By Brandon Basso
“What does this FAR clause say?” This is the common question among government contractors when doing business with each other. The Federal Acquisition Regulations (FAR) is a set of regulations that dictates the way in which government contractors write their contracts, share data, impose liability, disclose amounts of money spent to make a product, bid on solicitations, etc. For example, a prime contractor (as an entity) is responsible for attaching pertinent FAR clauses in a contract with a buyer, or with a subcontractor working for the prime to develop a product. Further, attaching FAR clauses to contracts is an attempt to protect an entity from liability. For instance, attaching FAR clauses to an expressed contract is like a general partnership filing to be a LLP; the FAR clauses create a liability shield that protects the government contractor and its employees from liability. While jointly developing a product together, if a prime contractor learns that a subcontractor cannot, or will not, comply with the FAR clause requirements, then the prime contractor will find another subcontractor who will comply with the FAR.
First, FAR compliance started with the implementation of the SAFETY Act. The word “SAFETY” stands for Support Anti-Terrorism by Fostering Effective Technologies. Originally enacted in 2002, the SAFETY Act awarded liability protection for product and service providers, such as government contractors, following a certified terrorist event. By limiting the government contractor’s liability, the Act encouraged more contractors to develop cyber-products that would aid in the prevention of terrorist attacks (including cyber-attacks). Therefore, the Act allows certified government contractors to enjoy wide immunity when developing qualified anti-terrorism technology.
One such type of technology is the Tactical Local Area Network Encryption (TACLANE Encryptor), sold by the contractor, General Dynamics, which serves as a private highway for classified information. The TACLANE encrypts internet and satellite communication between military personnel, and stores and protects big data. Without it, valuable information could be leaked to the public, and rogue actors could use such information to plot against our government. Thus, government contractors like General Dynamics must comply with the FAR when building such equipment because the sensitive technical data and proprietary information that is used to build such equipment should not be shared. If this information is leaked, then the entity that leaked the information or negligently allowed such information to be stolen (due to noncompliance with the FAR) will face significant penalties from the federal government.
An example of such information is “controlled technical data,” which is a type of technical information with military or space application subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Also, there is information passed between government contractors that is just not suitable for the public to know about. This information is referred to as “federal contract information,” which is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public or simple transactional information, such as necessary to process payments.” Information made public on government websites is not considered “federal contract information.”
Defense contractors must comply with Federal Acquisition Regulations because they use sensitive information to build high technology cyber equipment that, if disclosed, will weaken the government’s defense structure. FAR clause 52.204-21 states that the “Contractor shall apply the following basic safeguarding requirements and procedures to protect covered contractor information systems,” and then lists the necessary safeguarding procedures. Additionally, DFAR 252.204–7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) states, “if the Contractor discovers a cyber-incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract the Contractor shall. . .” and then lists the way in which the contractor shall report cyber incidents.
Complying with these regulations is absolutely necessary. Otherwise, noncompliance results in arrests of government contractor employees, such as the employee from Booze Allen Hamilton, who was arrested for illegally removing highly classified information from the National Security Administration (NSA), and storing the material in his house and car. It is too dangerous for federal proprietary information to end up in the wrong hands. Additionally, there’s good reason that over $19 billion is invested in cyber security (35% increase from the fiscal year 2016), and it’s so nations who like to engage in cyber-attacks for espionage or economic gain, such as the Chinese military, are not able to attack the U.S. defense network. These nations use various techniques to obtain information about the U.S.’ spy networks, classified information, and proprietary information. Also, terrorist organizations usually target critical infrastructure with the aim of incapacitation.
With that, the TACLANE encryptor is one of various types of cyber equipment used to prevent such incapacitation from happening. Moreover, compliance with the FAR while building such equipment will keep federal information safe and secure from rogue actors.
Student Bio: Brandon is a Staff Member on the Journal of High Technology Law. He is currently a 2L at Suffolk Law, and possesses a B.A. in Government from Georgetown University.
Link: http://farsite.hill.af.mil/
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
