This post was written by Timothy J. Nagle and Gunjan Talati.
On Friday, August 24, the Federal Acquisition Regulation (“FAR”) Council issued a proposed rule that adds a subpart and contract clause to the FAR that would force government contractors to implement basic information-systems safeguards for any non-public information that is provided by or generated for the government. While the proposed rule is intended to plug a hole in the FAR that does not currently require such safeguards, the draft of the rule is so broad that it is not clear what holes it will actually plug. Rather, what we do know is that it adds yet another FAR clause in government contracts to an already long list that companies will have to monitor for compliance. Comments to the proposed rule are due no later than October 23, 2012.
At the outset, we note that the proposed rule does not appear to change security standards. Rather, it appears to expand (without being sufficiently precise) the applicability of the standards. Specifically, the Federal Information Security Management Act (FISMA) of 2002, 44 U.S.C. 3544, states:
(a) In General.— The head of each agency shall—
(1) be responsible for—
(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—
(i) information collected or maintained by or on behalf of the agency; and
(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; [emphasis added].
Thus, agencies already have a duty to identify possible security holes and mitigate risks.
The proposed rule does not change the FISMA requirements. Rather, the proposed rule seeks to “apply the following basic safeguarding requirements to protect information provided by or generated for the Government (other than public information) which resides on or transits through its information systems from unauthorized access and disclosure.”
While there is a definition for “information system” in the proposed rule, it is broad and encompasses just about any information that is not already public. The definition also fails to identify what a “Contractor” information system really is under the rule. There is no clear delineation in the proposed rule between an information system operated by a contractor on behalf of an agency and one operated by just a contractor.
Also, the rule does not supersede any specific safeguards spelled out in a contract. A government contract or statement of work will usually describe the technical requirements and boundaries of an information system required to provide the specified services, and a contractor can price the equipment, technical support and policy development into its bid. And most government contracts will require the contractor to maintain the system to government (FISMA) security standards and be subject to certification and accreditation with subsequent audits. This does not change, and therefore the rule may be of little practical value to contractors that already have such safeguards spelled out in their contracts.
One concern is that the proposed rule might be interpreted to mean that the corporate network of the contractor, which does not directly support any government contract work, is now subject to government standards, inspection and audit if it processes or stores any government information. This could potentially include contract invoices, reports, pricing information or any other documents and data required for contract administration. Without more clarity, no program manager or CIO will know the extent of potential government supervision of their corporate network. Such an interpretation would unnecessarily extend the reach of FISMA. The risk of such interpretations makes it likely this proposed rule will be challenged on several fronts.
If the rule is not challenged and is implemented as drafted, contractors will need to ensure that their systems comply. Exactly what constitutes the appropriate basic safeguards would surely vary from company to company, with few bright lines. Additionally, the government could take the position that a contractor’s safeguards do not meet the requirements of the rule and use that position as a basis for claims, termination for default, and possibly even suspension and debarment (for failing to have adequate internal controls).