March 01, 2017 Public Contract Law Journal

Tackling the Cyber Threat: The Impact of the DoD's "Network Penetration Reporting and Contracting for Cloud Services" Rule on DoD Contractor Cybersecurity

by Jessica A. Gunzel

Jessica A. Gunzel ( jgunzel@law.gwu.edu) is a J.D. candidate at The George Washington University Law School and a member of the Public Contract Law Journal. She would like to thank Professor Mark J. Nackman for his valuable feedback and guidance during the development of this Note. She would also like to thank her family and Alex Kutrolli for their unwavering
support and encouragement throughout the writing process.

I.  Introduction

On June 4, 2015, the Office of Personnel Management (OPM) made a startling announcement: a “cyber-intrusion” led to hackers stealing roughly four million current and former federal employees’ personal information.1 As four million people came to terms with the fact that their Personally Identifiable Information (PII)2 was now in the hands of some unknown entity, news agencies quickly labeled this attack as one of “the biggest ever of the government’s computer networks.”3 On July 9, 2015, OPM dropped a second bomb: in a second “cyber incident,” hackers stole the personal information4 of 21.5 million people, including “19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominately spouses or co-habitants of applicants” from OPM’s background investigation databases,5 along with 5.6 million fingerprint records.6

Although these numbers are staggering, attacks like these are rapidly becoming the norm in an increasingly cyber-focused age. In December 2013, retail giant Target announced hackers had stolen the personal information of over seventy million customers and the credit card information of forty million shoppers through malware planted in Target’s servers.7 In November 2014, a previously unknown hacker group named Guardians of Peace claimed it stole 100 terabytes of data from Sony Pictures Entertainment in a massive data breach.8 Sony later confirmed the hackers made off with the personal records of 6,000 employees, as well as unreleased movies, private emails between executives, and unfinished scripts, while destroying 3,000 computers and 800 servers in the process.9 In February 2016, the Internal Revenue Service announced that as a result of a 2015 cyberattack, hackers gained access to and stole tax data from up to 700,000 taxpayer accounts and attempted to break into another 575,000 accounts unsuccessfully.10 In July 2016, online publisher WikiLeaks11 released 19,252 emails and 8,034 attachments hacked from the accounts of top members of the U.S. Democratic National Committee between January 2015 and May 2016.12 It is therefore no surprise that James R. Clapper, former Director of National Intelligence, has named cyber threats as the top “strategic threat to the United States.”13

With cyberattacks affecting both the private and public sectors, the U.S. government has recently focused its efforts on strengthening the cybersecurity of protected information used by government agencies. However, the contractors that work with these agencies usually bear a higher risk.14 Contractors often are the targets of hacker groups because they offer a potential “backdoor” into government agencies that give hackers access to agency data.15 The OPM attacks demonstrate just how crucial a contractor’s data can be to the security of a government agency. KeyPoint Government Solutions provided background check services for OPM as its primary contractor.16 In December 2014, the government confirmed “the computer files of more than 40,000 federal workers may have been compromised by a cyberattack.”17 Although KeyPoint denied liability for the OPM breach,18 during a hearing before the Senate Appropriations Subcommittee on Financial Services and General Government, former OPM Director Katherine Archuleta admitted the hackers “leveraged a compromised KeyPoint user credential to gain access to OPM’s network.”19

After the OPM cyberattacks, it became clear the regulations governing the cybersecurity of government contractors were insufficient to counter cyber threats. In August 2015 and December 2015, the Department of Defense (DoD) issued two interim rules on “Network Penetration Reporting and Contracting for Cloud Services” that amended several sections of the Defense Federal Acquisition Regulation Supplement (DFARS) and greatly increased DoD contractors’ cybersecurity responsibilities.20 On October 21, 2016, the DoD issued the final rule.21 Although this new rule improves the pre-existing cyberattack reporting system for defense contractors and covers a much broader range of data than past regulations, it also raises a series of pressing issues. The extensiveness of the regulation places a heavy burden on contractors to adhere to new security and reporting requirements that many defense contractors will not be able to bear. Furthermore, the new rule does not address some of the lingering issues that have limited contractor compliance in the past. If the DoD does not address the new issues that stem from the final rule, it is possible that (1) there will not be full compliance with the regulation, forcing many contractors to walk away from DoD contracts; or (2) contractors will risk False Claims Act violations by claiming compliance, leaving covered defense information unprotected from cyberattacks. If the DoD truly wishes to improve the cybersecurity of its defense contractors and subcontractors, the DoD needs to address these issues before progress can be made.

Part II of this Note provides a brief history of cyberattacks on government agencies leading up to the OPM attack in June 2015 and explores previous steps taken by the U.S. government to improve the cybersecurity framework between government agencies and their contractors. Part III of this Note introduces the “Network Penetration Reporting and Contracting for Cloud Services” rule implemented by the DoD in response to the OPM cyberattacks. Part III assesses the new rule’s improvements over the previous DoD contractor cybersecurity regulations and discusses new problems created by this rule that will make contractor compliance difficult, if not impossible, to achieve. Finally, Part IV suggests short- and long-term changes the DoD could make in the future to remedy these issues.

Premium Content For:
  • Public Contract Law Section
Join - Now