By: Tom Barletta, Partner, Steptoe & Johnson LLP; Andy Irwin, Partner, Steptoe & Johnson LLP; & George Leris, Associate, Steptoe & Johnson LLP 
The Obama Administration has been placing greater emphasis on cybersecurity, including enhancing cybersecurity in the acquisition process. Three of the Administration’s more recent acquisition-related cybersecurity initiatives are discussed below.
On November 18, 2013, the DoD issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to impose requirements on contractors for safeguarding unclassified controlled technical information and reporting cyber incidents. On the same day, the DoD also issued an interim rule amending the DFARS to address supply chain security in defense contracts.
More recently, DoD and GSA issued a DoD/GSA Final Report on Improving Cybersecurity through Acquisition (“Final Report”) on January 23, 2014, containing recommendations for incorporating cybersecurity standards into the acquisition planning and contract administration process. Those recommendations include instituting baseline cybersecurity requirements; improving cybersecurity training; developing common cybersecurity definitions; instituting a federal cyber risk management strategy; purchasing from trusted sources; and increasing government accountability for cyber risk management.
Safeguarding Unclassified Controlled Technical Information and Cyber-Reporting
The DoD final rule and implementing contract clause require a contractor who has access to or stores specific types of unclassified “controlled technical information” (UCTI) to implement certain security standards on its computer network and to report certain “cyber incidents” to DoD. See DFARS 304.734 & 252.204-7012; see also DFARS 204.703 & 212.301 (regarding solicitations and contracts for commercial items).
The final rule focuses on “controlled technical information” — technical data or computer software, as defined in DFARS 252.227-7013, with a “military or space application” that is subject to restrictions on access, release, and disclosure. In that regard, the final rule references DoD Directive 5230.24, Distribution Statements on Technical Documents, and (in the preamble) DoD Directive 5230.25, Withholding of Unclassified Technical Data from Public Disclosure. Those Directives generally deal with sensitive but unclassified information that is subject to marking or release restrictions under U.S. government programs. Much of this information is likely to be subject to US export control laws and regulations, such as the International Traffic in Arms Regulations (ITAR).
The final rule imposes three requirements on covered contractors. First, the contractor must implement certain National Institute of Standards and Technology (NIST) information systems security procedures in its project, enterprise, or company-wide unclassified information technology (IT) systems to safeguard any UCTI transiting through or residing in its systems. These procedures, drawn from NIST Special Publication 800-53, Revision 4, cover fourteen areas of information security: access control; awareness and training; accountability; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; physical and environmental protection; program management; risk assessment; system and communications protection; and system and information integrity. Alternate methods of protection may be proposed to the contracting officer, and additional security measures beyond the NIST procedures may be required if warranted by risk/vulnerability assessments. (In assessing the security of their information systems, contractors may also want to consult NIST’s more recent Framework for Improving Critical Infrastructure Cybersecurity, issued February 12, 2014, which sets out guidelines and processes for cybersecurity activities.)
Second, the final rule requires a contractor to report to DoD any cyber incident affecting UCTI within 72 hours of the incident. The definition of “cyber incident” in the final rule suggests that the term refers to a deliberate use of a computer network (e.g., “hacking”) that has an adverse effect on a contractor’s IT system or the controlled information residing therein. However, the final rule may have a broader reach, as a “cyber incident” potentially includes “an adverse release” of controlled information (as set forth in DFARS 252.204-7012(d)(1)(xi)), or “any other activities … that allow unauthorized access to the Contractor’s unclassified information system” (as set forth in DFARS 252.204-7012(d)(2)(ii)). The final rule also requires contractors to further investigate any cyber incident after making the initial report and to cooperate in any DoD damage assessment activities, including responding to requests for information. The reporting requirement also presents difficult parallel export control considerations for contractors, as they may need to consider whether they should file parallel self-disclosures with the export control regulatory agencies.
Third, the final rule’s implementing contract clause contains a mandatory flow-down to all tiers of subcontractors, including subcontracts for commercial items. The final rule does not have a separate definition of “subcontractor,” and vendors that may not consider themselves subcontractors may therefore be subject to the new rule. For example, the preamble to the final rule states that the requirements can apply to Internet service providers (ISPs) and cloud computing vendors. Furthermore, if a subcontractor experiences a cyber incident, the final rule requires reporting to the Government through the prime contractor.
Interim Rule on Supply Chain Security
This interim DFARS rule grants “pilot” authority to the DoD (to expire on September 30, 2018) to place certain restrictions on IT supply chains in procurements related to “national security systems” (NSS) (as defined in 44 U.S.C. § 3542(b) and including contractor NSS) in order to address supply chain risks. Specifically, the interim rule authorizes certain DoD officials to exclude a source for IT, whether acquired as a service or a supply, based on certain qualification standards and evaluation procedures. It also authorizes them to withhold consent to a subcontract with a particular source or to direct a contractor to exclude a particular source from consideration for a subcontract.
