
The shifting sands of cybersecurity: DOD’s interim rule further burdens contractors

gov IRG • August 28, 2015

Article by Dentons


Key contacts

Phillip R. Seckman
Partner, Denver
D +1 303 634 4338

Erin B. Sheppard
Counsel, Washington, DC
D +1 202 496 7533

Michael J. McGuinn
Senior Managing Associate, Denver
D +1 303 634 4333



The Department of Defense (DOD) earlier today issued an interim rule, effective immediately, that significantly increases existing cybersecurity requirements for DOD contractors. The requirements in the interim rule, available here, have broad applicability to DOD contractors at both the prime and subcontract levels, including commercial item and small business contractors. Contractors can expect these requirements to begin showing up in new DOD contracts immediately and should begin taking steps to ensure compliance.

The interim rule contains a number of new and revised DOD cybersecurity requirements. The key issues are summarized below.

Scope of the DOD requirements

The interim rule significantly expands the scope of the prior unclassified controlled technical information (UCTI) clause’s safeguarding and reporting requirements. Whereas the prior UCTI clause applied only to unclassified controlled technical information, the new clause—now titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”—applies more broadly to all “covered defense information.”

“Covered defense information” includes controlled technical information as well as export controlled information, critical information related to operations security and any other information marked or otherwise identified in the contract that requires safeguarding under relevant law and policy, including private and proprietary business information. The interim rule further clarifies that the definition of “controlled technical information” does not depend, as it did under the prior UCTI definition, on whether the information “is to be marked” with applicable DOD distribution statements.

This expanded definition, coupled with the clause’s broad flowdown requirement, means that the revised clause requirements likely will apply to virtually all DOD contractors at the prime and subcontract levels. The interim rule also revises Part 212 of the Defense Federal Acquisition Regulation Supplement (DFARS) to clarify that the rule’s requirements are applicable to commercial item contracts and subcontracts.

Security controls

Additionally, internal contractor information systems that contain covered defense information are subject to new safeguarding requirements. The interim rule removes the clause’s previously required security controls from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. DOD replaces those requirements with the controls in NIST SP 800-171, issued on June 18, 2015 and previously discussed here.

The National Archives and Records Administration (NARA) in May 2015 issued a proposed rule, discussed here, that would establish a government-wide policy related to the identification and safeguarding of controlled unclassified information. NARA stated in connection with that rule that it intended to promulgate a Federal Acquisition Regulation (FAR) clause that would apply the requirements of NIST SP 800-171 to contractors. The Office of Management and Budget (OMB) likewise recently proposed guidance seeking to require the use of these same NIST SP 800-171 controls on a government-wide basis for internal contractor information systems, discussed here. DOD’s decision to use the same NIST standards proposed by OMB and NARA is a welcome step to achieve consistency in cybersecurity standards across the federal government.

DOD in the interim rule also creates a new clause, DFARS 252.204-7008, which states that a contractor prior to contract award can provide a written explanation to the government justifying deviations from the NIST SP 800-171 controls. The prior DFARS UCTI clause had a similar provision, although not required pre-award, allowing contractors to provide this written explanation related to the NIST 800-53 controls. Under the interim rule, if seeking a deviation, a contractor must explain: (i) how the company has in place alternative security controls that “compensate for the inability to satisfy a particular requirement” of the NIST SP 800-171 standards or (ii) that a particular control is inapplicable. The new clause likewise clarifies that the contractor may either comply with the NIST SP 800-171 requirements or provide for alternative but equally effective security measures, a determination which must be approved by DOD prior to contract award.

Reporting requirements

The interim rule also expands reporting obligations. The rule requires contractors that discover a cyber incident that affects a covered contractor information system or information contained therein to investigate and report that incident to DOD. As part of its implementation of Section 1632 of the 2015 National Defense Authorization Act, DOD also requires contractors to investigate and report a cyber incident that affects the contractor’s ability to perform “operationally critical support” functions of a contract. Subcontractors are required to report cyber incidents to both the prime contractor and the government, with lower-tier subcontractors required to report cyber incidents up the chain of privity until the prime contractor is reached.

In addition, the rule modifies DFARS 252.204-7012 to permit DOD to release certain contractor information in a number of circumstances, including “to entities with missions that may be affected by such information” and “for national security purposes.” This expands the permissible reasons for sharing included in the prior version of the clause, which had limited the government’s use of contractor information only to “authorized persons for purposes and activities consistent with [the prior UCTI] clause.” Because contractor information now may be disclosed outside the government, contractors should clearly mark information provided to DOD and carefully consider whether particular information should be disclosed in connection with a cyber incident.

