Many contractors we talk to believe that cybersecurity requirements are exclusively a concern of contractors working with DoD or with highly-classified, top secret projects. While perhaps true to some degree in the past, that belief is now outdated. In recent years, the federal government has steadily expanded the reach of cybersecurity requirements imposed on contractors and contracts of all shapes and sizes, and that trend is expected to continue.
As an example, one year ago this month the government implemented a new FAR clause, FAR 52.204-21, entitled "Basic Safeguarding of Covered Contractor Information Systems." This clause, which went into effect on May 16, 2016, brings basic cybersecurity requirements to many federal contracts. The clause is supposed to be inserted in every solicitation and contract where a contractor or subcontractor at any tier may have federal contract information ("FCI") residing in or transitioning through its information system. FCI is broadly defined as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public." Prime contractors are also expected to flow down the clause to subcontracts at all tiers that may have FCI in their systems, including subcontracts for commercial items (but not subcontracts for commercial off-the-shelf items).
One year later, many contractors are likely finding FAR 52.204-21 in their contracts for the first time. At first blush, the requirements imposed by this clause appear fairly basic, almost common-sense. For example, they include limiting access to your information system and identifying system users. And the clause does envision fairly basic measures to safeguard FCI. That said, what may be basic and easy to accomplish for more established and experienced firms could be more challenging for the uninitiated and for smaller businesses. And, regardless of your organizational sophistication, compliance requires documented processes and procedures and the fortitude to stick to them.
The first step is awareness – knowing when this contract clause is in your contract and should be flowed down to subcontractors. This requires an understanding of whether there is FCI in your system or in your subcontractors' systems, which means you need to talk with your subcontractors about it. And, after that determination is made, you have to execute the appropriate technical procedures to comply with the clause, as well as the necessary contractual mechanisms to ensure your subcontractors comply. This will need to be a coordinated effort between contracting and IT. You should also have clear written internal procedures and make compliance part of your code of ethics and employee handbook, so you can demonstrate your good-faith efforts should anyone ever question your compliance.
It is also important to understand that FAR 52.204-21 may be only the tip of the iceberg in terms of contractual requirements for cybersecurity compliance. Many clients have been surprised to learn – after contract award – the full scope of the cyber requirements imposed on them through their contract. There may be a tendency to assume the requirements do not apply to you given the nature of your contract. But if the requirement is in your contract, it applies to you. And compliance may be onerous and expensive. You could seek a modification or equitable adjustment to your contract, but the better approach is to understand and discuss the cyber requirements with your customer at the proposal stage. That way, you and your customer can avoid being caught off guard by requirements that may have been inappropriately included in the contract or that were not accounted for in the price proposal. As they say, knowing is half the battle.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.