An update on a contractor cybersecurity rule VA imposed this year


While the federal contracting world was worrying about a giant but slow-moving contractor cybersecurity requirement from the Defense Department, Veterans Affairs went ahead with a doozy of its own. Five months later, Federal Drive with Tom Temin checked in on how it's going with Holland and Knight partner Eric Crusius.

Interview Transcript:

Tom Temin So this is a cybersecurity rule for contractors Veterans Affairs actually finalized in January. Tell us roughly what it says, what it requires, and then we'll get to what you've seen of the effects of it.

Eric Crusius Well, I really appreciate your introduction to this because CMMC and all the things that DoD is doing have gotten a lot of play, and for good reason too, because it's significant and important for our nation. But meanwhile, while everyone was paying attention to DoD, VA slipped in these regulations, which are really significant. They require contractors to do a lot of things, and they're kind of class leading in a lot of ways. So among other things, they require breach notifications within one hour, which is a very difficult task. The DoD is currently at 72 hours.

Tom Temin 72 hours is not bad by federal standards.

Eric Crusius That's right. Actually, if you talk to IT professionals, and having helped respond to a lot of breaches, 72 hours is difficult, too, because for whatever reason, more often than not we find out on a Friday and a response is due early the following week, and that 72 hours doesn't stop over the weekend. So one hour is really difficult. You're not going to have a lot of information at one hour. Also, it's just going to be kind of, "we had an incident and we're looking into it."

Tom Temin Well, is that one hour from your discovery of it, or one hour from when it hits your network?

Eric Crusius Well, really, from your discovery, ideally from when it hits your network. But oftentimes breaches aren't discovered for a long time. Yes. Absolutely. Even years for some more sophisticated breaches. So they expect that within one hour of you knowing, you tell them about it. Also, a lot of the government is moving towards compliance with NIST Special Publication 800-171; that's what DoD is focusing on. There's a couple of FAR rules in process that will focus on that as well. But the VA took a slightly different approach here and is requiring compliance with VA Directive 6500, as well as some other VA standards for contractors. And it's not quite aligned with 800-171. But that makes some sense, because the VA has different kinds of records than other agencies do. They have a lot of personally identifiable information for the veterans that they care for. So it makes sense that they go a slightly different way with this, but it's a different standard, so contractors should be aware that the standard is different. A couple of other interesting things in there. One is the VA does have a right to visit onsite, the contractor site, to make sure that they're compliant with the controls. The VA also has the right to not pay invoices if the contractor is not compliant. And something that will probably be significant in the future, we haven't seen it yet because it's too early, but there is a clause also that says that if there is a cybersecurity incident and personally identifiable information is involved, the contractor will have to pay liquidated damages to the VA for that.

Tom Temin Yeah. So this has real teeth.

Eric Crusius Right. Absolutely. And that teeth is right in the contract itself. There's actually a blank in the clause where the contracting officer is supposed to fill in an amount of the liquidated damages. And for the non-lawyers out there, those are damages that are not knowable at the time that the contract is being written. So you do a best guesstimate of what they are. And so the contracting officer will write a number and say, like, $3 per record or something like that. That covers breach response costs and credit monitoring, things like that. But if there's a million records involved, that's a $3 million liquidated damages fine to the contractor unless they can show actual damages were less.

Tom Temin Right. And often, I mean, this is a pretty far reaching rule. It imposes a lot of responsibility on the contracting function, the contracting officers and the contracting officer representatives, I guess, by extension. Is there any evidence that it’s dawned on the contracting officers yet? Are your clients seeing this yet, in effect?

Eric Crusius Right. I haven't seen any of these clauses in the wild yet. They're there, they're in place. They're supposed to be in new contracts that come up. And my reach is not the entire government, of course, but I have not seen these new regulations in contracts yet. I expect we will. It just takes some time for these things to filter in. Sometimes there isn't an education on the side of the VA or any other agency about those clauses having to go in contracts. And I'm sure there will be some response as these clauses make their way in. It's going to be significant. I think contractors, everyone, is kind of sleeping on this right now, but I think we'll hear a lot about it pretty soon.

Tom Temin We're speaking with attorney Eric Crusius. He's a partner at Holland and Knight. And those could be challenged in court, perhaps. I mean, do these go beyond what you might find in the Uniform Commercial Code, for example, these liquidated damages? I mean, if you don't report something, but there is no harm. Say you take 2 hours to report it, but nothing happened. No data breach was lost. Nonpayment of the contract seems like it may not even hold up in court.