The interim rule further establishes DFARS 252.204-7009, Limitation on the Use and Disclosure of Third-Party Contractor Reporting Cyber Incident Information. This clause is required in contracts that involve contractor support for government activities related to safeguarding covered defense information and cyber incident reporting. It imposes nondisclosure obligations on contractors handling reporting information and provides that a contractor’s breach of its nondisclosure obligations may be subject to criminal, civil, administrative and contractual actions brought by the government, or, importantly, by the impacted reporting party.

Cloud computing requirements

And if the foregoing was not enough, the interim rule also contains a number of new requirements relating to the acquisition of cloud computing services. The interim rule adds a new DFARS subpart, 239.76, which formalizes DOD guidance in this area and mandates that DOD may only award contracts for cloud computing services to contractors that have obtained a provisional authority to operate from the Defense Information Systems Agency (DISA). The new subpart requires the inclusion of specifically enumerated government protections in any DOD cloud services purchase order.

The interim rule also establishes two new contract clauses, DFARS 252.239-7009, Representation of the Use of Cloud Computing, and DFARS 252.239-7010, Cloud Computing Services, for use in any acquisition for information technology services. These clauses require contractors to: (i) implement the administrative, technical and physical safeguards and controls outlined in DISA’s Cloud Computing Security Requirements Guide; (ii) maintain all government data in the United States unless authorized otherwise in writing; and (iii) restrict access to government data. DFARS 252.239-7010 also mandates that contractors report all cyber incidents related to the cloud services provided under the contract and imposes reporting and compliance obligations that parallel the access and investigation cooperation requirements included in the new UCTI clause.

Comments on the interim rule are due by October 26, 2015. Dentons lawyers will continue monitoring key developments in this area. Additionally, starting in the fall of 2015, Dentons lawyers will be presenting on behalf of the Public Contracting Institute a six-part series addressing the detailed compliance requirements and best practices relating to government contracts cybersecurity. More information about the series can be found here or by contacting the authors of this client alert.

November 5, 2024
The Single Audit threshold for organizations that receive Federal awards has been increased from $750,000 to $1 million, effective for fiscal periods starting on or after October 1, 2024. This adjustment is designed to streamline audit requirements and is intended to allow federal oversight resources to focus on larger awards. Here is a look at what this change means for organizations and how to prepare.

What Is a Single Audit?

A Single Audit is an audit of a non-federal entity’s financial statements and federal award expenditures, conducted to ensure that federal funds are used in compliance with relevant laws and regulations. Single Audits must adhere to Generally Accepted Auditing Standards (GAAS), Generally Accepted Government Auditing Standards (GAGAS) issued by the Comptroller General of the United States, and the Uniform Guidance. These audits assess compliance with federal award conditions and verify that organizations follow applicable financial and regulatory requirements.

The Uniform Guidance, outlined in Title 2 of the Code of Federal Regulations, Part 200, establishes the standards for recipients of federal funds. It includes rules on cost principles, administrative requirements, and audit obligations to promote consistency in the management of federal awards.

The New $1 Million Threshold: What Does This Mean for Businesses?

Starting in fiscal years beginning on or after October 1, 2024, only organizations with federal expenditures of $1 million or more in a single fiscal year will be required to undergo a Single Audit. This threshold increase is intended to lessen the audit burden for entities with smaller awards and allocate audit resources toward higher-dollar programs. This change may benefit various organizations, including universities, non-profits, healthcare providers, and smaller government entities, that receive federal funding but typically fall below the $1 million expenditure mark.

Key Points to Consider

1. Reduced Audit Burden: Organizations with federal awards under $1 million will no longer need to undergo a Single Audit, which may reduce administrative expenses and allow staff to focus more on their core programs.
2. Focused Oversight: With a higher threshold, federal audit efforts can concentrate on larger awards, where potential compliance risks may be greater.
3. Compliance Responsibility: Even if a Single Audit is not required, entities must still comply with federal requirements for award expenditures and conditions. Internal audits and controls remain essential for ensuring compliance.
4. Preparing for the Change: Organizations with federal expenditures that may vary across fiscal years should monitor their spending closely to determine when a Single Audit is needed.

