This week’s episode covers GSA schedule, cybersecurity, and FCA news, and is hosted by partners Peter Eyre and David Robbins. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts lawyer or executive should be without.
With even DoD officials acknowledging cyber threats ranging from exfiltrating our top military secrets (“the terabyte of death” per DISA’s Director) to seizing control of SECDEF’s car to sinking Navy vessels with critical infrastructure attacks, both federal agencies and government contractors are in the pressure cooker. For contractors, bad cybersecurity not only opens the door to cyber espionage and privacy breaches followed by costly clean-up and lost trade secrets, but now – with the latest DoD guidance – may put critical contract awards at risk. Join us this Thursday, May 17, at 1:00 PM Eastern, as Crowell & Moring attorneys Paul Rosen, Evan Wolff, David Bodenheimer, and Michael Gruden lead a discussion highlighting recent developments impacting the volatile privacy and cybersecurity sector. Specific topics include:
- Navigating Government Contracts Information Security and Privacy Risks: Updates to NIST Cybersecurity Standards, Pending FAR Cyber Clauses, and DFARS Safeguarding Clause New Developments
- Trekking the Internet of Things (IoT) Cyber Frontier
- Managing Effective Cyber Incident Response: Preparing Incident Response Plans, Practicing Tabletop Exercises, and Executing Effective Cybersecurity Defense
This week’s episode covers False Claims Act items, GAO protests, and cybersecurity and is hosted by partners Peter Eyre and David Robbins. Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts lawyer or executive should be without.
We are still accepting questions for Ask Us Anything! Have questions you’d like answered anonymously? Want our thoughts in general on a particular topic? Send in questions and we’ll do our best to feature them in a future podcast. Email your questions to David at firstname.lastname@example.org. Disclaimer: we cannot give legal advice unless and until we have an engagement letter in place.
Please join us for an evening of conversation and cocktails while our panelists from the commercial, industrial, government contracting, higher education, and insurance arenas discuss critical emerging cyber security issues. From the dark web, to cyber pitfalls, cybersecurity policy and legislation, and how to ensure a secure future, our panel discussion will explore the rapidly expanding world of cybersecurity and debate best practices for protecting yourself, your clients, and your business.
When: Thursday, May 18, 2017
Address: 1001 Pennsylvania Avenue, NW
Washington, DC 20004
For more information, register here.
We have already seen many changes from the new administration and it seems more and more are happening every day. What more can you expect and how will this affect government contractors? The team of Crowell & Moring lawyers from our Government Contracts, Labor & Employment, White Collar, Corporate and Privacy & Cybersecurity practice groups discussed this topic during a 90-minute webinar this week. Areas covered included: update on executive orders and other labor and employment issues, costs, claims, commercial item contracting, cyber and privacy issues, compliance, data rights and bid protests (plus many more). If you were not able to participate, we have posted the presentation and the recorded session on our webpage here. As important changes and developments occur, we will continue to provide updates. The best way to stay informed is through these free resources – Bullet Points, blog posts and Podcasts – subscribe today!
Companies of all sizes are increasingly subject to the practical and legal implications of today’s cybersecurity environment, and contractors are no exception. On May 26, 2016, at 11:00 AM Eastern, Crowell & Moring attorneys David Bodenheimer, Evan Wolff, and Kate Growley will lead a discussion highlighting some of the past year’s most significant cyber contracting developments, what trends are worth watching for the future, and how contractors can craft a comprehensive approach to get ahead of it all. Specific topics include:
- Revisions to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- Publication of FAR 52.204-21, Basic Safeguarding of Contractor Information Systems
- Managing the “Internet of Things”
- Approaches to cyber lifecycle management, including compliance, supply chain risk, and information sharing
Check back in the coming days for more updates as we count down to OOPS on May 25th (in DC)! You can also check for updates on Twitter using the hashtag #cm2016oops, and at crowell.com/OOPS.
Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors. Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts.
It seeks to do so primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate. Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors. First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls. Second, they must report various cyber incidents to the DoD within 72 hours of their discovery. These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application.
The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI). CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule. But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.” Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes. To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Another notable point of expansion would affect subcontractors. Under the current DFARS Safeguarding Clause, subcontractors suffering a cyber incident must report to the pertinent prime contractor, who then submits the required report to the DoD. Subcontractors do not report directly to the DoD under the current rule. The Interim Rule would continue to require subcontractors to report cyber incidents to their primes, but it would also require subs to submit the required report directly to the DoD, creating the potential for inconsistent reports from the prime and sub regarding the same cyber incident.
