© 2015 Crowell & Moring

Acquisition Regulations Governing Federal Cybersecurity:

Overview of Acquisition Requirements, Regulatory Issues, and Practical Application

I.  Federal Statutory and Regulatory Hierarchy for Cyber Regulations

A.  General Security Requirements

Current federal information security requirements are spread over multiple statutes (information security, privacy, healthcare, and more), Federal Acquisition Regulation (FAR) provisions, individual federal agency regulations, and various federal (NIST) and commercial (e.g., ISO) standards.

1.  Statutory Requirements

·  FISMA (44 U.S.C. §§ 3551-58) (federal information & systems)

·  HIPAA (42 U.S.C. § 1320d-2(d)) (healthcare data)

·  Privacy Act (5 U.S.C. § 552a) (federal systems of records)

·  Issue-Specific Security Laws (e.g., new legislation)

·  Agency-Specific Security Laws (e.g., NDAA § 941)

2.  Federal Regulatory Requirements

·  FAR §§ 7.103(w) & 39.101(d) (information security)

·  FAR § 24.102 (Privacy Act implementation)

·  Federal Acquisition Circular (70 Fed. Reg. 57451) (FISMA)

3.  Agency Regulatory Requirements

·  Agency Acquisition Regulations (various)

·  Agency HIPAA Implementation (e.g., 45 C.F.R. § 164.306)

·  Agency Privacy Act Implementation (various)

·  Agency-Specific Statutory Requirements (various)

4.  Cyber Standards

·  NIST FIPS & Special Publications (40 U.S.C. § 11331(b)(1)(C))

·  Commercial Standards (ISO, COBIT, PCI, etc.)

B.  Flowdown of Cyber Requirements and Regulatory Coverage

·  DoD: DFARS § 204.73, § 239.7102

·  GSA: GSAM § 539.7000, § 552.239-71

·  DHS: HSAR § 3004.470, § 3052.204-70

·  NASA: NASA FARS § 1804.470, § 1852.204-76

·  HHS: HHS FARS § 339.7100, § 352.239-72

·  State: DOSAR § 639.107-70, § 652.239-70 & 71

·  Commerce: Commerce FARS § 1339.270, § 1352.239-72

·  Transportation: TAR § 1239.70, § 1252.239-70

·  HUD: HUD FARS § 2439.107, § 2452.239-70

·  Education: DoEd FARS § 3439.702, § 3452.702

·  Energy: DEAR § 904.404(d)(7), § 952.204-77

·  VA: Formerly VAAR § 852.273-75 (currently withdrawn)

II.  Cyber Requirements under Federal Acquisition Regulation

A.  Acquisition Planning (FAR § 7.103(w))

“Ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB’s implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce’s National Institute of Standards and Technology.”

Note that the FAR text still cites the 2002 codification of FISMA (44 U.S.C. 3544); the Federal Information Security Modernization Act of 2014 (Pub. L. 113-283) recodified those provisions at 44 U.S.C. §§ 3551-58, the citation used in Section I.A above.

B.  OMB & NIST Standards (FAR § 39.101(d))

“In acquiring information technology, agencies shall include the appropriate information technology security policies and requirements, including use of common security configurations available from the National Institute of Standards and Technology’s Web site at http://checklists.nist.gov. Agency contracting officers should consult with the requiring official to ensure the appropriate standards are incorporated.”

C.  Privacy & Security (52.239-1 Privacy or Security Safeguards)

D.  Delegation to Individual Agencies (FAC 2005-06, 70 Fed. Reg. 57450)

“The Councils recognize that IT security standards will continue to evolve and that agency-specific policy and implementation will evolve differently across the spectrum of Federal agencies, depending on their missions. Agencies will customize IT security policies and implementations to meet mission needs as they adapt to a dynamic IT security environment.” [Emphasis added]

III.  Harmonization of Federal Cyber Acquisition Regulations

A.  Rationale for Harmonization

The support for harmonization of federal cyber acquisition regulations comes from several sources.

1.  Cybersecurity Executive Order 13636 (Feb. 19, 2013)

“Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.” [Emphasis added]

2.  FAR Policy (FAR 1.101)

The FAR grew out of the multiplicity of agency-level regulations and the regulatory divide between the military Defense Acquisition Regulation (DAR) and the civilian Federal Procurement Regulations (FPR).

