Beginning in April 2018, the General Services Administration ("GSA") will publish updates to its cybersecurity requirements for eventual integration into the GSA Acquisition Regulation ("GSAR"). [GSAR Case 2016-G511, Information and Information Systems Security, 83 Fed. Reg. 1941 (Jan. 12, 2018).] The GSA intends to allow 60 days for public comment. Then, beginning in August 2018, the GSA will publish updates to its cyber incident reporting requirements for GSA contractors, again with a 60-day public comment period. [GSAR Case 2016-G515, Cyber Incident Reporting, 83 Fed. Reg. 1941 (Jan. 12, 2018).] The GSA's brief description of the updates, and some factors it might consider, are summarized below.
I. GSA’s New Cybersecurity Requirements
Currently, the GSA cybersecurity requirements mandate that contractors protect the confidentiality, integrity and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities and threats in accordance with the Federal Information Security Modernization Act of 2014 and associated federal cybersecurity requirements. The final rule will require contracting officers to incorporate applicable GSA requirements within statements of work to ensure compliance with the new rule, require contractors to implement best practices for preventing cybersecurity incidents, and impose cybersecurity requirements for internal contractor systems, external contractor systems, cloud systems and mobile systems. It will also update existing GSAR provision 552.239-70, Information Technology Security Plan and Security Authorization, and GSAR clause 552.239-71, Security Requirements for Unclassified Information Technology Resources, so that the provision and clause apply only when a contract involves information or information systems connected to a GSA network.
II. GSA’s New Incident Reporting Requirements
Like the GSA's existing cybersecurity requirements, the existing cyber incident reporting policy, GSA Order CIO 9297.2, GSA Information Breach Notification Policy, did not previously go through the rulemaking process. The final cyber incident reporting rule will require contracting officers to include cyber incident reporting requirements within GSA contracts and orders placed against GSA multiple award contracts. The final rule will also outline the roles and reporting responsibilities of the GSA contracting officer, contractors and agencies ordering from GSA contracts. It will establish a contractor's reporting obligations where the confidentiality, integrity or availability of GSA information or information systems is potentially compromised, or where information or information systems owned or managed by or on behalf of the U.S. government are potentially compromised. It also will establish explicit time frames for reporting cyber incidents and describe the details and required elements of a cyber incident report. Finally, it will provide government points of contact for submitting reports and explain the process for determining which agency will be primarily responsible for the cyber incident. The rule will also outline additional contractor requirements for cyber incidents involving personally identifiable information ("PII").
Much like the DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting clause, DFARS 252.204-7012, the new GSAR rule will clarify both the GSA's and ordering agencies' authority to access contractor systems in the event of a cyber incident, establish a requirement for the contractor to preserve images of affected systems, require that contractor employees receive appropriate training for reporting cyber incidents, and outline how contractor attributional and proprietary information provided as part of the cyber incident reporting process will be protected and used.
III. Some Factors GSA Might Consider
There are 23 categories and 84 subcategories of Controlled Unclassified Information, and it is hard to argue that any of them is less deserving of the protections afforded by National Institute of Standards and Technology Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."
For data security, the GSA might consider following the DFARS Safeguarding Rule and require that contractors implement the security requirements of SP 800-171 in effect at the time of the solicitation, as updated and authorized by the GSA contracting officer. The GSA could explicitly recognize that, while compliance with SP 800-171 is expected, there may be contract-related events or circumstances for which additional cybersecurity measures are warranted. Likewise, if the contractor intends to use an external cloud service provider to store, process or transmit any controlled unclassified information in performance of a GSA contract, the GSA may require the contractor to confirm that its cloud service provider meets security requirements equivalent to those established by the government for the Federal Risk and Authorization Management Program ("FedRAMP") moderate baseline, and complies with requirements for cyber incident reporting, media preservation and protection, access for forensic analysis, and cyber incident damage assessment.
For cyber incident reporting, the GSA might consider the breach notification obligations in the Department of Homeland Security Acquisition Regulation ("HSAR") proposed rule, Safeguarding Controlled Unclassified Information (HSAR Case 2015-001). The HSAR final rule is expected to be published in September 2018. [82 Fed. Reg. 40293.] Currently, the GSA requires that initial notification be completed within 60 calendar days of the date the incident was determined to be a breach, unless communication cannot occur within that time frame. [GSA Information Breach Notification Policy, CIO 9297.2C, July 31, 2017.] The DHS appears to have gone in a different direction, deciding that it is better to notify affected persons sooner rather than later so they can take steps to protect themselves and their families. Federal contractors may also already be subject to state data breach notification laws with shorter deadlines (such as 30 days for Florida residents and 45 days for Ohio residents). And, while the GSA's existing policy determines on a case-by-case basis whether credit monitoring should be offered, it might be better to adopt a standing rule requiring that such services be provided and then observe how many affected individuals actually enroll.