August 1, 2023

Podcast - Overview of Cybersecurity in Government Contracts

Regulatory Phishing Podcast Series

The first episode of government contracts attorney Eric Crusius’ podcast, "Regulatory Phishing," provides an overview of the latest cybersecurity issues facing government contractors and how significant cybersecurity attacks that have leaked government information to countries such as China, Russia and North Korea threaten national security. He details U.S. government regulations with which contractors must comply and provides key information that government contractors should know, such as the Biden Administration's national security strategy. He also discusses his involvement in the National Contract Management Association's World Congress held July 23-26 in Nashville and the increased interest in cybersecurity matters.


Eric Crusius: Hello, and welcome to the first episode of Regulatory Phishing. As the intro said, this is a podcast that's going to focus on cybersecurity issues in government contracting. And, before we kind of get into the substance, just a little bit about what direction I think we'll go here, we're going to have a bunch of guests from the industry to talk to the latest status of all the cybersecurity news, particularly in the government contracts industry. We have an exciting lineup that's going to be coming up over the next months and years, hopefully, and then also we're going to lean on our partners here at Holland & Knight. We have some really terrific expertise within the firm, particularly in our government contracting and cybersecurity groups, relevant to this podcast. So, we're going to have a bunch of those folks on to talk about the latest issues that are coming up.

I expect one of the very next episodes will be about TikTok and the TikTok ban for government contractors and the impact that it's having on the industry and what contractors are doing. So, you should see that coming to your feed soon after this episode drops.

We decided to start this podcast because it is a topic that is unlike any other. The developments are changing rapidly by the day. They are significant developments. They are impacting contractors large and small of all sizes, and they impact the ability of these contractors to do business with the federal government, and they impact the ability of the federal government to try to expand the defense industrial base and the base of contractors willing to do business with it in civilian agencies also. So, I thought we'd first kind of talk about how we're getting here and why we're here and where we're probably going to go over the next number of months and years, and then the next episodes that will follow will be attacking more specific topics that will be practical — at least, I hope will be practical for everybody listening — how to implement these controls, how to stay compliant, and if you're on the government side, you know what to look out for in the contracting base and how to help those contractors along that are dealing with a whole new slew of issues along the way. 

National Contract Management Association's World Congress

I'm currently at the National Contract Management Association's World Congress (NCMA), and I remember about 10 years ago, I applied to speak on cybersecurity in government contracts at the World Congress, and my session got denied. And I was disappointed, of course, but I understand that you can't win them all every time. So the agenda came out, the final agenda for NCMA World Congress, and I noticed there were no cybersecurity topics at all on the agenda. So I wrote to NCMA, and I said, look, I think this is a really important topic. I think a lot of folks will be interested in it, whether you use my proposal or not or somebody else's proposal, I really think this is something that should be on the agenda. And they relented, and they decided to put my presentation on the agenda. So, I went to speak, and I went into the room, and I presented to a total of four people. It was not a very popular session. Postscript: We're doing two sessions here at this version because there was a lot of interest in it. And our first session yesterday had over 100 people in it, and we'll see how many that one today has. But now we had four people. So, NCMA knew that there wasn't a lot of interest in cybersecurity back then, but since that time, we've had a slew of developments, and by developments, I mean significant cybersecurity attacks.

Cybersecurity Attacks

We had the OPM breach that happened in 2015 that impacted many millions, over 20 million records of folks who have applied for security clearances and their families, and we had breaches that impacted super high-tech programs that the government has poured billions, if not trillions of dollars into, such as the F-35 fire. You know, the government has seen a lot of their information that they've paid a lot of money and time for leak out to the Chinese, to the Russians, to the North Koreans along the way. And that, in turn, has caused Congress to act and has caused the regulatory agencies under the president to act. So Congress has passed and, since then, updated FISMA, the Federal Information Security Management Act. There have been numerous provisions within the National Defense Authorization Act over the last 10 years that have addressed cybersecurity, and then executive orders that have come out from President Obama, President Trump and President Biden have all addressed cybersecurity issues in government contracts. Those statutes and those executive orders turn into regulations eventually, and those regulations are then put into contracts, and contractors have the obligation to follow those regulations or else they face a parade of horribles from contract cancellation, known as termination for convenience or termination for default, negative past performance ratings, whistleblower actions under the False Claims Act, or DOJ investigations and investigations launched by agencies. And we're going to talk about all those kinds of consequences in future podcasts, but, you know, there is a tremendous incentive for contractors to be compliant with these requirements, and these requirements are changing almost by the day.