Other key provisions of the DFARS Safeguarding Clause, however, would remain the same. For example, the Interim Rule would continue to apply to all solicitations and contracts, including those for commercial items. The government would also remain required to protect any proprietary information that a contractor reports pursuant to the Interim Rule. The reporting timeline of 72 hours would also remain the same, which the Interim Rule dubs “rapid reporting.” Additionally, and importantly, the Interim Rule would continue to recognize the probability that even information systems with “adequate security” may still suffer a cyber incident. That is, the Interim Rule would explicitly state that the fact that a contractor has suffered a cyber incident and submitted a corresponding report would not necessarily mean that the contractor had failed to comply with the Clause’s broader cybersecurity requirements.
The Interim Rule likely does not come as a surprise to many. Congress passed provisions to the National Defense Authorization Acts of 2013 and 2015 that called for the regulations that the Interim Rule now seeks to implement. The Interim Rule has thus been a long time coming, but that the DoD chose to publish it now seems appropriate. The executive branch has been implementing a whirlwind of cyber regulations specific to federal contractors, all in an effort to stem the nation’s cyber vulnerabilities. Just last week, the Office of Management & Budget released proposed cybersecurity guidance that could lead to further amendments to the Federal Acquisition Regulation (FAR).
Comments on the Interim Rule, which separately addresses cloud computer services and is discussed here, are due on or before October 26, 2015.
Contractors felt the squeeze from budget cutbacks and increased compliance requirements during 2013. As government agencies continue to operate under constrained budgets, competition for the federal contracts will remain intense. What should contractors expect in 2014? Join our Crowell & Moring team on Thursday, January 9 at 1:00 pm EST for a free webinar as we discuss the hot issues contractors will be facing next year. We will cover the likely trends in the areas of costs, suspension and debarment, cybersecurity, bid protests, international issues, procurement fraud, small business, OFCCP, claims/contractor recovery, data rights, and many others. Presenters include some of the most experienced attorneys in the field, and we hope you can join us.
Please click here to register.
The past year has showcased major developments in cybersecurity: unprecedented thefts and attacks, with losses estimated in the hundreds of billions of dollars; expanding sector-specific cybersecurity statutes and regulations; and a sweeping Executive Order on cybersecurity for critical infrastructure followed by a recent push for cyber intelligence sharing from Congress. Expect even more significant developments to follow in the coming months.
On May 15, at Crowell & Moring’s annual Ounce of Prevention Seminar (OOPS), C&M attorneys will describe the recent changes to the cyber landscape, as well as give a preview of things to come, in a program called Navigating Cyber Landmines in the Corporate Boardroom: Why & Where Government Contractors Must Tread Carefully. Jim Regan will lead a panel featuring David Bodenheimer, Bryan Brewer and me. We will discuss the exploding risks, escalating legal requirements, and expanding regulatory and RFP burdens in cybersecurity.
Government contractors can register and find more information on the 29th annual OOPS program, including the complete OOPS agenda, here.
Proponents of the Cyber Intelligence Sharing and Protection Act (more commonly known as CISPA) won a small battle last month when the House of Representatives passed the proposed bill by a vote of 248 to 168, with 42 yeas from Democrats. Yet the war for comprehensive cybersecurity legislation is far from over, as CISPA’s next campaign – the Senate – is expected to be a tougher fight. Even if it were to prevail there, the White House has stated that it would likely veto the bill.
Still, CISPA supporters believe that last-minute amendments may persuade some opponents into reconsidering their positions. According to an Office of Management and Budget statement made prior to the vote, the Obama Administration’s primary concerns were that CISPA did not go far enough to protect critical infrastructure; that it repealed portions of electronic surveillance law without implementing counterbalancing privacy protections; and that it granted too much shelter to the private sector from cyber liability. Representatives Rogers (R-MI) and Ruppersberger (D-MD), the bill’s co-sponsors, have since responded that regulating critical infrastructure is beyond the purview of the House Intelligence Committee – from whence the bill came – and that the now-approved changes to the bill narrow the government’s ability to retain and then use shared data. The amendments have yet to scale back liability exemptions, provisions that remain popular with industry. The White House has yet to comment on the revised bill.
In its current form, CISPA has won the support of Internet and technology companies such as Facebook and Symantec. Notably, though, some companies have jumped ship and now oppose the legislation. Civil rights groups, including the ACLU, also remain unconvinced. Cyber activist group Anonymous has been particularly vociferous in its opposition, calling for a series of protests and "swift messages" against industry supporters.
CISPA is not the only cybersecurity bill to face growing scrutiny. Members of the House and the Senate have offered at least nine other cybersecurity bills, including separate proposals from Senators Lieberman (I-CT) and McCain (R-AZ). As with CISPA, some critics believe Congress has yet to advance legislation comprehensive enough to cure the country’s growing cyber vulnerabilities while protecting the citizenry’s civil liberties – a familiar quandary in post-9/11 America.