The interim rule includes a new solicitation provision and a new contract clause to be included in all solicitations and contracts for the development or delivery of information technology that are subject to the DFARS (i.e. not just for contracts for NSS). Those provisions give notice that DoD may use its exclusionary authority to manage supply chain risk. Contractors are required to flow the clause down to “all subcontracts involving the development or delivery of any information technology, whether acquired as a service or supply.” (Emphasis supplied).
The interim rule includes required procedures for taking exclusion actions and indicates that those actions should only be taken where there is a significant supply chain risk to a particular NSS. However, the interim rule does not define what qualification standards or evaluation factors DoD officials will use in considering supply chain risks and excluding supply sources. Furthermore, the interim rule gives DoD authority to limit disclosure of information relating to an exclusion decision and provides that exclusion actions are not reviewable in a bid protest.
DoD/GSA Final Report on Improving Cybersecurity through Acquisition
The Final Report aims to establish a unified framework to address federal cyber risk management and acquisition processes, and, in particular, cyber risk in the acquisition of commercial information and communications technology. (The report essentially indicates that it does not apply to acquisition practices applicable to NSS.)
The Final Report identifies several important cyber risk related issues affecting federal acquisitions and provides joint DoD/GSA recommendations on mitigating them at the federal level. At the top of the list are intentional or unintentional vulnerabilities that may originate inside or outside the supply chain and that increase acquisition risk. The risk of counterfeit, “grey market,” or other nonconforming information and communications technology (ICT) components entering the supply chain also adds to the risk in supply chain management. Finally, the operations, maintenance, and disposal stages of ICT present significant risks when supervised and/or implemented improperly. The Final Report indicates that a well-functioning and unified federal acquisition approach to such issues is likely to reduce cybersecurity threats to the supply chain.
To that end, the Final Report lays out six recommendations which aim to reduce exposure to cyber risks in commercial ICT federal acquisition. First, it recommends establishing “baseline cybersecurity requirements” as a condition to awarding a contract. These requirements encompass basic protections (e.g., up-to-date virus protection and software patches; multiple-factor logical access; and methods ensuring data confidentiality). These elements should be expressed as technical requirements, should include performance measures, and should be clearly described in the relevant contract language. Importantly, the Final Report recommends that these requirements be harmonized with other FAR/DFARS rulemaking actions, including the final rule discussed above on safeguarding UCTI in contractor IT systems.
Second, the Final Report recommends increasing the cybersecurity awareness of employees and entities working in federal acquisitions. It suggests that additional education and training opportunities for employees involved with procurements will lead to improved cyber risk management, including avoiding over-specifying and under-specifying cybersecurity requirements. It also proposes a government-sponsored cybersecurity outreach campaign targeting stakeholders to familiarize them with the government’s changing approach to cybersecurity.
Third, the Final Report recommends adopting common cybersecurity definitions for federal acquisitions. It acknowledges that use of unclear and inconsistently defined terms in the acquisition process (e.g., “cyber incident”) can lead to “suboptimal outcomes for both cybersecurity and efficiency” (e.g., changes, terminations, and disputes). The Final Report suggests that having common definitions will reduce problems with, inter alia, cost estimates, solicitations, and award and performance of contracts.
Fourth, the Final Report recommends the creation of an interagency “federal acquisition cyber risk management strategy,” which would identify a unified hierarchy of cyber risks. It would also develop “overlays” – i.e., sets of flexible, risk-based security requirements and supplemental guidance – that an agency would tailor to its specific needs for specific products. These overlays would, for example, identify different security controls depending on the type of acquisition. As the Final Report highlights, different acquisitions present different risks and warrant different cybersecurity responses. Applying standardized but flexible overlays across market segments and similar types of procurement will, according to the report, reduce the costs and duration associated with an acquisition.
Fifth, the Final Report emphasizes that federal agencies must ensure that the goods they acquire are authentic, as any sub-par goods drastically increase cyber risks (e.g., they may arrive with outdated security updates or be built to different specifications). Accordingly, it recommends identifying “trusted sources” – manufacturers, suppliers, or resellers – and taking other steps, appropriate to the particular acquisition, to qualify vendors as a means of reducing cyber risks. Further, the Final Report indicates that in cases involving the greatest risk, it may be appropriate for government personnel to determine whether a vendor is a “trusted source,” while in other, less risky cases, attestation of company conformance to external standards may be appropriate.
Finally, the Final Report recommends increasing government accountability for cyber risk management. It details a four-step process for holding key personnel accountable for upholding cyber standards. Specifically, such personnel should: 1) address cyber risks when a requirement is being defined and a solution is being analyzed; 2) certify that the solicitation includes the appropriate cybersecurity requirements; 3) participate in the proposal evaluation process and provide for consideration of cybersecurity in best value decisions; and 4) continue to monitor post-award performance to the extent relevant to cybersecurity.
The three actions discussed above reflect the increased emphasis on cybersecurity in the acquisition process and indicate that cybersecurity will be an important issue for the acquisition community going forward.
 Tom Barletta is a partner in the Washington D.C. office of Steptoe & Johnson LLP and head of the Government Contracts group. Andy Irwin is a partner in its International Regulation & Compliance and Government Contracts group. George Leris is an attorney in Steptoe’s Privacy and Cybersecurity practice.