Hogan Lovells

Government Contracts Alert
13 June 2012

DOD voluntary cyber security program requirements may limit participation opportunities for some government contractors


DOD interim final rule: Opening the door for more defense contractors to DIB CS/IA?

 

On 11 May 2012 the Department of Defense (DOD) published an interim final rule[1] to expand the Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) pilot program. The program addresses the increased targeting of DOD systems and defense contractors by hackers. The voluntary, four-year-old program originally included approximately forty contractors, and the rule aims to expand the program to all qualified defense contractors. However, the burdensome participation requirements may limit the scope of involvement by certain government contractors and may in fact deter some contractors from participating altogether, especially contractors operating under Foreign Ownership, Control or Influence (FOCI).

 

Interim final rule aims to increase awareness and enhance capabilities

 

The interim final rule expands the voluntary CS/IA sharing program between DOD and eligible DIB contractors. The program aims to increase awareness about cyber threats to DOD and contractors, and enhance contractor capabilities to protect defense information. Under the program, DOD provides cyber threat information and information assurance best practices to participating DIB contractors, who in turn report certain types of cyber intrusion incidents to DOD. DOD analyzes the incidents to better understand threats and vulnerabilities, and identify response measures. Interested defense contractors must fulfill several requirements in order to participate.

Contacts



Todd R. Overman
Partner, Washington, D.C.
todd.overman@hoganlovells.com

+1 202 637 3565

Thomas L. McGovern
Partner, Washington, D.C.
thomas.mcgovern@hoganlovells.com

+1 202 637 5784

Special thanks to Scott Rissmiller for his contributions to this Alert.

 


Visit us at www.hoganlovells.com


 

Program requirements

  • Secret Facility Security Clearance
  • COMSEC Account
  • Access to CS/IA voice/data system
  • Complete Framework Agreement
  • External Certificate Authority certificates
  • Own/operate unclassified system that processes, stores, or transmits DOD information

 

CS/IA program requirements for contractors

As the rule and the CS/IA website note, contractors must:

  • Have or acquire DOD-approved medium assurance External Certificate Authority certificates;
  • Have an existing active Facility Security Clearance (FCL) granted under the National Industrial Security Program (NISP) with approved safeguarding for at least Secret information;
  • Have or acquire a Communication Security (COMSEC) account;
  • Get access to DOD's secure voice and data transmission system supporting the CS/IA program;
  • Own or operate an unclassified information system that processes, stores, or transmits DOD information; and
  • Execute the standardized Framework Agreement (FA).

The Framework Agreement is the starting point of the relationship if all other requirements are satisfied.

 

Framework Agreement obligations

 

Once admitted into the program, the Framework Agreement between DOD and DIB contractors requires the DIB contractor to report cyber incidents involving covered defense information on a covered DIB system within 72 hours of discovery. Other incidents relevant to the government’s information assurance may also be reported. The government will assess incidents and provide best practices to the DIB contractor to improve and enhance the DIB contractor’s existing security measures. A detailed digital forensics analysis or damage assessment may occur if DOD and the DIB contractor voluntarily exchange the necessary additional information.

 

Before sharing any information, the DIB contractor will perform a legal review of its policies and practices relevant to the program to ensure compliance with applicable legal requirements. The government acknowledges information may likely include extremely sensitive information such as trade secrets and proprietary information. Therefore, the government will restrict the use and disclosure of any shared information to only personnel bound by confidentiality obligations and restrictions related to the handling of such information. However, personnel may include those working for contractors supporting DOD.

 

Additionally, the government may provide government furnished information via unclassified or classified means, and may also share, without attribution, information provided by DIB contractors with other program participants. According to the government, participation is not intended to have any effect, positive or negative, on DOD source selections or competitions.

 

Unclear how many contractors are eligible or will participate

 

Estimates differ as to the potential participation under the expanded program. For example, one source indicates that about 8,000 contractors cleared to work with DOD intellectual property were invited to participate, and DOD estimates nearly 1,000 defense contractors will join the program.[2] Yet, a second source suggests only around 2,000 companies actually qualify.[3] Not only is the potential reach of the program subject to differing opinions, so is the assessment of the level of risk contractors will shoulder to advance what all seem to agree is an extremely important goal of information sharing.

