Last week, the Office of Management and Budget issued an updated breach response policy for federal agencies, replacing a policy last updated in 2007.  The policy, set forth in memorandum M-17-12, provides minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII).   In addition to setting forth requirements for federal agencies to prepare for and respond to breaches, the policy also includes required contractual terms regarding breach preparedness and response for certain federal contractors.

The policy states that the contractual requirements should be inserted into any contract, cooperative agreement or other similar instrument where the contractor collects or maintains PII, or uses or maintains an information system, on behalf of the Government.  Contractors subject to these provisions will be required to:

  • Encrypt PII in accordance with OMB guidance and any agency-specific requirements;
  • Conduct regular training for contractor employees on how to identify and report a breach;
  • Report breaches (including breaches of hard-copy information) as soon as possible and without unreasonable delay;
  • Maintain capabilities to track access to information (including the time of access and the identity of the party accessing the information), construct a timeline of activity, and identify attack vectors;
  • Cooperate with the agency, including any necessary exchange of information, in order to effectively report and manage a suspected breach;
  • Allow for inspection, investigation, forensic analysis, and any other necessary actions to comply with the policy; and
  • Identify roles and responsibilities consistent with the policy and with the agency’s breach response plan.

The contract must also state that a breach, by itself, shall not be interpreted as evidence of a failure to provide adequate safeguards for PII.  The policy notes that an agency may include provisions that require a contractor to provide notification to affected individuals and take measures to mitigate risks to those affected individuals, but does not require such a provision in all agreements.

The memorandum also requires agencies to ensure that entities that have access to PII in relation to a federal grant have “procedures in place to respond to a breach and include terms and conditions requiring the recipient to notify the Federal awarding agency in the event of a breach.”

In addition to the contractual requirements outlined above, the policy also sets forth minimum requirements for agencies to prepare for and respond to breaches.  The policy requires agencies to develop and implement a breach response plan and describes the required elements of such a plan, including the identification of the members of a breach response team, plans for providing any appropriate notification, and procedures for risk assessment and mitigation.  According to the policy, agencies must hold annual tabletop exercises and conduct an annual review of the breach response plan.  The policy also states that agencies should arrange for appropriate logistical and technical support, such as forensic experts or call center support, in advance of a breach.

The policy applies to all breaches, regardless of medium (including hard-copy information), and specifically notes that individuals should report any suspected breaches and should not wait for confirmation of a breach to report it.  Once a breach has been reported, the policy states that the agency should respond in accordance with its breach response plan.  The policy requires agencies to comply with applicable breach notification requirements, but notes that agencies should balance the need for transparency against the dangers of over-notification in determining whether providing notification would benefit the affected individuals.

The policy also requires agencies to track and document all breach responses.  In furtherance of this requirement, an appendix to the policy includes a model internal reporting template to track breaches and any notifications provided as a result.  If the agency reports a breach to Congress, the policy requires the agency to convene its breach response team to review its response to the breach and any “lessons learned” as a result of the response.

Per the policy, agencies must submit an updated breach response plan that complies with the policy within 180 days of the policy’s issuance on January 3, 2017.  Contractors that handle PII on behalf of agencies, or use or maintain agency information systems, should prepare to comply with new breach-related contractual provisions in accordance with the policy’s requirements for certain federal contracts.

Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.