While hardly a new topic for anyone doing business with the government, current events and the challenges of COVID-19 provide a cautionary tale and a timely reminder that doing business with the government carries with it the burden of ensuring that applicable data privacy and security protections are in place. As companies consider their existing relationships with the U.S. government, or contemplate pursuing new business with the U.S. government in response to current challenges, we thought it a good time to provide a high-level summary of what to expect.
All organizations store, maintain, and process data to some extent. However, organizations that contract with the federal government may also be storing controlled unclassified information (“CUI”). The federal government requires that CUI be protected from public disclosure and other unauthorized use. Protection of CUI in nonfederal systems and organizations is important to federal agencies and can directly affect the ability of the federal government to successfully conduct its essential missions and functions. For example, over the last decade, cyber criminals have increasingly targeted contractor organizations to extract information in an attempt to weaken the federal government’s supply chain. Accordingly, companies can expect to see an emphasis on the security of CUI when contracting with the federal government, because they process CUI and other types of data on the government’s behalf, whether directly as a prime contractor or as a subcontractor to a prime contractor of the government.
In December 2017, all Department of Defense (DoD) contractors processing sensitive types of government information were required to comply with the security controls described in NIST SP 800-171, Rev. 1. Earlier this year, NIST released Revision 2 (“Rev. 2”), providing agencies with updated guidance for securing CUI on systems and in organizations outside of the federal government. Specifically, Rev. 2 provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI:
- when such information is resident in nonfederal systems and organizations;
- when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency, or using or operating a system on behalf of an agency (systems operated on an agency’s behalf are already subject to the agency’s own federal requirements); and
- where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulations, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.
As a result, companies that may have placed data security on the back burner of their list of priorities will need to adopt administrative, technical, and physical safeguards to secure any CUI they handle by virtue of contracting with the federal government. For example, organizations will need to identify the controls they have adopted to address, among other areas:
- access control,
- security awareness and training,
- configuration management,
- identification and authentication,
- incident response,
- media protection,
- personnel security, and
- risk assessment and security assessment.
Indeed, failing to implement such controls will jeopardize the organization’s ability to keep that contract or to win contracts in the future.
In addition, in January 2020, the DoD released its highly anticipated new set of cybersecurity standards that companies must eventually adhere to if they want to do business with any DoD agency. Cybersecurity Maturity Model Certification Version 1.0, or CMMC, is an effort to force the defense industrial base to better protect its networks and CUI against cyberattacks and theft by competitors and foreign governments. NIST SP 800-171, Rev. 2 is one of the many cybersecurity control standards that CMMC combines into one unified cybersecurity standard. The DoD has also indicated that it will begin using CMMC as a means to verify that organizations wishing to work with the DoD are fulfilling essential digital security requirements. DoD officials plan to begin working with third-party assessors to audit prospective contractors for compliance with CMMC by June 2020. Contractors wishing to get ahead of the curve, however, can seek certification from an approved assessor. More information is available from the Office of the Under Secretary of Defense for Acquisition & Sustainment’s website on CMMC.
As you might imagine, implementing such a program requires a significant investment of time, if not money. As both public- and private-sector organizations look to do business with the federal government, those already compliant with NIST SP 800-171 will find this easier to achieve, provided that they start now. Many RFPs will require companies to represent in their proposals that they are compliant with NIST standards or to provide other assurances that their companies and systems are ready. These representations should not be made lightly. Companies that misrepresent their NIST compliance can find themselves in trouble for having made a false statement to the U.S. Government. Indeed, complying with NIST is a cost of doing business with the government. If you have not started evaluating your company’s status, planning for compliance, or implementing it, now is definitely the time. Taft’s Government Contracting and Privacy & Data Security practice groups can help strategize on the best risk-based approaches to meeting such requirements.