Last month, the Federal Acquisition Regulation (FAR) Council released important proposed rules on cybersecurity incident reporting and information sharing. Comments are currently due by February 2, 2024.
The proposed reporting changes raise some significant challenges. Representative examples are set out below.
- The proposal states: “The proposed rule emphasizes that compliance with the information sharing and incident reporting requirements is material to eligibility and payment under Government contracts.” [emphasis supplied] “Materiality” is an essential element of proof in False Claims Act (FCA) claims. The FCA is a “nuclear” enforcement mechanism that the Department of Justice actively uses to enforce cybersecurity compliance.
- The proposed definition of “information and communications technology” (ICT) is broad and applies to “all solicitations and contracts,” not just those relating to ICT. To a busy contract manager who does not read the definition carefully, this application may appear to be unlimited, even though the definition, when read in full, is limited to “information technology and other equipment, systems, techniques, or processes for which the major function is the creation, manipulation, storage, display, reception, and transmission of electronic data and information and related content.” [emphasis supplied] The potential impact of such a misreading, even if minimal, could be that reporting obligations are imposed on contracts where ICT is included only incidentally or not at all. The cost of ensuring compliance in such situations may be unaffordable for some (especially smaller) contractors, with the result that a “no bid” decision may follow, which reduces competition.
- New and existing Internet of Things (IoT) devices will become more and more common, and future “connected” features and devices that meet this broad definition have not yet been imagined. The lack of clarity about how the proposals apply to such devices can similarly result in a “no bid” decision, or perhaps even a decision to withdraw from federal contracting altogether. This lack of clarity ultimately means increased government costs and reduced competition. Even without the additional risk of an FCA enforcement action, both outcomes are suboptimal.
- The proposed definition of “security incident” is also very broad, including any “actual or imminent” event that implicates laws, security policies, security procedures, or acceptable use policies. The breadth and imprecision of what is included creates confusion about what is and is not subject to the reporting requirements. Two related factors further confuse matters: (a) the OMB-mandated transition of federal information systems to Internet Protocol version 6 (IPv6), and (b) the inclusion of operational technology (as defined in the proposal). The individual and collective effects of all these issues point to potentially undesirable negative incentives.
- The proposal includes an obligation to cooperate whenever a reportable incident occurs. This obligation requires the contractor to cooperate fully with three federal agencies: (a) the contracting agency, (b) the Cybersecurity and Infrastructure Security Agency (CISA), and (c) the FBI. Requiring contractors to give the government unfettered access to their personnel and information systems is likely to be seen as onerous and as a disincentive. A prudent contractor is unlikely to be optimistic about granting such access to government agencies because of the negative events that may result. Such negative events may include not only potential damage to the information system itself, but also potential liability and negative consequences arising from obligations to third parties under unrelated contracts.
- Federal acquisitions involving international subcontractors and suppliers introduce additional complicating factors. The complexity of compliance and risk assessment within the United States alone requires significant effort and expense. International subcontractors and suppliers must also consider and monitor international agreements and sanctions regimes. Bringing foreign subcontractors (and suppliers) into compliance with both U.S. obligations and local laws dramatically increases complexity, cost, and risk. Threading such a needle may be possible, but it will certainly be costly, especially when countries with their own legal frameworks are involved. Ultimately, the cost of risk assessment and compliance in such situations can be substantial, especially if the Department of Justice chooses to use the FCA as an enforcement tool.
Conclusion
These proposed mandates could have serious implications not only for competition but also for government access to cutting-edge innovation. The most innovative small businesses and startups may choose not to participate in a federal acquisition rather than risk an FCA charge by the government. Such decisions impact overall competition and government access to cutting-edge innovation.
This publication is for general information purposes only and is not a solicitation for the provision of legal advice or legal services. The information contained in this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Readers should not act on this information without consulting professional legal counsel. The views and opinions expressed herein represent only the author’s personal views and not necessarily those of Clark Hill PLC. Although we strive to ensure that postings on our website are complete, accurate, and up-to-date, we do not assume any responsibility for their completeness, accuracy, or timeliness.