“In the face of the government’s present inability or unwillingness to directly regulate critical infrastructure and beyond, I would think that anyone in the contracting space should be paying attention to the framework and seeing how they stack up to its expectations,” said Megan Brown, a partner at Wiley Rein LLP. “The contracting community has often been at the forefront of new government efforts, because it is easier to tack on additional responsibilities to contracts than to regulate private industry directly.”
Contractors have been subject to a host of cybersecurity regulations in recent months, many stemming from the same executive order that created the new voluntary cybersecurity framework. Late in 2013, the U.S. Department of Defense published a rule requiring its contractors to safeguard unclassified technical data and report breaches that affected that data, as well as a rule allowing the DOD to disqualify contractors for sensitive information technology procurements because of perceived cybersecurity risks in those companies’ supply chains.
The General Services Administration and DOD also recently published a report on reforms that could improve cybersecurity in federal acquisitions, and the DOD has run a voluntary threat sharing program with members of its defense industrial base. The government is also expected to amend the Federal Acquisition Regulation in 2014 with a rule requiring all contractors to implement basic information safeguarding policies.
Because of those and other regulations, and the fact that the stakes are so high for contractors handling sensitive DOD information, most defense contractors will be ahead of the curve if they want to adopt the voluntary approach laid out in the framework, according to Charles Blanchard, a partner at Arnold & Porter LLP who previously served as general counsel for both the Air Force and the Army.
But because the framework could provide the basis for legislation that includes cybersecurity incentives prized by the private sector — including grants, subsidized cybersecurity insurance and protection from liability for compliant companies — defense companies will be watching the framework’s evolution closely, he said. And nondefense contractors could look to the framework to see the kinds of best practices they can use to prepare for the upcoming FAR rule.
“For defense contractors that have government technical information that they need to safeguard, the DOD regulation is probably a more important document. This framework, if the incentives come in, could be an extra benefit. It could reward them for complying with the DOD regulations,” Blanchard said. “Most contractors, however are not DOD contractors. For those contractors, this framework could be a hint as to what they can expect when the FAR rule comes out.”
While the framework has been generally well-received by industry stakeholders, some were disappointed by its silence on the issue of incentives, like a safe harbor for companies who follow the NIST guidelines and best practices but still find themselves the victim of a data breach. That kind of safe harbor would have to come through federal legislation, because different states have pursued their own approaches to data breach reporting and liability, and a federal statute is needed to replace that patchwork of state laws, Blanchard said.
Contractors and other companies at risk for cyberattacks can still use their compliance with the NIST guidelines when defending themselves against litigation related to a data breach, although it’s no sure bet, according to Elizabeth Ferrell of McKenna Long & Aldridge LLP.
“I think it would be much more comforting for companies with critical infrastructure, contractors and other companies implementing cybersecurity recommendations if they were able to get some kind of liability limitation in return,” Ferrell said. “They want to make it official instead of rolling the dice on whether a judge or jury would accept these steps as the standard of care and say, ‘You’ve done all you needed to do.'”
While states have created a patchwork of liability laws, federal agencies have also been forced to go it alone, each attempting to manage cyberrisks through their contracts or regulatory power, Ferrell said.
“Agencies are free to tailor their own contract clauses and they are doing so,” Ferrell said. “We are now engaged in a patchwork of cybersecurity initiatives because every part of the federal government recognizes that it is critical to protect our cyberresources, and that the next big attack against the United States could be in the cyberworld.”
The NIST framework, along with its more detailed guidelines on specific issues like password security and physical access controls, could help standardize that patchwork if agencies or Congress use them as a starting point in new regulations and legislation, Ferrell said.
“Even though this framework is only for critical infrastructure, and it is voluntary, there is the sense that this will become the first building block in future regulations,” Ferrell said. “There’s a notion that this framework may be made mandatory for critical infrastructure and other regulated companies, like contractors.”
Replacing the current patchwork of cybersecurity standards with a more centralized guidance could make it easier for contractors to track their responsibilities, leading to lower compliance costs and improved security for agencies and contractors, according to Evan Wolff, a partner at Crowell & Moring LLP.
The stakes are high for contractors that are asked to revamp their cybersecurity practices, especially if the government demands a certification that the contractors comply with security standards in the framework or in other regulations. If there’s a breach or attack, and the contractor is found to have overstated its security, that could lead to risks ranging from contract penalties and poor performance reviews to debarment or False Claims Act liability.
“You could start to see the government expecting more assurances from its contracting partners, and if your abilities are not up to their expectations, you could be at a disadvantage in contracting,” Brown said.
Contractors will also face more government scrutiny than most industries, because the government can use its contracting authority to affect a broader section of the overall economy by forcing contractors to police their supply chain for risks and flow down cybersecurity responsibilities to their subcontractors. The government has already taken that approach in other areas, including in recent rules requiring contractors to police their supply chains for signs of human trafficking or counterfeit electronic parts.
“The government could really attempt to expand its reach if it tries to grab the contracting community and reach one or two circles beyond the prime contractors,” Brown said.