Feds: New Rules Needed to Tighten IT Contractor Security
The U.S. government is worried about the improper release of federal information that finds its way into the electronic IT systems of all federal contractors. In a recent notice, the government said it was seeking comment from the business community on a proposal to tighten security related to the transmission of "non-public" information through the IT systems of contractors working for federal agencies.
The proposal covers the full range of all contracting activities -- from construction projects, to IT systems, to consumer product protections.
Generally, the rule would apply to contracts valued at more than US$150,000, but it could be invoked for smaller contracts if the government deemed it necessary to do so. The proposal applies to all federal contractors and appropriate subcontractors, regardless of size or business ownership.
The proposal, published in the Aug. 24 Federal Register, would add a contract clause to address the basic safeguarding of contractor information systems "that contain or process information provided by or generated for" the government, except for public information.
The Federal Acquisition Regulation (FAR) notice covers such IT venues as public computers or websites, transmission of electronic information, and voice and fax transmissions. In addition, the proposal covers functional operations involving physical and electronic barriers, sanitization, intrusion protection and transfer limitations.
While contractors must be mindful of handling government information, currently there are no standard contractual clauses or obligations that require contractors to follow any particular standard of care for safeguarding non-public data, observed Jon Burd, an attorney with Wiley Rein.
"The proposed rule attempts to close the gap by imposing minimum contractual obligations on contractors and subcontractors to implement and adhere to basic information safeguarding protocols," he told the E-Commerce Times.
The agencies that make up the government's FAR Council -- the Department of Defense, the General Services Administration, and the National Aeronautics and Space Administration -- concluded that the proposed requirements are an extension of mandates of the Federal Information Security Management Act of 2002 (FISMA).
Views Differ on Impact
The government downplayed the proposal's potential burden on contractors.
"The resultant cost impact is considered not significant, since the first-level protective measures, such as updated virus protection or the latest security software patches, are typically employed as part of the routine course of doing business," GSA said in the proposal.
Conversely, a lack of protection in contractor IT systems could be important -- it could impede federal IT performance and potentially lead to the loss of valuable information.
As a result, "the benefit of securely receiving and processing government information that will be resident on, or transiting through contractor information systems offers substantial value to contractors and the government by reducing vulnerabilities to contractor systems by keeping information safe," GSA said.
As often happens with government proposals, however, the devil is in the details.
"Although the individual requirements may not appear independently burdensome, taken together, the proposed rule imposes yet another layer of compliance obligations on government contractors that will require coordination amongst contractors, contractor employees, subcontract administrators, and information technology specialists to ensure compliance," noted Erin Sheppard, an attorney at McKenna Long & Aldridge.
Also, there are ambiguities in the proposal's language, Sheppard pointed out, urging contractors to review and comment on the notice.
For example, the proposed rule would prohibit federal contractors from using publicly available devices such as computers at airport kiosks or hotel business centers. The proposal requires that contractors protect government information "by at least one physical and one electronic barrier (e.g., locked container or room, login and password) when not under direct individual control."
IT Resources Deemed Adequate
However light or heavy the burden of compliance may be, most major federal contractors should be able to address the proposal with existing IT resources, Sheppard suggested.
"Many sophisticated government contractors may already have similar safeguards in place, and will therefore not feel much of an impact from the proposed rule beyond ensuring compliance with subcontract flow-down requirements," she told the E-Commerce Times.
For businesses serving the government, the proposed rule "could present an opportunity for vendors to assist the less-sophisticated government contractors, but we do not see this rule as creating much of a new market for such products and services with the more sophisticated government contractors who already have such safeguards in place," Sheppard said.
"The proposed rule does not have a direct effect on individual agency IT acquisition policies," she added.
"Obviously, the proposed rule would require covered contractors to implement basic intrusion protection measures, such as antivirus and antispyware products," Wiley Rein's Burd said.
"Most large and mid-size businesses employ these types of products in the normal course, because they are sound business practices in today's environment, so it is difficult for me to imagine a significant new opportunity for the IT companies who provide those products," he added.
"Many of the proposed requirements are behavioral and will depend on contractor personnel, just as much as technology standards, to ensure compliance," Burd said.
The impact of the proposal on the current drive to improve IT performance throughout the federal government would be minimal, he suggested.
"I would not expect this proposed rule to in any way affect other federal IT initiatives, especially those focused on the federal government's own IT products and services requirements," said Burd.
The government is taking comments on the proposal (referenced as FAR Case 2011-020) through Oct. 23.