President Donald Trump on Sept. 20, 2018, unveiled a new National Cyber Strategy (Strategy). The Strategy follows the May 2017 White House Cybersecurity Executive Order (EO) 13800, which addressed the security of federal networks (detailed in a prior blog post) as well as the critical infrastructure sectors. Senior U.S. Department of Homeland Security (DHS) officials also presented the new Strategy at a recent State of Cybersecurity Conference. The Strategy is organized around four main pillars of priority, including the need to:
The Strategy reinforces the role of DHS in securing the networks of federal departments and agencies other than those operated by the U.S. Department of Defense (DoD) and the U.S. Intelligence Community (IC). Pillar I includes two areas of direct impact to government contractors: "Strengthen Federal Contractor Cybersecurity" and "Improve Federal Supply Chain Risk Management."
Under the first area, implementation of the Strategy will affect federal contractors in important ways. It envisions a more proactive government role in assuring that contractors' information systems are adequately protected, stating explicitly that "The United States cannot afford to have sensitive government information on systems inadequately secured by contractors." It calls for federal contracts to contain provisions authorizing the government to review contractor cyber protections by "testing, hunting, sensoring, and responding to incidents on contractor systems." In other words, it contemplates government officials accessing and testing contractor systems directly, rather than the government's previous primary reliance on contractors' own attestations of security. Most current DoD and civilian agency contracts depend on contractors to evaluate and test their own systems, or to engage a third-party assessor to do so. The Strategy identifies "acute concerns" for defense-related contractors in particular.
The Strategy also calls for consolidating cyber acquisition strategies to reduce the cost of complying with contract provisions that differ from agency to agency. At present, DoD has its own cybersecurity regulations and contract clauses in the Defense Federal Acquisition Regulation Supplement (DFARS), and individual civilian agencies supplement the Federal Acquisition Regulation (FAR) cyber provisions with their own requirements. Because this complex and sometimes conflicting set of requirements has been a significant compliance challenge for contractors doing business with multiple agencies, a more unified approach to cyber regulations and contract clauses may benefit the contracting community.
The second area of importance for government contractors is supply chain security, which the federal government has treated as a growing risk for some time. The Strategy calls for the creation of a new "supply chain risk assessment shared service" that will centralize information about supply chain threats. Of more direct relevance to federal contractors, it calls for new and "more streamlined" authorities to exclude risky vendors, products and services. It does not, however, specify whether these authorities will be in addition to, or integrated with, the current suspension and debarment regulations. Federal contractors should monitor implementation of these provisions carefully, as they could significantly change how companies are excluded from the procurement process. Federal contractors that also operate within one of the 16 critical infrastructure sectors will find themselves subject to additional cybersecurity priority action items as well, including where DHS and other federal agencies lay out expectations for the private sector and where "The Administration will develop a comprehensive understanding of national risk by identifying national critical functions ... related to cybersecurity risk management."
In addition to the White House National Cyber Strategy, DoD rolled out its own cyber strategy, which focuses on government contractors in the defense industrial base (DIB). That document states:
"Our focus working with DIB entities is to protect sensitive DoD information whose loss, either individually or in aggregate, could result in an erosion of Joint Force military advantage. As the Sector Specific Agency (SSA) for the DIB and a business partner with the DIB and DCI, the Department will: set and enforce standards for cybersecurity, resilience, and reporting; and be prepared, when requested and authorized, to provide direct assistance, including on non-DoD networks, prior to, during, and after an incident."
Both civilian federal contractors and defense-related contractors can therefore expect a considerably more robust set of contracting standards and requirements than in the past. More information on these issues will be shared as implementation proceeds; readers can also contact the authors for further details.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.