The presentation that we're doing here at NCMA World Congress — we had to change it a number of times before we finalized it and sent it in just a few days ago to be presented and uploaded to the system that NCMA runs so attendees can access it. But, even since that time, there have been developments that have made a couple of slides obsolete or needed to be changed. So, we'll try to keep folks as current as possible through this podcast and through other measures such as blogs and LinkedIn posts and things like that because, you know, this is not just a national security threat and important for our country, but it's also important for folks who want to do business with the federal government. 

What Contractors Should Know About Cybersecurity in Government Contracts

So with that, I thought I'd run through kind of a few of the things that contractors, from a very high level, should know about with cybersecurity in government contracts. And then in future episodes, we'll kind of dig down in those and also talk about practical things, such as what happens if there's a cybersecurity breach or, you know, what do you do to keep track of everything that's going on, how do you keep track.

National Cybersecurity Strategy

So the first thing I would say is this: The Biden Administration has released a national cybersecurity strategy. They released the general strategy in March. They put some meat on the bones in July with some specific provisions that really kind of drill down and let the community know as a whole what their priorities are, and those priorities will then be reflected in executive orders and regulations. And separate and apart from that, you have Congress acting through the National Defense Authorization Act and standalone statutes, passing legislation that will impact contractors. So, when looking at all of this kind of funneling down into a contract itself, you kind of have a division between the civilian agencies and the Department of Defense.

Department of Defense Regulations

With respect to the Department of Defense, they've really been at the forefront. About six years ago, they issued a new regulation known as 252.204-7012 under the Defense Federal Acquisition Regulation Supplement (DFARS). And the DFARS provision requires compliance with 110 controls in a special publication issued by the National Institute of Standards and Technology, and the publication number is 800-171. So, 800-171 has 110 controls in it. And under this regulation that DOD issued, contractors are required to comply with the 110 controls.

Besides that, they're also required to let DOD know within 72 hours of a breach or an incident, I should say, that incident occurred with some information about the incident. And DOD, Department of Defense, has the right to follow up and continue on that investigation, ask for additional information, ask for the media that was or the servers that were impacted, a copy of them, and also they expect contractors to cooperate in any such investigation, and that's in most DOD contracts that have what's called controlled unclassified information, CUI. We love acronyms here in the D.C. area. So, controlled unclassified information (CUI) is really nonpublic information that is essentially in the CUI registry that's put out by the federal government. And when you look at the CUI registry, it's very broad and includes proprietary information, includes personally identifiable information, includes all kinds of information the government would have CUI. And if the contractor possesses CUI, or creates CUI, or is storing CUI in some way, shape or form, you know, in the performance of a government contract, they're going to be covered by these requirements. They're going to be required to comply with these 110 controls. They're going to be required to cooperate in a DOD investigation, and they're going to be required to disclose any incidents within 72 hours. And that's fairly significant. This has been going on for some time.

Now, it's all a self-certification. The 110 controls that a contractor is required to comply with, nobody is checking up on the contractor to be sure that they're compliant. Really, the only outlet where a third party can look at it is if there's some kind of whistleblower case where there is an employee working at a company that is, you know, sees that there, that the company knows that they're not compliant, it's not doing anything about it, they can file an anonymous whistleblower action in federal court. And that would probably ultimately result in review of the cybersecurity practices of that contractor. It's not the norm or the regular. So, DOD really has no way to systematically check with contractor compliance with those 110 controls. And, DOD has long said they don't believe that contractors are compliant with those 110 controls. They really believe that contractors are kind of not really paying attention, and that's enabling our adversaries, such as folks in China and Russia, to attack us and get our information.