Eric Crusius It seems pretty harsh overall. And I mean, you look at the DoD 72 hour requirement, a GAO study a year or two ago, or maybe even as close to six months ago, said that half the DoD contractors are not reporting this within 72 hours. I like to always say that that’s not true of any of my clients because we always report something, even if we don’t have the full information.

Tom Temin Film at 11.

Eric Crusius Well, we'll tell you more later. But at least we're telling you there's something that happened. But the one-hour notification response is so difficult. You barely know what's happening at that time. It's really a fog of war kind of deal where there's just a lot of chaos sometimes. So I could see that kind of provision being challenged, and maybe an inspection of the contractor systems resulting in a nonpayment being challenged. There's a lot of angles here. And as we've seen with court decisions over the last few years, especially in the wake of COVID, the power of the regulatory state to make regulations on contractors has been curtailed a little bit. So I wonder if these regulations can be challenged in that way. I don't see a specific path, but with the way that decisions are going, you never know.

Tom Temin Sure, you have courts taking one way or the other very strongly. It's just a matter of which venue, I guess, you end up in. That's where they hire people like you, to shop the right venue to figure it out.

Eric Crusius That’s my hope anyway.

Tom Temin And we started with an oblique reference to CMMC, which nobody knows where that train is headed, either to the side rail or it's going to come powering down one morning. But there is the Defense Federal Acquisition Regulation, DFAR, the use of Supplier Performance Risk System assessments. Now that rule was finalized towards the end of March.

Eric Crusius Right.

Tom Temin Quick review of that and any effect there yet?

Eric Crusius Sure. This is a really interesting one also, because it's another one that kind of flew under the radar, but I think will be significant for a lot of contractors. It requires DoD contractors to use the Supplier Performance Risk System to look at item risk, price risk and supplier risk. All three, obviously; item risk only for products contracts. But it requires contracting officers to evaluate all those before awarding a contract. And if you look at price risk specifically, that means that contracting officers have to do an analysis of whether the price poses an undue risk on the contract. And that's a price realism analysis, which oftentimes contracts have to specifically state has to be done in order for it to be done. Here, I kind of get the sense you can make the argument that's built into the clause. So if a price is too low, anybody could file a protest saying they didn't comply with this new clause, DFARS 252.204-7024. So we'll have to see how this bumps along. But price risk and supplier risk and item risk are all things that will be evaluated based on a sliding scale. There's a database within DoD. Contractors have a chance to view that database. I could see some litigation coming from this, especially if there are protests, if there are not awards made because of it. And it also kind of brings attention to that Supplier Performance Risk System, which contractors are supposed to be using now to input their compliance with 800-171, the NIST special publication. So I think it's going to encourage contracting officers to look at SPRS for 800-171 compliance as well as these other things. So it makes compliance with 800-171 even more important at this point.

Tom Temin Right. But getting back to the pricing question, I guess it's the government's perception, the Defense Department's perception, that overly underbidding, or, that's such a phrase, pricing too low presents a risk.

Eric Crusius And I've argued that in a number of protests. It's sometimes not successful, because they sometimes say, we're not obligated to do this because we haven't announced in the solicitation that we are going to do it. And we often make the argument, I'm not the only one, other attorneys do, too, that the low price presents a technical risk to the debate, shows that you don't know what the project's all about, shows that you're going to cut corners, etc., etc., and the government.

Tom Temin Or lose money and you can’t deliver ultimately.

Eric Crusius Right. Right. That's exactly right. You should help me write these protests. But here there is built into the clause something where they do have to look at that. So I'm hopeful that that will allow a more fulsome review sometimes when the price is really low.

Tom Temin And the debt ceiling. Right. That crisis was averted, but just kind of as closure, give us a sense of what contractors would have faced had some sort of shutdown or some sort of interruption happened with the debt ceiling being reached because it’s going to come up again.

Eric Crusius It's a really difficult situation, because with the shutdown, at least the contractor stops taking on a lot of expenses because the government shuts down. The contractor can't perform anymore, but they don't have to pay those salaries and all those kinds of things. Of course, they have other costs that they can't get rid of that quickly. But with the debt ceiling, contractors still have to perform for the most part. They're just not going to get paid in a timely fashion for that performance. And you can guess that contractors are going to be near the bottom of the list of who's paid; they're going to be behind the Social Security recipients. They're going to be behind the bondholders and all that. So contractors should really be looking at their cash balance and taking note of that and ensuring they have the cash to move forward, at least on a temporary basis.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
