Beginning in April 2018, the General Services Administration (GSA) will publish for 60 days of public comment updates to its cybersecurity requirements for eventual integration into the GSA Acquisition Regulation (GSAR). [GSAR Case 2016-G511, Information and Information Systems Security, 83 Fed. Reg. 1941 (Jan. 12, 2018).] Then, beginning in August 2018, the GSA will publish for 60 days of public comment updates to its cyber incident reporting requirements for GSA contractors. [GSAR Case 2016-515, Cyber Incident Reporting, 83 Fed. Reg. 1941 (Jan. 12, 2018).] GSA’s brief description of the updates, and some factors it might consider, are summarized below.
I. GSA’s New Cybersecurity Requirements
Currently, the GSA cybersecurity requirements mandate that contractors protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities and threats in accordance with the Federal Information Security Modernization Act of 2014 and associated Federal cybersecurity requirements. The final rule will require contracting officers to incorporate applicable GSA requirements within statements of work to ensure compliance with the new rule; demand that contractors implement best practices for preventing cybersecurity incidents; and impose cybersecurity requirements for internal contractor systems, external contractor systems, cloud systems, and mobile systems. It will also update existing GSAR provision 552.239-70, Information Technology Security Plan and Security Authorization, and GSAR clause 552.239-71, Security Requirements for Unclassified Information Technology Resources, to only require the provision and clause when the contract will involve information or information systems connected to a GSA network.
II. GSA’s New Incident Reporting Requirements
Like the existing cybersecurity requirements, the existing cyber incident reporting policy, GSA Order CIO 9297.2, GSA Information Breach Notification Policy, did not previously go through the rulemaking process. The final cybersecurity incident reporting rule will require contracting officers to include cyber incident reporting requirements within GSA contracts and orders placed against GSA multiple award contracts. The final rule will also outline the roles and reporting responsibilities of the GSA contracting officer, contractors, and agencies ordering off of GSA contracts; establish a contractor’s reporting obligations where the confidentiality, integrity, or availability of GSA information or information systems is potentially compromised, or where the confidentiality, integrity, or availability of information or information systems owned or managed by or on behalf of the U.S. Government is potentially compromised; establish explicit timeframes for reporting cyber incidents; describe the details and required elements of a cyber incident report; provide Government points of contact for submitting reports; and explain the process for determining which agency will be primarily responsible for the cyber incident. The rule will also outline additional contractor requirements for cyber incidents involving personally identifiable information (PII).
Much like the Safeguarding Covered Defense Information and Cyber Incident Reporting regulation, DFARS 252.204-7012, the new GSAR rule will clarify both GSA and ordering agencies’ authority to access contractor systems in the event of a cyber incident; establish a requirement for the contractor to preserve images of affected systems; ensure contractor employees receive appropriate training for reporting cyber incidents; and outline how contractor attributional/proprietary information provided as part of the cyber incident reporting process will be protected and used.
III. Some Factors GSA Might Consider
There are 23 categories and 84 subcategories of Controlled Unclassified Information, and it’s hard to argue that any of them are less deserving of the protections afforded by the National Institute of Standards and Technology Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
For data security, GSA might consider following the DFARS Safeguarding Rule and require that contractors implement the security practices of SP 800-171 in effect at the time of the solicitation, and as updated and authorized by the GSA Contracting Officer. GSA might also explicitly recognize that, while compliance with SP 800-171 is expected, there may be circumstances in which additional cybersecurity measures are warranted. Likewise, if the contractor intends to use an external cloud service provider to store, process, or transmit any controlled unclassified information in performance of a GSA contract, the contractor should require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline, and that the cloud service provider complies with requirements for cyber incident reporting, media preservation and protection, access for forensic analysis, and cyber incident damage assessment.
For cyber incident reporting, GSA might consider the breach notification obligations under the Department of Homeland Security Acquisition Regulation (HSAR) proposed rule, Safeguarding Controlled Unclassified Information (HSAR Case 2015-001). The HSAR final rule is expected in September 2018. [82 Fed. Reg. 40293.] Currently, GSA requires that initial notification be completed within 60 calendar days of the date the incident was determined to be a breach, unless communication cannot occur during this time frame. [GSA Information Breach Notification Policy, 9297.2C CIO, July 31, 2017.] As DHS determined, it’s better to notify affected persons sooner rather than later so that they can take steps to protect themselves and their families. Contractors that are subject to certain state data breach notification laws may find that they are subject to shorter reporting deadlines (such as 30 days for Florida residents and 45 days for Ohio residents). And, while GSA determines on a case-by-case basis whether credit monitoring will be offered under the existing policy, it might be better to simply have a standing rule requiring that such services be provided, and then see how many people actually sign up for the service.