Look for the whole government to take a page from the Pentagon and require that firms notify their agency customers of hacks into company-owned systems within three days of detection, procurement attorneys and federal officials say.
Right now, vendors only have to report compromises of classified information and defense industry trade secrets. The trade secret rule is new and covers breaches of nonpublic military technological and scientific data, referred to as "unclassified controlled technical information."
That new reporting requirement kicked in Nov. 18, 2013 and applies to all military contracts inked since.
The rule "is impactful in large part because it is one of the first very clear cybersecurity directives," said Anuj Vohra, a Covington & Burling senior associate in the firm's government contracts practice. "We'll see more regulations like that among nondefense agencies."
He was interviewed Monday evening after an industry event hosted by the law firm and George Washington University.
Violating certain breach clauses could mean the end of a company's contract or even being banned from government work entirely.
No Similar Rules for Civilian Agencies
Civilian agencies don’t have a comparable breach mandate, even though there has been a steady stream of high-profile hacks governmentwide over the past few years. Examples include computer breaches at Serco, which handled federal employee retirement investments, and USIS, a private firm that conducts background investigations on many civilian and military personnel.
Until there is a uniform rule, there will be unrest within the contracting community over why, for instance, the departments of Defense and Homeland Security have different reporting requirements.
George Washington University law lecturer Richard Gray, who also serves as DOD's associate general counsel, said he is hopeful the Pentagon regulation "will be the vehicle for applying some harmonization across all the agencies." He spoke to Nextgov, as an academic, not on behalf of the Pentagon, after Monday's event.
The controlled unclassified rule might provide some consistency and predictability, "even though it's still always going to be an adaptive open dialogue in this space" of cyber policy, Gray said. "Because it's new and we don't really know what we don't know yet."
Contractors Asleep at the Switch?
The rule states that within 72 hours of discovering any compromise of unclassified controlled technical information in a company system, the company must disclose which contracts are affected, the location of the leak and a description of the data compromised, among other things, to the extent those details are known at the time.
During his public remarks, Gray said the regulation is mainly directed at companies that have been asleep at the switch on basic network hygiene for a long time.
Many, if not most, hacking techniques exploit "existing known vulnerabilities for which there are patches" and other simple solutions, he said. "Most of the problems that we see right now are companies that are not taking advantage of stuff that's free, that's available, that's been out there for months, maybe years." Think updating Adobe.
Some contract attorneys expect a sharp uptick in efforts to enforce cybersecurity inside contractors’ private offices and facilities.
Agencies are "ramping up the regulations," Robert Nichols, co-chair of Covington's government contracts practice, said during the event.
"You'll see contractors that are suspended or barred for having inadequate systems," Nichols said. They "may face potential false claims liability if they are putting in invoices, saying, impliedly 'We are complying with these standards,' but they are really not."
However, he said he does not think the 72-hour rule will be feasible in many situations.
Over the next couple of years, the government will recognize "this is close to impossible to effect for the day-to-day issues that arise," Nichols said. "It will be most important for the large incidents."