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Second, NIST released templates for contractor system security plans (“SSPs”) and plans of action and milestones (“POAMs”). While neither finalized nor mandatory, these documents provide useful guidance for contractors struggling with SP 800-171 compliance.

Continue Reading NIST Seeks to Assist Contractors in Assessing SP 800-171 Compliance

On February 7, the Department of Defense (DoD) awarded REAN Cloud a contract valued at up to $950 million to work with defense agencies to migrate existing applications to commercial cloud solutions. The award is of significant relevance to efforts currently underway in connection with the upcoming DoD Joint Enterprise Defense Infrastructure—or “JEDI”—procurement. However, the award is also important in a broader context in that it was issued as a follow-on production contract to an “other transaction” (OT) prototype agreement awarded on an expedited basis by DoD’s Defense Innovation Unit Experimental organization (DIUx). The award, therefore, reflects DoD’s increased comfort with issuing high-value production contracts following preliminary work with DIUx under OT prototype agreements.

Continue Reading DIUx and DoD Other Transaction Prototype Agreements: The Fast Track to DoD Funding

On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government. As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of executive agencies’ IoT devices by directing executive agencies to include specified clauses in contracts for the acquisition of Internet-connected devices.

The bill’s provisions leverage federal purchasing power to improve the security of IoT devices by requiring, among other things, IoT device, software, and firmware providers to certify compliance with specified security controls and requirements relating to vulnerability patching and notification, unless such contractors otherwise satisfy one of three waiver requirements.

The bill also directs the Department of Homeland Security (“DHS”) to issue vulnerability disclosure guidance for government contractors; to amend federal statutes, specifically the Computer Fraud and Abuse Act (“CFAA”) and Digital Millennium Copyright Act (“DMCA”), to exempt certain “good faith” activities by cybersecurity researchers; and require all executive branch agencies to maintain an inventory of IoT devices active on their networks.

In addition, the statute would require the Director of the Office of Management and Budget (“OMB”) to issue guidelines to federal agencies consistent with the bill within 180 days of enactment.

The bill is summarized below.
Continue Reading A Summary of the Recently Introduced “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”