So, DOD, in the last few years, has devised a program called the Cybersecurity Maturity Model Certification program (CMMC). And the idea of CMMC is that a third party will come in and verify compliance with those 110 controls. Now, CMMC has had quite a few delays in its rollout, but it is making progress. The CMMC rules are now with the Office of Management and Budget, and that's the final stage a rule gets before it's released to the general public. We don't know whether it's going to be released as a proposed rule at this time or if it's going to be released as a final interim rule. And that difference is significant. If it's a proposed rule, it doesn't take effect yet, and it's open for notice and comments from the industry and from anybody else who wants to comment for 60 days. DOD will take those comments, review them and issue a final rule. And that could take up to a year. Now, if it's issued as a final interim rule, the rule is effective immediately upon issuance or for a period of time, 30 or 60 days, whatever is noted in the rule itself. And DOD then continues to take notice of comments like before. But, while it's considering those comments, you know, the adjudication of those comments, the rule will be in effect. And parties that have the CMMC rule in their contract will have to get a third-party certification under CMMC. So, we'll have to see where this goes in the next six to nine to 12 months, but it could significantly impact the defense industrial base. This applies to DOD contractors, not civilian contractors, of course.

Now, seeing how long that CMMC was taking to roll out, DOD decided to kind of issue a Band-Aid. And that Band-Aid is in the form of another rule: DFARS 252.204-7019 and 7020. And this requires contractors to go into the supplier performance risk system and state affirmatively how many of those 110 controls they're compliant with. And what DOD is finding is that most contractors are saying they are not compliant with those 110 controls despite having the 7012 clause in their contract for many years prior. So, DOD is not taking a punitive approach right now. They're really looking at getting folks up to speed, getting contractors to make sure they're compliant with all the controls along the way. So, they're really trying to work with contractors to get there. But, under these regulations, DOD has the right to audit compliance. So, they have a right to come in and look at a system and say, you know, you said you're complying with 110, let's see if you really are. And, if the audit finds that the contractor has less than perfect compliance, then the contractor may be up for some, you know, side eyes from the Department of Defense. We don't know exactly what that would look like or if DOD is still going to take a carrot versus stick approach. But, it really leaves the contractor vulnerable to attack from the Department of Defense. So contractors who are putting in the scores into those supplier performance risk systems should be very confident about the scores they're putting in, should not put in a perfect score unless they've had a third party come in and done a kind of a self-audit of the company's cybersecurity compliance because right now DOD is really looking closely at those contractors that state that they're compliant with all 110 controls because they really just don't believe it as a whole.

Now, there are some who are, particularly the large defense contractors, have spent a lot of time and money getting up to speed. So, it's not altogether surprising that they would be completely compliant with those 110 controls. But for smaller and middle-sized contractors, it's not surprising to see a DOD audit of a perfect score. So, we should really be cognizant of that score and how that score is inputted and what, you know, what it's based off of.

Now, there are some contractors who are really brutally honest, and they have a score that's in the negative numbers range. And there is a risk, of course, that DOD will no longer want to do business with those contractors. So for the folks who are in that position, you know, I urge them to try to get up to speed and update their scores as quickly as possible so it doesn't impact their ability to win future work. And you don't, of course, want existing contracts to be canceled. That would be fairly significant in a negative way. So you have that from the DOD. And, you know, they're in the process of rolling out CMMC. They've really been on the front lines of kind of issuing new regulations and getting their defense industrial base up to speed. 

Civilian Cybersecurity Regulations

On the civilian side, we've seen much less activity to date where we have a baseline federal acquisition regulation clause, which is not really significant in protecting information, it just runs to the very basics. So, what we've seen is other agencies kind of stepping in, individual agencies stepping in and issuing regulations.

Veteran Affairs (VA) and the Department of Homeland Security (DHS) have issued fairly comprehensive cybersecurity regulations this year, 2023, and these regulations go a lot further than the baseline that's in the Federal Acquisition Regulation. So, if you're a contractor and you're doing business with those agencies, you should really be paying attention to these new requirements.

