Attorney Liability & Conduct

Complex Commercial Litigation


Environmental Law

Government Contracts

Labor & Employment

Retail Industry Trade Regulation

White Collar Criminal Defense

RJO Update: Government Contracts
November 2015

Cybersecurity and the Federal Supply Schedule: What to Expect

By Robert S. Metzger and Brian D. Miller

New regulations are coming that will obligate GSA Schedule holders to satisfy federal cybersecurity requirements to protect Controlled Unclassified Information. Understanding that new regulations will affect your business is only the first step.  You will need to recognize when you are hosting or using any of the many forms of Controlled Unclassified Information (CUI) and you will have to assess whether your information systems (or those you depend upon) measure up to new NIST cyber safeguards specifically created for commercial companies. On Tuesday, November 24, at 1:00 p.m., Bob Metzger and Brian Miller of RJO, along with Kevin Lancaster, CEO of Winvale, will provide a free webinar to help Schedule holders prepare for the new requirements and remain both competitive and compliant.

The federal government has embarked on a broad initiative to improve the security of its many forms of CUI against unauthorized access. A pending rule from the National Archives and Records Administration (NARA) establishes 23 categories and 82 subcategories of CUI and creates a single, coordinated approach to reconciling hundreds of legacy methods by which federal agencies sought to protect sensitive but unclassified information. The NIST unit of the Department of Commerce has completed and released Special Publication SP 800-171, describing 14 families of cyber safeguards specifically intended for nonfederal (contractor) information systems. NARA, NIST, GSA and DoD are cooperating to prepare a single FAR rule that will be applied by all agencies to apply minimum cyber security measures as solicitation requirements and contract terms.

Today, there is no GSA-specific cyber/supply chain rule for Federal Supply Schedule contract holders. But requirements are sure to come. Schedule holders who sell to other federal agencies (especially DoD) and to federal prime contractors will find that they are subject to flow-down cyber requirements from these customers. GSA will move to require FSS holders to protect CUI. DoD already has imposed these obligations on its supply chain – including small businesses and COTS suppliers – and DoD is the largest purchaser of IT products and services from GSA’s Schedule 70. Where GSA contractors are entrusted with any form of CUI – including Personally Identifiable Information (PII), Protected Heath Information (PHI) and Controlled Technical Information, as just examples of CUI – the federal government will expect and require measures to secure its information, and these obligations will apply to companies who host, transmit or use such information.

Even though the rules are not now in place, we can foresee both the broad outline and many of the particulars of what will be required.  Companies will need to evaluate what information they receive from federal customers to determine if it will be subject to safeguarding. They will need to assess existing information systems security to see where there is a “fit” and where there are “gaps” against the new SP 800-171 standard.  Policies and practices will be needed to handle new obligations to report on cyber breaches to federal authorities. Small business will face special challenges, as there will be costs to the new cyber rules and demands for technical expertise. Already, there is concern about a so-called “cyber poverty line” that may arise if otherwise reputable GSA contractors find they cannot afford to implement newly required cyber defense measures.

The webinar, sponsored by Winvale, will help you understand these issues and prepare for future reporting requirements when a cyber attack hits your business. This webinar will take on subjects important to all Schedule holders (large and small), including:

  • Outlining new federal cybersecurity initiatives
  • Determining what federal information will require protection
  • How will these initiatives affect eligibility for GSA contracts?
  • What exposure do Schedule contractors face?
  • False certification risks
  • Is there a "cyber poverty line" and how can you stay above it?
  • Challenges for smaller businesses
  • What resources and affordable compliance strategies are available?
  • How to manage and mitigate risks and liability
  • Finding competitive advantage in cybersecurity
RJO’s Bob Metzger and Brian Miller bring extraordinary credentials to this timely subject. Bob, who is the head of RJO’s Washington, D.C. office, is a nationally recognized expert in cyber and supply chain security and is respected by government and industry for this thought leadership in these areas. Brian, who recently joined RJO’s D.C. office, was Inspector General of the GSA from 2005 until May 2014. Highly regarded for his vigilance in prevention of public waste and corruption, Brian previously held several notable positions at the Department of Justice, including a senior management role at the U.S. Attorney's Office for the Eastern District of Virginia, Special Counsel on Health Care Fraud/Senior Counsel to the Deputy Attorney General, and as an Assistant U.S. Attorney in the Eastern District. Most recently, Brian was a Managing Director of Navigant Consulting. Registration for the webinar is at

The content of this article is intended to provide a general guide to the subject matter, and is not a substitute for legal advice in specific circumstances.


Back to top

Government Contracts Publications

See Other RJO Updates

RJO Updates