 

Contractors assume risk and expenses

 

The DIB contractor enters the program entirely at its own risk and expense. Contractors likely will incur some costs to participate in the program, but a contractor can unilaterally end its participation (as can the government) at any time if the costs are likely to outweigh the benefits. For uncleared contractors, and for contractors with some degree of FOCI, the expense and risk will be higher because of the threshold requirement to obtain a Facility Security Clearance. Once in the program, the contractor is obligated to protect any government-furnished information, but it is not required to take any affirmative action to use the government-furnished information. Failing to act on the government information, however, would appear to carry some third-party liability risk.

 

Impact on contractors

  • Satisfying requirements may require significant resources
  • Participate entirely at the contractor’s risk
  • Participants likely gain invaluable insight and improved security
  • FOCI mitigation requirements could deter participation

 

Facility Clearance requirement increases barriers to entry

 

Even though the purpose of the program is to safeguard DOD information that resides on DIB unclassified information systems, a contractor must have an existing active Facility Security Clearance (FCL) at the Secret level in order to participate. There are numerous defense contractors who do not have an FCL, or perform work that does not require access to classified information. So, in order to participate, an uncleared contractor will need to get sponsored and apply for an FCL. Notably, the interim final rule does not address how uncleared contractors who would like to participate might initiate the FCL application process.

 

If an uncleared contractor is under some degree of FOCI, the FCL application process could be quite burdensome. In order to receive an FCL, any FOCI must be mitigated by the contractor through the implementation of an agreed-upon FOCI mitigation measure (i.e., Board Resolution, Security Control Agreement, Special Security Agreement (SSA), or Proxy Agreement). While a Board Resolution can be used to mitigate FOCI from minority, passive foreign investors, foreign-owned and controlled contractors will have to put in place at least an SSA in order to receive an FCL at the Secret level. However, given the additional requirement to have access to a COMSEC account, contractors operating under an SSA will have to take the additional step of requesting a National Interest Determination (NID) in order to have access to proscribed information (i.e., COMSEC information). These additional requirements will likely discourage most contractors under FOCI from participating in an important information sharing program.

 

Additional considerations: information access, FOIA, and future source selections

 

Beyond the list of requirements to join the program, contractors need to be cognizant of three additional items: information access, FOIA, and impact on future source selections. First, contractors should be aware that government support contractors will have access to the information shared. This risk, of course, is mitigated by the fact that such support contractors will be bound by confidentiality agreements. Second, there currently is no special statutory provision requiring that information supplied under this program be withheld from disclosure, so DOD plans to use applicable FOIA exemptions to protect DIB contractor information. Thus, prior to supplying any information, contractors should conduct their own analysis to determine whether the information is likely to fall under a FOIA exemption, and properly mark all information delivered to the government under the program.

 

Finally, and perhaps most significant, is the potential impact on future source selections. Participants are likely to improve existing security measures and better understand current or potential DOD clients. Those who do not participate may miss valuable insights. While DOD insists participation will not impact future source selections, participants are likely to tout their participation in the program to gain an edge over their competitors. These arguments may sway evaluators even though they are unlikely to acknowledge this influence in documenting their evaluations.

 

At the time of this publication, Congress is considering at least two bills that may impact the CS/IA Program. Each bill seeks to limit liability arising from information sharing by prohibiting lawsuits or prosecutions stemming from a private business disclosing or sharing cyber threat information to the federal government. Hogan Lovells will continue to monitor these two pieces of legislation and others that may impact the CS/IA Program.


[1] 77 Fed. Reg. 27,615 (11 May 2012). DOD is accepting comments until 10 July.
[2] Will Voluntary Cyber Threat Sharing Plan Cast Doubt Over CISPA?, available at http://www.pcworld.com/article/255843/will_voluntary_cyber_threat_sharing_plan_cast_doubt_over_cispa.html (18 May 2012).
[3] Pentagon to Tighten Contractors' Cybersecurity, available at http://www.reuters.com/article/2012/05/11/cyber-pentagon-companies-idUSL1E8GBOEY20120511 (11 May 2012).

About Hogan Lovells
Hogan Lovells is an international legal practice that includes Hogan Lovells US LLP and Hogan Lovells International LLP. For more information, see www.hoganlovells.com

Disclaimer
This publication is for information only. It is not intended to create, and receipt of it does not constitute, a lawyer-client relationship.

© Hogan Lovells 2013. All rights reserved. Attorney advertising.