Government Contractors Face New Data Breach Disclosure and Investigation Requirements

A planned rule would require contractors to save images of breached systems and allow agencies access.

The government’s lead contracting agency plans to formalize how and when contractors are required to disclose data breaches and to mandate better government visibility into how serious those breaches are.

The proposed rule will mandate that the General Services Administration and the agency that’s being served by the contract have access to breached contractor systems, according to a regulatory roadmap set to be published in Friday’s Federal Register.

Contractors will also be required to preserve images of the affected systems for the government to review, the roadmap states.

The proposed rule is scheduled to be published in February with a comment period that closes in April.

Contractors have frequently been a weak point for federal cybersecurity efforts.

In 2014, for example, two separate contractor breaches exposed background check information about 48,000 and 25,000 government employees respectively. Those breaches were soon overshadowed by the massive Office of Personnel Management breach in 2015, which exposed background check records on more than 20 million current and former federal employees and their families.

In 2011, the contractor Science Applications International Corp. lost track of health records about 4.9 million military health care beneficiaries when the records were stolen from an employee’s car.

The cybersecurity firm BitSight found in a February report that over 8 percent of health-sector government contractors and 5.6 percent of aerospace and defense contractors had disclosed a data breach since January 2016.

Contractor cybersecurity was generally significantly lower than federal agency cybersecurity, the BitSight report said.

GSA’s proposed rule will also require contractors to disclose any data breach that compromises the “confidentiality, integrity, or availability” of data or information systems owned or managed on behalf of government agencies.

Those requirements already exist but have not gone through a formal rulemaking process and aren’t consistently adhered to, according to the notice.

The rule will also outline how the government will use and protect any proprietary information a contractor shares as part of a breach investigation, the notice states.