Customs and Border Protection Agency Data Breach Signals Increased Enforcement of Government Contracting Cybersecurity Requirements

Recently, the U.S. Customs and Border Protection Agency (CBP) lifted the suspension it had imposed on a border surveillance contractor, Perceptics, for its involvement in the May 2019 CBP data breach, after Perceptics agreed to follow additional cybersecurity controls. The suspension followed the CBP data breach incident in which hackers gained access to images of tens of thousands of individual travelers’ faces and license plates that had not been properly stored. From the data breach to the recent agreement, this case illustrates the federal government’s increased focus on monitoring and enforcing the cybersecurity requirements imposed on contractors.

Background

Earlier this year, the CBP reportedly discovered that hackers had compromised Perceptics’ network and copied data containing images of thousands of individual travelers. CBP stated that Perceptics had violated contractual security and privacy protocols by transferring copies of the data to its company network without authorization. A few weeks later, CBP suspended the contractor from federal contracting.

In September, the U.S. Senate Intelligence Committee pressed the CBP for answers concerning the data breach. Sen. Mark Warner, D-Va., pushed the agency for details on how it was ensuring that contractors and subcontractors used effective information security practices.[1] Much to the agency’s chagrin, Sen. Warner made the following statement about the state of information security in federal contracting:

I have frequently pointed out the derisory state of third-party contractor and subcontractor information security practices and management in industry and across the government. It is absolutely critical that federal agencies and industry improve their track records … Americans deserve to have their sensitive information secured, regardless of whether it is being handled by a first or a third-party.

On October 10, 2019, the CBP made public its agreement to lift Perceptics’ suspension provided that the company complied with additional cybersecurity measures. These measures reportedly included, for example, appointing an officer to oversee the new security measures, paying for an independent monitor to evaluate compliance, establishing an anonymous employee hotline for reporting violations, and giving CBP officials regular updates on its progress.[2]

The CBP data breach illustrates the federal government’s increased efforts to enforce cybersecurity regulations. As with its recent use of False Claims Act litigation,[3] the government has shown its intent to crack down on contractors who fail to comply with their cybersecurity obligations.

What are contractors’ cybersecurity requirements? 

Cyber incidents, like the CBP data breach, have spurred federal agencies to develop cybersecurity requirements through regulatory and contractual provisions. Because agencies typically implement their own cybersecurity requirements, contractors must sift through various acronyms such as the Federal Acquisition Regulation (FAR), Defense Acquisition Regulation Supplement (DFARS), National Institute of Standards and Technology (NIST), and the upcoming Cybersecurity Maturity Model Certification (CMMC).

Generally, contractors – and their subcontractors – must use basic safeguarding measures for “covered contractor information systems” as defined under FAR 52.204-21. Additionally, many agencies have their own cybersecurity regimes.

To date, the Department of Defense (DoD) has paved the way by incorporating NIST security controls into DFARS 252.204-7012. For example, this DFARS provision requires contractors to (1) implement security measures set forth in NIST Special Publication (SP) 800-171 and (2) report cybersecurity incidents to the DoD within 72 hours.[4]

Recently, the Department of the Navy (DoN) created its own cybersecurity requirements pursuant to the Memorandum for Distribution: Implementation of Enhanced Security Controls on Select Defense Industrial Base Partner Networks (DIB Memo), recently published by the Assistant Secretary of the Navy for Research, Development & Acquisition (ASN RD&A).[5] In addition to compliance with DFARS 252.204-7012, the DIB Memo requires contracting officers to include in contracts contract data requirement lists (CDRL) that require delivery and approval of a system security plan (SSP) whenever a risk to a critical program or technology warrants it.

On September 6, 2019, the DoN published Change 18-08 to the Navy Marine Corps Acquisition Regulation Supplement (NMCARS),[6] which requires contractors to (1) implement SSP and plans of action and milestones (POAM) reviews, (2) ensure NIST SP 800-171 compliance, (3) develop a cyber-incident response plan, (4) participate in Naval Criminal Investigative Service (NCIS) outreach, and (5) participate in NCIS/industry monitoring.

Beyond these current requirements, the DoD is proposing new cybersecurity requirements under the upcoming CMMC framework.[7] Among other things, CMMC will assess contractors’ cybersecurity “maturity,” or effectiveness, and assign them Levels 1-5, from basic to advanced. Of note, Level 3 is consistent with the DFARS 252.204-7012 / NIST SP 800-171 security controls; thus, any contractor that is compliant with the DFARS provision should achieve a Level 3 rating. In addition to the current self-reporting DFARS framework, CMMC intends to create and require third-party auditing of contractor security controls. The DoD intends to implement CMMC by January 2020 and to incorporate it into Requests for Proposals (RFPs) by fall 2020.

How do contractors mitigate risk of noncompliance?

As federal agencies, like the CBP, continue developing cybersecurity regulatory and contractual requirements, it is essential that contractors take proactive steps to develop internal cybersecurity programs and to understand their agency counterparts’ specific requirements. For DoD contractors, compliance with the DFARS 252.204-7012 / NIST SP 800-171 security controls should inform CMMC maturity level ratings and could be a distinguishing factor in future RFPs.

Ice Miller’s legal professionals help clients understand and comply with federal cybersecurity requirements. To speak with an Ice Miller attorney, please contact Guillermo Christensen, Nick Merker, or Christian Robertson. Ice Miller’s public policy professionals are experienced in advocating for client priorities in cybersecurity policy and related laws and regulations at the state and federal level. For additional information, please contact Clayton Heil, Graham Hill or Andy Mueller.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.

[2] Drew Harwell, Surveillance contractor that violated rules by copying traveler images, license plates can continue to work with CBP, Washington Post, Oct. 10, 2019, https://www.washingtonpost.com/technology/2019/10/10/surveillance-contractor-that-violated-rules-by-copying-traveler-images-license-plates-can-continue-work-with-cbp/.
[6] See ASN RD&A, Change 18-08 of the NMCARS, Sept. 6, 2019.
[7] See Office of the Under Secretary of Defense for Acquisition & Sustainment, Cybersecurity, CMMC v0.4, Sept. 2019.