Resources for Navigating Single Audit Requirements

While the threshold has increased, maintaining compliance with federal standards remains critical. The following resources provide additional information on Single Audits and compliance under Uniform Guidance:

- Council on Governmental Relations (COGR): 2024 Uniform Guidance Readiness, www.cogr.edu/sites/default/files/UG%20Readiness%202024_5th%20Look_Final%20Draft_9.17.24.pdf
- U.S. Department of Health & Human Services, Office of Inspector General: Single Audit FAQs, oig.hhs.gov/compliance/single-audits/frequently-asked-questions-faqs/single-audits-faqs/

The increase in the Single Audit threshold is likely to reduce administrative demands for many organizations. However, maintaining sound internal controls for managing and reporting federal funds remains essential. Preparing now for these changes will help organizations transition smoothly and stay compliant with federal requirements. Consulting with audit professionals or compliance advisors is recommended to ensure internal processes align with the latest federal guidelines.

About govIRG

govIRG is the government contract specialist with deep expertise across CFO Services, Contracts Management, Accounting, Accounting System Implementations, and Human Resources. Our mission is to provide government contractors with peace of mind by simplifying compliance and increasing business value. With a dedicated team focused on the unique needs of government contractors, govIRG delivers tailored solutions that streamline processes, ensure regulatory compliance, and foster business growth. We are the audit professionals you need. If you have any questions, please contact us.
By Chuck Anderson and Associates at govIRG October 4, 2024
Government contractors with cost-reimbursable contracts are required to submit provisional billing rates (PBRs) annually. While this may seem like a tedious compliance requirement, it’s actually an exercise that all companies should perform in some form. The insights gained not only help with billing on cost-reimbursable contracts but also offer a deeper understanding of a company’s finances.

Developing PBRs is essentially a budgeting exercise that provides indirect rates representing the company’s break-even point. These rates are then used for invoicing on cost-reimbursable contracts in the following year. There are various ways to determine these rates, but the key requirement is that the process be well-documented and the data organized in a clear, intuitive format.

Before starting the budgeting process, it’s crucial to ensure your Chart of Accounts (COA) is structured to categorize costs by “objective.” Typically, this structure will divide your COA into sections for recording costs such as Direct, Fringe, Overhead, G&A, and Unallowable. With this setup, you can easily identify and present the necessary details for calculating and submitting your PBRs.

The budgeting process itself will vary based on the size, structure, and complexity of your business. The goal is to balance the time and cost of developing the budget with the accuracy of the results. govIRG can help you find the “sweet spot” to deliver an accurate forecast with the right level of effort. Our team can support this process at whatever level is appropriate for your company. Whether you need simple calculations and presentation or a deep dive into the details, we have the expertise to help you efficiently and accurately prepare your annual PBR.

Government contractors operate in a world where compliance is key. While developing PBRs may seem like a compliance obstacle, it’s actually a great opportunity to improve your company’s management. govIRG’s comprehensive approach to compliance management helps contractors avoid cash flow issues, stay compliant with government regulations, and ultimately increase the value of their business.
By Kevin Hoskins August 23, 2024
SBIR, or Small Business Innovation Research, and STTR, or Small Business Technology Transfer, are government-funded programs designed to engage small businesses in research and development efforts across the United States. These programs aim to boost the commercialization of federally funded research, enhance national investment, and foster technological innovation.

The difference between SBIR and STTR

The SBIR program is a three-phase award system that offers qualified small businesses the opportunity to propose innovative solutions that address the federal government’s specific research and development needs. The three phases are as follows: Phase I focuses on creating a proof of concept for the innovation; Phase II involves continuing research and development efforts; and Phase III is dedicated to pursuing commercialization in the private sector.

STTR is intended to promote technology transfer by facilitating cooperative research and development between small businesses and research institutions. The key distinction from SBIR is that STTR requires the small business to formally partner with a research institution.

At the time you apply for an SBIR you might also be eligible for TABA (Technical and Business Assistance) funds, which are in addition to the SBIR funding, to help you with your IP (Intellectual Property), Accounting System setup, and other things. You might also be eligible for R&D (Research & Development) Credits when you win an SBIR.

GovIRG is committed to helping businesses thrive by simplifying compliance and increasing their business value. Our goal is to help businesses understand the available options and resources that can set them on the path to success. Some of this article references information found on SBIR.gov and from the U.S. Department of Education.