By: Kenny Cantrell, Associate, Smith Currie Oles
April 9, 2024

The United States faces increasingly sophisticated cyber campaigns that threaten the public and private sectors’ security and privacy. Both sectors have been rocked by vulnerabilities. Examples include the December 2020 ransomware attack on SolarWinds that paralyzed multinational companies and permanently locked people around the world out of tens of thousands of computers, and the Colonial Pipeline ransomware attack on May 7, 2021 that halted the pipeline system’s access to servers and caused widespread fuel shortages. Government contractors will need to meet the challenges of emerging technologies and significant geopolitical events giving rise to new threats to business continuity. The ability to ensure data security is quickly becoming essential for contractors’ survival.

The Federal Acquisition Regulatory (FAR) Council has issued two proposed cybersecurity rules for Government Contractors: Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017) and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019). Both proposed rules make compliance material to eligibility for and payment under government contracts. Compliance will likely be tethered to potential False Claims Act liability.

This article provides a brief summary of both Cyber Threat and Incident Reporting and Information Sharing (FAR Case 2021-017) and Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019). We will also discuss other considerations such as potential liability under the False Claims Act.

Cyber Threat and Incident Reporting and Information Sharing.

The first proposed rule emphasizes sharing information about cyber threats and reporting cybersecurity incidents. The proposed rule includes updated definitions, requirements, and representations for government contractors’ cybersecurity. The representations and requirements would encompass preparation and maintenance of cybersecurity infrastructure and protocols, enhanced collaboration with agencies, and subcontractor compliance. We summarize some key highlights below.

New Requirements for Federal Contractors

  • Software Bill of Materials (SBOM): Federal contractors would be required to develop and maintain a Software Bill of Materials for any software used in contract performance. Other “preparation and maintenance activities” include subscribing to automated indicator sharing (AIS) capability and sharing cyber threat indicators using AIS during performance.
  • IPv6 Implementation: Federal contractors would be required to complete Internet Protocol Version 6 (IPv6) implementation activities in accordance with OMB Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (November 19, 2020).
  • CISA Engagement Services: Federal contractors would be required to allow access to and cooperate with the Cybersecurity & Infrastructure Security Agency (CISA) for purposes of threat hunting and incident response. Recommendations from CISA, however, would only be implemented after consultation with the contractor and the agency.
  • Access to Contractor Information and Systems: Contractors would be required to provide CISA, the Federal Bureau of Investigation (FBI), and the contracting agency with full access to applicable contractor information, information systems, and personnel should a security event occur.
  • Operations in a Foreign Country: The proposed rule would seek feedback on barriers for companies that operate outside the United States.
  • Security Incident Reporting Harmonization: Contractors would be required to report security incidents through the CISA incident reporting portal within eight (8) hours of discovery and to provide updates every 72 hours thereafter until the incident is eradicated or remediated.

The proposed rule would include new FAR clauses in Part 39, Acquisition of Information Technology, and two new FAR clauses to be included in solicitations and contracts that will flow down to all subcontracts.

FAR 52.239-ZZ Incident and Threat Reporting and Incident Response Requirements for Products or Services Containing Information and Communications Technology – This would relate to (1) security incident investigation, response, and reporting; (2) Software Bill of Materials; (3) sharing cyber threat indicators and defensive measures; and (4) Internet Protocol Version 6 implementation in accordance with OMB Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (November 19, 2020).

FAR 52.239-AA Security Incident Reporting Representation – This would require offerors to represent that they have (1) submitted in a current, accurate, and complete manner all security incident reports required by existing contracts; and (2) flowed down to each first-tier subcontractor requirements to (i) notify the offeror within 8 hours of discovery of a security incident and (ii) flow down requirements for reporting security incidents to lower-tier subcontractors.

The proposed rule would be included in all solicitations and contracts. Compliance with the requirements would be “material to eligibility and payment under government contracts.” This should pique all contractors’ interest because these requirements could touch every manner of government contract, and unprepared contractors could find themselves behind the eight ball, ineligible for payment.

Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems.

The second proposed rule would standardize cybersecurity contractual requirements across government agencies for unclassified information systems. It would also support the government’s efforts to identify, deter, protect against, and respond to cybersecurity threats.

A new FAR Subpart 39.X, Federal Information Systems, would require agencies to prescribe policies and procedures when acquiring services to develop, implement, operate, or maintain an information system.

The proposed rule would add two new contract clauses to be used in contracts for services to develop, implement, operate, or maintain cloud computing systems. Cloud computing is the delivery of computing services over the internet, such as servers, storage, databases, networking, software, analytics, and intelligence. Cloud computing can help businesses reduce IT costs and improve speed, productivity, performance, reliability, and security. Contractors will want to be prepared for these new responsibilities.

FAR 52.239–XX Federal Information Systems Using Cloud Computing Systems – The primary effect of this new clause is to require contractors to maintain FedRAMP-level security and privacy protections, and to continuously monitor and report activity to the government.

FAR 52.239–YY Federal Information Systems Using Non-Cloud Computing Services – This would require, among other things, that a contractor provide government personnel access to government data and government-related data on the contractor’s IT systems for auditing, inspection, and investigation purposes.

Potential liability under the False Claims Act is real.

False Claims Act liability is an ever-present risk for contractors. These new cybersecurity initiatives would add cybersecurity controls to the list of precautions necessary to avoid running afoul of the False Claims Act.

We see this happening already with the Department of Justice’s Civil Cyber-Fraud Initiative. September 2023 saw a qui tam action against Penn State University unsealed. The complaint alleges that the school failed to comply with the Department of Defense’s cybersecurity requirements. Days later, the DOJ announced a $4 million settlement with Verizon Business Network Services LLC to resolve failures to meet cybersecurity requirements for Verizon’s secure public internet connections to federal agencies.

These examples reflect the focus on cybersecurity compliance as a potential hook for False Claims Act liability. Cybersecurity-related False Claims Act enforcement is likely to surge. Regulators will want to encourage contractors to emphasize meeting cybersecurity requirements, and whistleblowers will certainly search for potential cybersecurity-related claims.

Word to the wise for contractors.

The public comment period for both proposed rules closed on February 2, 2024. At this time, there is no indication of when the finalized rules will be issued. However, the proposed rules could lead to a mass reorganization of agency-specific cyber requirements for federal contractors, and a compliance process that could be long and expensive.

In sum, this compliance landscape requires continuous monitoring. Outside counsel can be instrumental in tackling the complicated web of cybersecurity requirements contractors will face. Contractors can expect to see more enforcement actions from both the government and whistleblowers and should take the opportunity to bolster their compliance efforts now.

The author acknowledges and appreciates the significant contributions of Smith Currie Oles legal intern Cortland Walton in developing this article.

Smith Currie Oles provides comprehensive legal services to all parts of the construction industry across the nation. Smith Currie lawyers have decades of demonstrated success representing construction and federal government contracting clients “From the Ground Up,” including procurement matters, contract formation and negotiation, project administration, claims prosecution and, when necessary, in litigation and other forms of dispute resolution.

The views expressed in this article are not necessarily those of ConsensusDocs. Readers should not take or refrain from taking any action based on any information without first seeking legal advice.