The National Institute of Standards and Technology (“NIST“) issued on August 8 an updated Computer Security Incident Handling Guide (NIST Special Publication 800-61, Rev. 2) (“Publication”). The Publication provides guidance to Federal agencies on detecting, analyzing, prioritizing, and handling computer security incidents. Like most NIST Special Publications, this guidance “may be used by nongovernmental organizations on a voluntary basis”. However, organizations doing business with the federal government—and particularly those government contractors that are subject to the Federal Information Security Management Act (FISMA)—often find themselves subject to NIST standards by virtue of federal contract terms.
The Publication defines a “computer security incident” as a “violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices”. This definition encompasses a broad spectrum of occurrences in a system or network, including malware infestations that compromise data; unauthorized workstation access; exposure of sensitive information; web server crashes; unknown wireless point access; anonymous threats to an organization’s IT system; and other types of network intrusions.
The recommendations set out in the Publication are “technology neutral” in the sense that they neither assume nor mandate particular hardware platforms or software configurations.
Core elements of a computer security incident response capability described in the Publication include:
• creating an incident response policy, plan, and procedure;
• selecting, staffing, and training a proficient incident response team; and
• sharing information both inside and outside the organization where appropriate.
Emphasis is placed on sharing information with outside parties, such as law enforcement, external experts, internet service providers, and software vendors. For Federal agencies, “sharing information” includes a requirement to report computer security incidents to the Department of Homeland Security’s United States Computer Emergency Readiness Team (“US-CERT“), which is a governmentwide incident response organization that proactively manages cyber risks and incident handling efforts. (Pursuant to OMB Memorandum M-07-16 and other policy, Federal agencies already are obligated to report incidents involving personally identifiable information to US-CERT.)
A key question for government contractors is (i) whether the Publication will be applied via incorporation in contracts; and (ii) whether and to what extent these guidelines impose or imply a duty to report certain types of computer security incidents to the contracting agency as a means to facilitate intragovernmental reporting, response, and other defensive measures.
Accordingly, whenever a contractor encounters a computer security incident, the precise terms of its federal contracts—including references to Federal law, information security policy, and NIST guidance—are critical. Because there is no uniform Federal Acquisition Regulation (“FAR”) clause that applies, agencies fill the void with a patchwork of homegrown clauses, many which reference FISMA and NIST standards such as the Publication. A contractor’s incident response program, and the immediate steps taken in response to a specific security incident, may influence whether the government has a valid basis for default termination, a breach of contract claim, an adverse responsibility determination, or other prerogatives. It also may affect the availability of defenses to the contractor, as well as the quantity and quality of potential damages. Could incorporation of the Publication in a contract result in an implied obligation in terms of whether a contractor’s handling of a breach is or is not negligent?
Efficient and effective response to computer security incidents is a complex task. For government contractors the complexity is compounded by, among other issues, the fact that (i) there are few guide posts for application of traditional government contract clauses and legal principles to computer security incidents; and (ii) there is consistent confusion about whether and how FISMA and associated NIST standards apply to different categories of contractors. Although there have been several high-profile data breaches in recent years involving computer security, generally those matters have been settled without government contracts litigation or the issuance of a published court or board decision. Hence uncertainty about a contractor’s duty—and the customer’s rights— lingers on; the possibility of revived cybersecurity legislation next year or an Executive Order on same adds to the uncertainty.
As the volume of security incidents climbs each day, it is clear that responding to and handling these incidents will continue to be a challenging area for organizations doing business with the federal government.
Bill Ferreira is a senior associate in Hogan Lovells’ government contracts practice.
 Depending on the subject matter of the contract, applicable FAR clauses may include 52.224-1 (Privacy Act Notification); 52.224-2 (Privacy Act); and 52.239-1 (Privacy or Security Safeguards). Where applicable, FAR 52.239-1 (Privacy or Security Safeguards) provides for government access to the contractor’s facilities and records to carry out a program of inspection to safeguard against threats and hazards to security, integrity, or confidentiality of government data; it also requires the government and contractor to bring to the other’s attention if new or unanticipated threats or hazards are discovered by either party, or if existing safeguards have ceased to function.