Last month the Federal Acquisition Regulatory (FAR) Council announced a major proposal regarding cybersecurity incident reporting and information. Comments currently are now due by February 2, 2024.
The proposed reporting changes raise several significant challenges. Several representative samples are below.
- The proposal states that, “[The] proposed rule underscores that the compliance with information-sharing and incident-reporting requirements are material to eligibility and payment under Government contracts. [emphasis supplied].” “Materiality” is a required element of proof in False Claims Act (FCA) claims. FCA claims are the “Nuclear” enforcement mechanism actively and increasingly used by the Justice Department in its enforcement of cybersecurity compliance.The proposed definition of “information and communications technology” (ICT) is broad and applied to “all solicitations and contracts” — not only those plainly for ICT. In the absence of a careful reading of the definition this application may appear to a zealous contract administrator not to be limited, as it says when read completely, to “information technology and other equipment, systems, technologies, or process, for which the principal function is the creation, manipulation, storage, display, receipt, or transmission of electronic data and information, as well as any associated content.” [emphasis supplied] The potential effect of such a misreading minimally could be imposition of reporting burdens on contracts involving only incidental or no ICT. The cost of compelled compliance in such circumstances could be beyond the reach of some (especially small) contractors, resulting in “no-bid” decisions reducing competition.
- The increasing proliferation of new and existing devices (the Internet of Things), and yet unimagined future “connected” functions and devices meeting this broad definition, and an absence of clarity regarding the proposal’s application to these devices, may similarly result in “no-bid” decisions or perhaps even decisions to exit federal acquisition entirely. This lack of clarity ultimately points to higher government cost and reduced competition. Both are suboptimal results – even absent the additional risk of an FCA enforcement action.
- The proposed definition of “security incident” is also very broad including “actual or imminent” event including laws, and security policies, security procedures, or acceptable use policies. The breadth and imprecision of what is included muddles what is and is not subject to a reporting obligation. Two additional related factors make matters somewhat more confusing. Those are: (a) OMB’s mandated transition of federal information systems to Internet Protocol version 6 (IPv6), and (b) inclusion of Operational Technology (as defined in the proposal). The individual and collective effect of all these matters point to potentially undesirable and negative incentives.
- The proposal includes a mandatory duty of cooperation whenever a reportable incident occurs. That duty requires contractors to cooperate fully with three federal entities: (a) the contracting agency, (b) the Cybersecurity and Infrastructure Security Agency (CISA), and (c) the FBI. Instances requiring contractors to grant the Government unfettered access to their personnel and information systems will likely be viewed as troublesome and constituting disincentives. Prudent contractors are unlikely to be sanguine about allowing any Government entity such access due to the negative events that could result. Such negative events could involve potential damage to the information systems themselves, as well as potential liabilities under or negative effects involving obligations owed to third parties under unrelated agreements.
- Federal acquisitions involving international subcontractors and suppliers introduces further complicating factors. The complexity of compliance and risk assessment within the U.S. alone requires impressive effort and expense. International subcontractors and suppliers require that international agreements and sanctions regimes must be considered and monitored. Foreign subcontractor (and supplier) compliance with U.S. obligations and local law adds exponential complexity, expense and risk to the burdens. Threading such needles may be possible but will certainly be expensive — particularly when countries with unique legal frameworks are involved. In the final analysis, the cost of risk assessment and compliance in these situations can become substantial, especially where the Justice Department chooses to use the FCA as an enforcement measure.
The Bottom Line
These proposed obligations could seriously affect competition as well as the Government’s access to cutting edge innovation. The most innovative smaller businesses and startups simply may choose not to participate in federal acquisition rather than risk an FCA claim by the Government. Such decisions will affect overall competition and Government access to cutting edge innovation.