“The Federal Acquisition Regulations System is established for the codification and the publication of uniform policies and procedures for acquisition by all executive agencies.” [Emphasis added]

3.  ABA Comments

“The variations in these statutes, regulations, and policies create significant compliance challenges for contractors doing business with the Government across the spectrum of federal agencies. As a core goal of establishing an information security framework for federal acquisitions, the Government should use this opportunity to provide more consistency and uniformity when applying such requirements and standards.”[1]

B.  Multiplicity of Regulations

At the top of the hierarchy, FAR §§ 7.103(w) & 39.101(d) provide no specific guidance or direction. Beneath them sit the separate agency-level cyber acquisition regulations listed in Section I.B above (DoD, GSA, DHS, NASA, HHS, State, Commerce, Transportation, HUD, Education, Energy, and, formerly, VA), each drafted independently.

C.  Variations in Regulations

The agency-level cyber acquisition regulations have included both similarities and differences in requirements, specificity, and structure.

The following compares each security provision across DoD (DFARS § 239.7102), GSA (GSAM § 552.239-71), DHS (HSAR § 3052.204-70), and NASA (NASA FARS § 1852.204-76):

·  Reference to internal policy: DoD: Yes (DoD Directives); GSA: Yes (CIO IT Guide); DHS: Yes (DHS 4300A); NASA: Yes (CIO list)

·  Reference to NIST standard: DoD: No; GSA: Yes (SP 800-116 & SP 800-37); DHS: No (“Federal policies”); NASA: No (“FISMA”)

·  Security plan or procedure: DoD: No (see Directive); GSA: Yes; DHS: Yes; NASA: Yes

·  Security controls: DoD: No (see Directive); GSA: Some controls (not NIST); DHS: Some controls (not NIST); NASA: Some controls (not NIST)

·  Security audit & access: DoD: No (see Directive); GSA: Yes; DHS: Yes (“security test”); NASA: Yes

·  Incident response plan: DoD: No (see Directive); GSA: No; DHS: No; NASA: No

·  Security training: DoD: Yes (§ 252.239-7001); GSA: No; DHS: No; NASA: Yes (NASA policy)

IV.  Agency-Specific Cyber Acquisition Regulations

Many agencies have specific acquisition regulations addressing information security (or information assurance). Examples include the following.

A.  Department of Defense (DoD)

1.  Security & Privacy for Computer Systems (DFARS 239.7102-1)

The DFARS includes general information assurance requirements for acquisition of information technology.

Agencies shall ensure that information assurance is provided for information technology in accordance with current policies, procedures, and statutes, to include –

(1) The National Security Act;

(2) The Clinger-Cohen Act;

(3) National Security Telecommunications and Information Systems Security Policy No. 11;

(4) Federal Information Processing Standards;

(5) DoD Directive 8500.1, Information Assurance;

(6) DoD Instruction 8500.2, Information Assurance Implementation;

(7) DoD Directive 8570.01, Information Assurance Training, Certification, and Workforce Management; and

(8) DoD Manual 8570.01-M, Information Assurance Workforce Improvement Program.[2]

The primary references defining specific security controls and requirements (DoD Directive 8500.1 and DoD Instruction 8500.2) have been cancelled and superseded by DoD Instruction 8500.01 (Cybersecurity) and DoD Instruction 8510.01 (Risk Management Framework (RMF) for DoD Information Technology), both issued in March 2014; the DFARS text quoted above has not yet been updated to reflect this.

2.  Safeguarding of Unclassified Technical Information (204.7300)

The DFARS addresses “Safeguarding Unclassified Controlled Technical Information” in its own Subpart, distinct from the information assurance requirements above.

This subpart applies to contracts and subcontracts requiring safeguarding of unclassified controlled technical information resident on or transiting through contractor unclassified information systems. [DFARS 204.7300(a)]

This DFARS rule includes an express reference to marking data “in accordance with DoD Instruction 5230.24.” DFARS 204.7301.

3.  Supply Chain Risk (DFARS 239.7300)

The DFARS also incorporates a National Defense Authorization Act requirement for supply chain risk.

This subpart implements section 806 of the National Defense Authorization Act for Fiscal Year 2011 (Pub. L. 111-383) and elements of DoD Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN) at (http://www.dtic.mil/whs/directives/corres/pdf/520044p.pdf).

These supply-chain requirements “shall be applied to acquisition of information technology for national security systems, as that term is defined at 44 U.S.C. 3542(b), for procurements involving [certain source selections and/or task/delivery orders for covered systems or items].” DFARS 239.7301.

4.  DoD Breach Notification Standards

For defense contractors, DoD public laws, regulations, and internal policies impose differing data breach notification requirements, depending upon the type of data the contractor held and whether that data was compromised during the breach.

