New FAR Rules Likely for "Critical Infrastructure" Contractors
On February 12, 2013, President Obama signed an Executive Order (the Order) intended to enhance the cybersecurity of the country's critical infrastructure. According to the Order, "[t]he cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront." The Order requires federal agencies and critical infrastructure owners and operators to work together to reduce cyber risks, and calls for the development of new security standards and best practices for critical infrastructure owners and operators.
In addition, the Order portends the establishment of new evaluation criteria and contractual obligations for government contractors. Among other things, the Order instructs the General Services Administration (GSA) and the Department of Defense (DoD) to consider incorporating cybersecurity standards into federal acquisition planning and contract administration.
It seems likely that in the months ahead the Federal Acquisition Regulation (FAR) will be amended to include new cybersecurity requirements. A proposed cybersecurity law the White House sent to Congress in May of 2011 may offer clues about the potential shape and scope of these FAR requirements. The White House's proposed legislation would have required critical infrastructure owners and operators to develop plans, based on federally developed, risk-based standards, for addressing cyber threats. Such plans would have been reviewed by third-party, commercial auditors. In addition, the proposed legislation would have established a comprehensive data breach notification requirement intended to "simplify and standardiz[e] the existing patchwork of 47 state laws."
It would not be surprising, then, in the wake of the Order, to see similar requirements contractually imposed on federal contractors that operate cyber systems, and to see cybersecurity issues become part of agency evaluation criteria in managing procurements and awarding contracts. To win contracts, a cyber system operator likely will need to have effective plans and systems in place, along with an ability to write proposals that explain convincingly how those plans and systems will help the cyber system operator deter and stand up to threats. These obligations will likely be triggered where the offeror or contractor is an entity designated as part of the U.S. critical infrastructure, or where the offeror, after contract award, will operate a facility that has been deemed part of the U.S. critical infrastructure.
The Order defines the term "critical infrastructure" as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Section 1016 of the USA PATRIOT Act (P.L. 107-56) (Oct. 16, 2001) employs the same definition. Examples of sectors likely to be deemed "critical infrastructure" include the following:
- Public Health
- Emergency Services
- Defense Industrial Base
- Information and Telecommunications
- Banking and Finance
- Chemical Industry
- Postal and Shipping
The Department of Homeland Security, DoD and the Department of Treasury will be responsible for determining which entities are part of the critical infrastructure. The Order requires that the Secretary of Homeland Security establish a process through which entities can challenge a classification and request reconsideration.
Contractors that want to be a part of the process now should consider getting involved in the DHS Critical Infrastructure Partnership Advisory Council. They might also review the National Institute of Standards and Technology "preliminary Framework" when it is published (within 240 days of the date of the Order) and consider providing comments.
While the Order will create new obligations for some federal contractors, it should also engender new opportunities. For example, the Order directs the Secretary of Homeland Security to "expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis" and seeks to "establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure."
© 2013 Perkins Coie LLP