After years of gestation, a final rule was promulgated May 16 to mandate minimum cyber defenses for companies that do government business. This Federal Acquisition Regulations rule – "Basic Safeguarding of Contractor Information Systems" 81 Fed. Reg. 30439 – seeks to protect the confidentiality and integrity of federal contract information (FCI) that resides in or transits through any contractor information system.
Why this rule?
Agencies are required by the Federal Information Security Modernization Act to protect federal information. The obligation extends to nonpublic information provided by the federal government to its contractors. Unauthorized cyber extraction of federal information has caused genuine injury to national interests. Using this new FAR provision, every federal agency now will require minimum cyber protection for FCI.
What is federal contract information?
FCI is defined as nonpublic information that is "provided by or generated for the government" under a contract to "develop or deliver a product or service to the government," but not including information provided to the public or simple transactional information. The new rule protects "information systems" rather than carefully defined information types, however. If a contractor processes stores or transmits any FCI, its information system becomes subject to 15 basic safeguards. Where a contractor information system hosts FCI and other, non-federal information, the rule applies to the whole system.
The new FAR has been in the works since March 2010 – but the subject is complex. Even "basic" protection of federal information involves many variables and requires resolution of tough questions. This FAR rule of general application will affect thousands of companies, and must align with other federal cyber initiatives.
Who is affected?
The new "Basic Safeguarding" contract clause, at FAR 52.204-21, is to be included in every solicitation and resulting contract. It applies below the simplified acquisition threshold, to subcontractors for commercial items, and to services (if there is FCI) – but not to the acquisition of commercial-off-the-shelf items. Flowdown is required: The clause applies to any contract or subcontract that involves receipt, use or generation of FCI, where a contractor information system figures into these functions.
How is protection achieved?
The federal government has a surfeit of cyber controls. Those designed for federal information systems, e.g., NIST SP 800-53, are too costly and burdensome to impose on contractors to protect FCI. Instead, the new rule calls out 15 safeguards, each derived from the 2015 NIST Special Publication, SP 800-171.
(Created for commercial organizations, SP 800-171 states 109 safeguards and applies to federal information that is more sensitive than FCI.)
How will industry respond?
Last summer, the Department of Defense issued the ‘Network Penetration’ Defense Federal Acquisition Regulation Supplement that requires defense suppliers to apply the SP 800-171 safeguards to protect what DoD calls covered defense information. The DFARS met with strong industry resistance because of uncertainty over costs and how to comply. Similarly, many companies likely will object to the new FAR, even though it invokes only 15 cyber safeguards and these are performance standards – goals – rather than prescriptive design standards. The new rule presumes that the required safeguards are consistent with "prudent business practices." Even so, this FAR has been issued because trust in market forces and customary business practices only goes so far.
Are there problems in the final rule?
Predictably, as this rule addresses a highly complex area and applies so broadly, there are drafting issues. One issue is whether companies must apply the minimum safeguards to federal information received before the rule. Companies may be uncertain how to reconcile varying federal cyber controls for different types of protected federal information. Some may ask if it the government’s responsibility, in every case, to designate FCI, or whether contractors are to make their own decisions.
Although expressed at a high level, the rule identifies the 15 safeguards as requirements. The rule provides no method to establish compliance. In the absence of stated process, is self-assessment and good faith sufficient? Some companies will have questions as to how much to do, when, with what test, or what validation, and so forth. The regulation concerns contractor information systems and the intent is minimally sufficient security. The government should assure contractors that they can satisfy the new rule without having to embrace the various, often exacting NIST standards developed for federal information systems or for more sensitive federal information types. For FCI, contractors should be encouraged to use sound commercial practices and methods.
This new rule is a major development. While self-described as "just one step in a series of coordinated regulatory actions being taken or planned" to strengthen federal protections of contractor information systems, it reflects a government decision to use its regulatory power and acquisition authority to mandate minimum cyber defenses for all private companies that do government business.
Robert Metzger is a shareholder at law firm Rogers Joseph O'Donnell PC, where he's a member of the Government Contracts Practice Group and head of the Washington, D.C., office.