Generally Applicable Cybersecurity Requirements

Many federal laws, regulations and rules have the effect of requiring government contractors—regardless of the agency with which they are doing business—to protect the security of electronic systems that house various categories of government information. This page discusses some of the government-wide protections for electronic systems housing “federal contract information,” “personally identifiable information” and “controlled unclassified information” to give the reader an appreciation for the wide scope of federal regulation in this area. The page then flags, without extended discussion, several other types of information developed or compiled by or for the government that are likewise subject to federal cybersecurity rules.


Federal Contract Information

Since June 15, 2016, the Federal Acquisition Regulation has required government agencies to require their contractors to adhere to certain cybersecurity standards to protect electronic systems that house “federal contract information.” (FAR § 52.204-21.) Federal contract information is defined as:

Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

These standards apply to contractors and must be flowed down to their subcontractors (other than subcontracts for commercially available off-the-shelf items). They consist of 15 basic safeguarding requirements, such as the following:

  • “Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)”
  • “Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.”
  • “Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.”
  • “Identify, report, and correct information and information system flaws in a timely manner.”
  • “Provide protection from malicious code at appropriate locations within organizational information systems.”
  • “Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.”

Personally Identifiable Information

The Privacy Act of 1974 prohibits, under most circumstances, the federal government from disclosing personally identifiable information (PII), defined by regulation to encompass “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual” (2 CFR 200.79). The Act also extends its requirements to contractors who provide or operate “a system of records to accomplish an agency function” (5 U.S.C. § 552a(m)(1)). Such contractors must “establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.” (5 U.S.C. § 552a(e)(10)).

The Government implements the amended Privacy Act through the Federal Acquisition Regulation, requiring agencies to include certain clauses in contracts with entities participating in the “design, development, or operation of a system of records” for the Government (FAR 52.224-2). These clauses, which must “flow down” to subcontractors also involved in the design, development, or operation of a government records system, require the contractor to adhere not only to the Privacy Act, but also to applicable agency-specific rules and regulations implementing the Privacy Act.

Many of these agency-specific rules, which apply to contractors working on records systems for the agency in question, require prompt reporting of unauthorized disclosures of PII. For example,

•  The Department of Labor’s Guidance on the Protection of Personal Identifiable Information, which has been on the agency’s website since at least January 21, 2016, requires that “if contract employees become aware of a theft or loss of PII, they are required to immediately inform their DOL contract manager.”

•  A May 14, 2009 order from the Department of Transportation’s Acting Chief Information Officer (DOT Order 1351.19A) and a January 16, 2009 order from the Secretary of Energy (DOE O 206.1) require contractors to report suspected or confirmed breaches of PII “immediately” and “without unreasonable delay” respectively.

•  A May 14, 2007, Department of Defense directive (DoD 5400.11-R) provides that, “When a loss, theft, or compromise of information occurs … the breach shall be reported to: … The United States Computer Emergency Readiness Team (US CERT) within one hour of discovering that a breach of personally identifiable information has occurred.” DOD’s May 6, 2021, Preparedness and Response Plan, relaxes the requirement somewhat, requiring that a breach of PII be reported “as soon as possible and without unreasonable delay.”

•  A July 31, 2017, General Services Administration (GSA) Order requires contractors “with access to Federal information and information systems” to report “the actual or suspected compromise” of PII within one hour of discovery (9297.2C CIO GSA Information Breach Notification Policy). The most recent version of this policy was released on March 27, 2019 (9297.2C CIO CHGE 1 GSA Information Breach Notification Policy) and narrowed the contractors who are required to report breaches to those “with access to PII or systems containing PII.”

Controlled Unclassified Information

Executive Order 13556, issued by President Obama on November 4, 2010, created an executive branch-wide program to manage government information that is sensitive but unclassified. Such information is now referred to as “Controlled Unclassified Information” (CUI), the title of the executive order itself. The parameters of CUI were subsequently delineated by regulation as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls” (32 CFR § 2002.4).

President Obama’s executive order designated the National Archives and Records Administration (NARA) as the government agency that, based on information provided by all executive branch agencies as to the material they treated as CUI, would “approve categories and subcategories of CUI and associated markings to be applied uniformly throughout the executive branch.” These categories, subcategories and markings become effective upon publication in NARA’s CUI Registry.

A number of agencies, including the Department of Defense (DOD) (through DFARS 252.204-7012), NASA (NPR 2810.7, effective October 22, 2021), the Department of Energy (DOE O 471.17, effective January 13, 2011), and the Department of Commerce (DOC) (OPBM-NP-18-001, effective August 14, 2019), require by contract that contractors who process, store or transmit CUI adhere to the set of security requirements issued by the National Institute of Standards and Technology (NIST) for the protection of CUI in nonfederal systems: NIST SP 800-171. On December 18, 2020, the Department of Education notified institutions of higher education that they too will soon be required to comply with NIST SP 800-171, since most of the information they receive from the federal government is CUI.

Examples of the 110 security requirements in NIST SP 800-171 (Revision 2) that are made mandatory by DOD, NASA, DOC, Department of Energy and Department of Education contracts include the following:

  • “Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.”
  • “Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.”

Other agencies impose CUI requirements independent of NIST SP 800-171. For example, since March 10, 2021, the GSA Public Building Service has required its contracting officers to include a clause in contracts with companies who handle CUI outlining requirements such as:

  • “Building information designated as CUI must be protected with access strictly controlled and limited to those individuals having a Lawful Government Purpose to access such information”
  • “Electronic transmission of SBU information outside of the GSA network must use session encryption (or alternatively, file encryption) … via an approved NIST algorithm with a valid certification”
  • “All improper disclosures or receipt of CUI building information must be immediately reported to the CO and the GSA Incident Response Team Center”

(PBS 3490.3 CHGE 1 Security for Sensitive Building Information Related to Federal Buildings, Grounds, or Property.)

Sensitive Personally Identifiable Information

The National Archives and Records Administration (NARA) has designated a subset of Personally Identifiable Information, a category of personal data that it has labelled “Sensitive Personally Identifiable Information” (SPII), as Controlled Unclassified Information. NARA’s designation is significant because, as discussed above, many agencies mandate through contractual clauses that contractors handling CUI must follow the security requirements of NIST SP 800-171.

NARA defines SPII as information that, “if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual,” specifically to include Social Security Numbers, fingerprints, or an individual’s name when paired with their date of birth, citizenship status, truncated Social Security Number, or account password.

Individually Identifiable Health Information

The protection of personally identifiable health information is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and detailed regulations that the Department of Health & Human Services has published to implement that law. VSG partner Shelley Slade has previously written about the consequences of these regulations for whistleblowers in this article for The Health Lawyer.

Educational Information

Education records, defined as “those records that are: (1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution” (with certain exceptions), are subject to the Family Educational Rights and Privacy Act of 1974 (FERPA) and implementing regulations issued by the Department of Education.

Classified Information

Classified information is, of course, subject to its own set of very strict access, use and protection rules, with criminal penalties for violations.

When a government contractor or subcontractor knowingly violates these requirements, that may be the basis for a qui tam action under the False Claims Act. The Department of Justice’s Civil Cyber-Fraud Initiative, announced in October 2021, uses the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients, including cases brought by whistleblowers.

If you are thinking about blowing the whistle on cybersecurity violations, contact VSG at 202-537-5900 for a confidential conversation. Our lawyers have vast experience representing whistleblowers in government contractor fraud lawsuits and are nationally recognized as leaders in winning rewards for our clients.