·  Cleared Defense Contractors. In the event of a “successful penetration” of a cleared defense contractor’s network, that contractor must “rapidly report” the event to DoD, including the “technique or method used,” a “sample of the malicious software,” and a summary of DoD information on the system.[3]

·  Technical Information. For unclassified controlled technical information, a defense contractor has 72 hours to report a “cyber incident involving possible exfiltration, manipulation, or other loss or compromise” of such data and to provide 13 categories of information to DoD regarding this incident.[4]

·  Cloud Service Providers. For commercial cloud service providers, DoD has issued a policy memorandum requiring such contractors to report a “data breach” within 60 minutes.[5]

B.  Homeland Security Acquisition Regulations

The Homeland Security Acquisition Regulations (HSAR) include some discussion of information security, but leave most of the substantive security guidance to an internal Department of Homeland Security (DHS) policy (DHS Sensitive System Policy Publication 4300A).

1.  Basic Security Clause

For information security, DHS acquisition regulations (HSAR) include the following clause at HSAR 3052.204-70, “Security Requirements for Unclassified Information Technology Resources.”

As prescribed in (HSAR) 48 CFR 3004.470-3 Contract clauses, insert a clause substantially the same as follows:

SECURITY REQUIREMENTS FOR UNCLASSIFIED INFORMATION TECHNOLOGY RESOURCES (JUN 2006)

(a) The Contractor shall be responsible for Information Technology (IT) security for all systems connected to a DHS network or operated by the Contractor for DHS, regardless of location. This clause applies to all or any part of the contract that includes information technology resources or services for which the Contractor must have physical or electronic access to sensitive information contained in DHS unclassified systems that directly support the agency’s mission.

(b) The Contractor shall provide, implement, and maintain an IT Security Plan. This plan shall describe the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under this contract.

(1) Within ____[“insert number of days”] days after contract award, the contractor shall submit for approval its IT Security Plan, which shall be consistent with and further detail the approach contained in the offeror's proposal. The plan, as approved by the Contracting Officer, shall be incorporated into the contract as a compliance document.

(2) The Contractor’s IT Security Plan shall comply with Federal laws that include, but are not limited to, the Computer Security Act of 1987 (40 U.S.C. 1441 et seq.); the Government Information Security Reform Act of 2000; and the Federal Information Security Management Act of 2002; and with Federal policies and procedures that include, but are not limited to, OMB Circular A-130.

(3) The security plan shall specifically include instructions regarding handling and protecting sensitive information at the Contractor’s site (including any information stored, processed, or transmitted using the Contractor’s computer systems), and the secure management, operation, maintenance, programming, and system administration of computer systems, networks, and telecommunications systems.

(c) Examples of tasks that require security provisions include—

(1) Acquisition, transmission or analysis of data owned by DHS with significant replacement cost should the contractor’s copy be corrupted; and

(2) Access to DHS networks or computers at a level beyond that granted the general public (e.g., such as bypassing a firewall).

(d) At the expiration of the contract, the contractor shall return all sensitive DHS information and IT resources provided to the contractor during the contract, and certify that all non-public DHS information has been purged from any contractor-owned system. Components shall conduct reviews to ensure that the security requirements in the contract are implemented and enforced.

(e) Within 6 months after contract award, the contractor shall submit written proof of IT Security accreditation to DHS for approval by the DHS Contracting Officer. Accreditation will proceed according to the criteria of the DHS Sensitive System Policy Publication, 4300A (Version 2.1, July 26, 2004) or any replacement publication, which the Contracting Officer will provide upon request. This accreditation will include a final security plan, risk assessment, security test and evaluation, and disaster recovery plan/continuity of operations plan. This accreditation, when accepted by the Contracting Officer, shall be incorporated into the contract as a compliance document. The contractor shall comply with the approved accreditation documentation. [Emphasis added]

2.  Internal DHS Policy

The DHS regulation refers to the “DHS Sensitive System Policy Publication, 4300A (Version 2.1, July 26, 2004).” An internet search locates DHS Sensitive Systems Policy Directive 4300A, Version 8.0 (March 14, 2011), which spans 125 pages. In turn, this Directive refers to the DHS 4300A Sensitive Systems Handbook and nine specific DHS Management Directives (MD).

3.  NIST Standards

The DHS regulations include general references to security controls (e.g., security plan, security test and evaluation, and continuity of operations plan), but no specific reference to NIST standards, such as NIST SP 800-53, Rev. 4 (“Security and Privacy Controls”).[6] Such references do appear in the internal guidance, including DHS Sensitive Systems Policy Directive 4300A, Version 8.0.

4.  Personnel Access

The DHS regulations generally limit personnel access to federal IT systems to U.S. citizens.[7] In response to the Cybersecurity Executive Order, the DoD/GSA Final Report stated:

In general, implementation must be harmonized with, and be built upon as appropriate, existing international and consensus based standards, as well as statutes and regulations applicable to this field, including the Federal Information Security Management Act of 2002 (FISMA) . . . .[8]