PII Breach Response Requirements for Contractors on the 2018 Federal Regulatory Agenda

The development of PII breach response rules for federal contractors is set to start this fall and could influence other federal agreements with colleges and universities.

The Trump Administration recently released its Spring 2018 regulatory agenda, which identifies the Administration's current regulatory (or deregulatory) objectives across all federal agencies. The agenda often includes plans for changes to the Federal Acquisition Regulation (FAR), which sets the rules governing procurement by non-defense federal agencies, including uniform provisions that agencies must include in procurement contracts.

The current regulatory agenda includes a proposed rule-making to start this November that will develop FAR provisions and related contract clauses for how federal contractors will have to respond to breaches of personally identifiable information (PII). The agenda listing doesn't include details about requirements contractors will ultimately have to meet — those will no doubt be addressed in the "notice of proposed rule-making" (NPRM) for the process that is scheduled for release in November. Development of the PII breach response requirements for federal contractors is predicated, however, on a January 2017 memorandum from the Office of Management and Budget (OMB) that established an updated PII breach response policy for federal agencies. EDUCAUSE members with significant federal contracting activity may find that the memorandum provides a useful preview of "coming attractions." In particular, Part V, Section B (pp. 11–13), identifies the minimum requirements contractors will be required to fulfill. (Please see the end of this post for the list.)

It is important to note that cooperative agreements and similar types of arrangements also fall under the memorandum's guidance:

Agencies shall ensure that contract terms necessary for the agency to respond to a breach are included in contracts when a contractor collects or maintains Federal information on behalf of the agency or uses or operates an information system on behalf of the agency. To the extent that a cooperative agreement or other such instrument requires another organization or entity to perform such functions on behalf of the agency, the agency must similarly ensure that such cooperative agreements and instruments include the following terms. (p. 11)

Given the differences between federal procurement contracts and cooperative agreements, it seems unlikely that the FAR clause(s) on contractor breach response would automatically apply to such agreements. The text from the OMB memorandum implies, however, that its guidance may ultimately affect the terms of the Program Participation Agreement (PPA) and/or Student Aid Internet Gateway (SAIG) Agreement of the U.S. Department of Education's Office of Federal Student Aid (FSA). In that case, the relevant FAR provisions may serve as a model for what FSA will seek to include in its agreements, making the upcoming FAR process of interest to higher education institutions in general. Similarly, the memorandum discusses potential requirements for federal grantees, opening another avenue for EDUCAUSE member interest:

When a grant recipient uses or operates a Federal information system or creates, collects, uses, processes, stores, maintains, disseminates, discloses, or disposes of PII within the scope of a Federal award, the agency shall ensure that the grant recipient has procedures in place to respond to a breach and include terms and conditions requiring the recipient to notify the Federal awarding agency in the event of a breach. The procedures should promote cooperation and the free exchange of information with Federal awarding agency officials, as needed, to properly escalate, refer, and respond to a breach. (p. 13)

EDUCAUSE currently has a range of issues in front of FSA, so the possibility that the FAR rule-making on PII breach response by federal contractors may eventually influence FSA agreements provides another point for discussion. Regardless, EDUCAUSE will continue to follow developments in this space and engage the expertise of its members to respond as appropriate.

Office of Management and Budget (OMB) Memorandum, M-17-12, "Preparing for and Responding to a Breach of Personally Identifiable Information" (p. 12):

Thus, at a minimum, contracts should include terms that:

  • Require the contractor to cooperate with and exchange information with agency officials, as determined necessary by the agency, in order to effectively report and manage a suspected or confirmed breach.
  • Require contractors and subcontractors (at any tier) to properly encrypt PII in accordance with OMB Circular A-130 and other applicable policies and to comply with any agency-specific policies for protecting PII;
  • Require regular training for contractors and subcontractors (at any tier) on how to identify and report a breach;
  • Require contractors and subcontractors (at any tier) to report a suspected or confirmed breach in any medium or form, including paper, oral, and electronic, as soon as possible and without unreasonable delay, consistent with the agency's incident management policy and US-CERT notification guidelines;
  • Require contractors and subcontractors (at any tier) to maintain capabilities to determine what Federal information was or could have been accessed and by whom, construct a timeline of user activity, determine methods and techniques used to access Federal information, and identify the initial attack vector;
  • Allow for an inspection, investigation, forensic analysis, and any other action necessary to ensure compliance with this Memorandum, the agency's breach response plan, and to assist with responding to a breach;
  • Identify roles and responsibilities, in accordance with this Memorandum and the agency's breach response plan; and,
  • Explain that a report of a breach shall not, by itself, be interpreted as evidence that the contractor or its subcontractor (at any tier) failed to provide adequate safeguards for PII.

Jarret Cummings is Director of Policy and Government Relations at EDUCAUSE.

© 2018 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.