By Susan Cassidy, Alex Sarria

On August 11, 2015, the Office of Management and Budget (OMB) issued a draft guidance memorandum intended to improve cybersecurity protections in federal acquisitions. Specifically, the proposed memorandum provides direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provides access to Controlled Unclassified Information (CUI) on behalf of the Federal government.” CUI is defined in a recently issued proposed FAR rule as “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.”

Although the OMB memorandum is a laudable attempt to create uniformity across the federal government, the Guidance leaves many questions unanswered and the details of its implementation by federal agencies remains to be seen. As described below, even with this Guidance, contractors will continue to encounter inconsistent requirements for what constitutes a “cyber incident,” how quickly a cyber incident must reported to the government, and what security controls are considered “adequate” for safeguarding CUI.

This Covington Alert outlines the guidance provided by OMB, and notes important questions left unanswered by the proposed memorandum.