
Cybersecurity for Government Contractors

Cybersecurity has become one of the most important concerns for companies of all sizes, and for good reason. A data breach can not only be financially devastating but can also damage your organization’s reputation. However, there is an additional risk for government contractors, as sensitive government data is often involved. Therefore, contractors must take extra precautions to ensure that their cybersecurity protocols are up to date.

The General Services Administration (GSA) manages numerous IT security programs that help government agencies implement IT policies. These policies promote public safety and enhance the resiliency of the government’s systems and networks. In addition, several federal agencies, including the Department of Defense (DoD) and the National Aeronautics and Space Administration (NASA), have issued acquisition regulations that impose new cybersecurity requirements on contractors. Below are the top five requirements with which your organization should be familiar:

1. FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems 

2. DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting 

3. NIST 800-171 – Protection of Controlled Unclassified Information 

4. CMMC Model – Cybersecurity Maturity Model Certification 

5. Executive Order (EO) 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure 

Each of these requirements is discussed in more detail below: 

1. FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems 

FAR 52.204-21 requires contractors to put basic security measures in place to protect the confidentiality, integrity, and availability of Controlled Unclassified Information (CUI)/Covered Defense Information (CDI) stored on their information systems. These measures include multi-factor authentication, least-privilege principles, and physical security controls.

2. DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting 

DFARS 252.204-7012 requires contractors to take additional steps to safeguard CUI/CDI, including implementing a plan for detecting, reporting, and responding to cybersecurity incidents. This regulation also requires contractors to have a written information security program that includes specific security measures and procedures.

3. NIST 800-171 – Protection of Controlled Unclassified Information 

NIST 800-171 is a set of security standards that contractors must meet to protect CUI/CDI. These standards cover areas such as access control, incident response, and system documentation.

4. CMMC Model – Cybersecurity Maturity Model Certification 

The Cybersecurity Maturity Model Certification (CMMC) is a new cybersecurity framework that will soon be required for all DoD contractors. This framework consists of five levels of maturity, each with its own set of requirements. Contractors must earn certification at the appropriate level to bid on specific contracts. 

5. Executive Order (EO) 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure 

EO 13800 requires federal agencies to improve the cybersecurity of their networks and critical infrastructure. This includes risk assessments, incident response plans, and cyber threat information sharing. While this Executive Order does not directly apply to contractors, it is vital to be aware of it, as it will likely indirectly affect how contractors do business with the government.

Tips for Meeting Contractor Cybersecurity Requirements

  • Get certified and accredited. Certification is essential in demonstrating to the government that your organization is serious about cybersecurity. The most common certification for contractors is the ISO 27001 standard. 
  • Limit access to those with a need-to-know. One of the best ways to protect CUI/CDI is to limit access to it. Make sure that only those who absolutely need access to CUI/CDI have it, and that they have access only to the specific information they need. 
  • Implement strong security controls. Strong security controls are essential for protecting CUI/CDI. These include multi-factor authentication, least-privilege principles, and physical security controls. 
  • Have a plan for incident response. In the event of a cybersecurity incident, it is crucial to have a plan in place for how to respond. This plan should include containment, eradication, recovery, and communication steps. 
  • Stay up to date on new requirements. The landscape of contractor cybersecurity is constantly changing, so it is essential to stay current on new requirements. One way to do this is to sign up for updates from the Center for Internet Security (CIS).

As a government contractor, cybersecurity should be one of your top priorities. If sensitive government data falls into the wrong hands, the consequences could be disastrous – not just for your business, but also for national security. By ensuring your systems are certified and accredited, that access is strictly limited to those with a need-to-know, and that vulnerabilities are promptly remediated, you can help protect yourself against cyberattacks and maintain compliance with government regulations.


Grow your Federal business with actionable insights from G2Xchange

G2Xchange delivers the most valuable intel on GovCon opportunities, awards, protests, and people – daily. Sign Up Free Today!


8 Things Contractors Need to Know About the Government Contractor Defense

There are several unique defenses available to government contractors facing product liability lawsuits. One of the most common defenses is the “government contractor defense,” which protects private contractors from specific liability claims when they do business with the U.S. government. The two primary forms of defense are a common law defense and a statutory defense, also known as the SAFETY Act. 

1. Components of the defense.

In the landmark case Boyle v. United Technologies Corp., 487 U.S. 500, 512 (1988), the Court recognized the following three components of the government contractor defense: (1) the United States approved reasonably precise specifications for the product being supplied; (2) the product conformed to those specifications; and (3) the supplier warned the United States about any dangers in use of the product known to the supplier but not known to the United States. 

Typically, the government contractor defense applies to design-defect claims, failure-to-warn claims, and breach-of-warranty claims. However, it generally does not apply to manufacturing-defect claims. How state law characterizes a suit determines whether the defense can be used. 

2. Other claims in which the government contractor defense may be applied. 

Although many courts hold that the government contractor defense can be applied to contracts for both military and nonmilitary equipment, some courts rule that the defense applies only to cases involving military equipment. Additionally, courts have applied the defense to claims arising from supply contracts, subcontracts, and service contracts. 

3. There are similar defenses for state and local procurement. 

While Boyle does not address cases involving an underlying state or local government contract, some jurisdictions have applied similar defenses to product liability claims arising from such contracts. 

4. The government contractor defense can provide an independent basis for removal. 

One valuable benefit of asserting the defense is that it can provide an independent basis for removing a case to federal court.

5. Develop the defense before litigation.

Before any litigation arises, contractors should lay the groundwork for the defense. Start by reviewing the contracts to ensure that the functions and aspects of the designs are accurately recorded in the contract documents. Furthermore, when establishing the defense, it is vital to understand that the extent to which the government was involved in approving the specifications will play a major role. 

When possible, obtain written confirmation from the government that the final product (or service) conforms with the government’s specifications. Lastly, contractors should always document their efforts to warn the government of any identified hazards or dangers associated with the product.

6. Establishing the defense may lead to requests for discovery. 

Asserting the government contractor defense requires an in-depth analysis of the contract specifications and of the government’s role in approving them. This evaluation may raise unique concerns for discovery. These issues should be discussed at the Rule 26(f) discovery conference and addressed in an appropriate protective order.

7. Establishing the defense could mean going to trial. 

Because the defense is intensely fact-driven, it typically is not well suited to resolution on a dispositive motion. It is treated as a liability defense rather than an “immunity.”

8. There are other defenses available to government contractors.

Contractors may also have access to other defenses, including Westfall immunity, the combatant activities exception, the political question doctrine, and various potential statutory defenses. 

References

  1. 63A Am. Jur. 2d Products Liability §§ 1347-1389 (2018).
  2. 6 CFR Part 25, Regulations Implementing the Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (the SAFETY Act).
  3. Boyle v. United Technologies Corp., 487 U.S. 500 (1988). Accessed 9 September 2018.
  4. Brian Sheppard, Annotation, The Government Contractor Defense to State Products-Liability Claims, 53 A.L.R.5th 535 (2018).
  5. Department of Homeland Security, SAFETY Act for Liability Protection. DHS, Washington, DC: 2016.
  6. National Contract Management Association, 2016 Annual Review of Government Contracting. NCMA, Ashburn, VA: 2017.