The VA, for instance, gives the VA the right, if the regulation is applicable to the contractor, to come in and audit unannounced the contractor's systems. It also requires, in certain circumstances, the disclosure of a cybersecurity incident within one hour. It also allows for incidents to require contractors to pay a significant amount of liquidated damages, which are damages that cannot essentially be predicted in the future. The contracting officer will write in the amount in the contract when the contract is issued, and it would be on a per-record basis. So, if the breach involves personally identifiable information of certain kinds and the breach involves, say, 3 million records and the number in the contract is $4, that is $12 million that the contractor has to pay to the VA for that breach. So, these are fairly significant developments on the VA side.

DHS similarly has issued new regulations within the last few months, and those DHS regulations signify that they're going in a similar direction to the VA. They require compliance with certain DHS standards. Those standards can change at any time. The regulations contain a link to a website on DHS' website that DHS says they're in the process of updating that will have the standards in them. Now, I wonder, I'm just talking out loud here, but I wonder if that's going to be compliant with the Administrative Procedures Act (APA). I'm not sure because the standards can change without the rule changing. The requirements of a contractor can change. Contractors may want to challenge that or not. But I understand [why] DHS is doing that: The threat landscape is changing all the time, and that requires changes to standards quickly. And, a lot of times, going through that notice and comment period just takes too long, and it makes the regulations by the time they're issued ineffectual.

As an example, the proposed rules for the cybersecurity regulations at DHS were first proposed in 2017, six years ago. So, it took six years to go from a proposed rule to a final rule with these regulations, which is just way too long when you're talking about an adversary that is changing their techniques by the day. So we'll see how this gets out and what those new standards look like from the DHS side. But it is a significant development.

Now, the Federal Acquisition Regulatory Council (FAR), which are the folks who kind of make the FAR regulations or craft them for comment, they're working on a slew of new cybersecurity regulations, some aimed at requiring compliance with NIST 800-171, which is where DOD is already in one end with a breach notification response requirement. So, we should see those regulations sometime in 2023 or early 2024, and they will really up the ante for those contractors who only contract with civilian agencies. So, we have a lot of new developments coming on the civilian side and on the side of DOD. 

Final Thoughts

And this podcast will hopefully cover all of that and more and offer analysis from some folks in the industry and allow for you all who are listening to get practical advice on how to handle these things.

The one thing I would really say from a practical standpoint is for the contractors to look to your contract. Those are the requirements that you have today. Everything that's happening in the cybersecurity space could seem overwhelming. There's a lot going on, but at the end of the day, the only thing that is required is to comply with what's in the contract. That's helpful on a day-to-day basis.

It's a little bit more complicated when thinking about the things that take a long time to implement, like the 110 controls. Those are long lead-time developments that take three, six, nine months for a contractor to get up to speed on. So, you really, as a contractor, if you're listening, you really have to plan in advance for that. And that is because civilian agencies and the Department of Defense are paying very close attention to this area. It is not a coincidence that we've had a number of memos issued by various agencies talking to that.

For instance, the Department of Justice issued a memorandum towards the end of 2021 that stated that they're starting the Civil Cyber-Fraud Initiative, and this initiative is looking at contractors, cybersecurity compliance and encouraging the use of the False Claims Act on the civil side to go after contractors who are not compliant with cybersecurity controls. So, DOJ has already netted a few settlements from that, and there are other cases in the works based on what I'm hearing on the ground where DOJ is taking a really aggressive approach against contractors who are noncompliant.

Last summer, the Department of Defense also issued a memorandum that instructed its contracting officers to look closely at cybersecurity compliance among its contractors and to ensure that they are compliant, encouraging contracting officers to look at that but also terminate contracts where contractors are unwilling or unable to be compliant with cybersecurity controls.

So, you have the Department of Defense, you have the Department of Justice, you have the civilian agencies — everyone is looking very closely at this, and that leads to the inevitable conclusion that contractors are just going to have to get up to speed if they want to still do business within the federal government.

With that good news, we will pause here for this episode, and we will then kind of turn to more specific and practical topics in the episodes to come. Really glad that you're listening, and I hope you stick around for more information and, hopefully a little bit of fun along the way. Thank you.
