
After a year of development, NIST has released the long-awaited Cybersecurity Framework, which promises to have significant implications for the public and private sectors alike. The final version retains much of the Framework Core set forth in its draft version and provides a blueprint to align cybersecurity efforts, along with the accompanying Roadmap document discussing next steps. Yet many questions remain, including how to further define voluntary adoption and its incentives, the impact on government contracting, and how third parties may use the standards. For a more detailed analysis of the NIST Cybersecurity Framework and its implications, please see our recent Bullet Analysis.

Please also join Crowell & Moring and The Chertoff Group on February 20, as we host panelists from NIST, DHS, the National Security Staff, and the private sector for a lively discussion regarding this and other critical developments, as well as what to expect in the coming year.

As the latest 10-K filing period for corporations draws to a close, the Securities and Exchange Commission (SEC) is expected to intensify its scrutiny on whether companies’ filings adequately disclose both information security breaches that occurred in the past, and the material risks due to cyber threats such companies face in the future.  Since the Senate Commerce Committee focused greater attention upon corporate cybersecurity in a letter to the SEC on May 12, 2011, momentum has been building for expanded corporate disclosure of cybersecurity safeguards and security breaches.  In October 2011, the SEC issued guidance that publicly traded companies have a duty to disclose “material information regarding cybersecurity risks and cyber incidents” where failure to do so would make other disclosures misleading.  Recent developments both inside and outside the SEC show that corporations can expect an even brighter spotlight this year upon their cybersecurity efforts – and shortfalls.  Now more than ever, publicly traded companies need to be prepared to address, whether in responses to SEC comment letters or in preparing future filings, what material risks they may have due to cyber threats and whether they have taken steps to address such risks and vulnerabilities.

Recent Developments:

In its 2013 Examination Priorities, the SEC identified a number of “risk areas” attracting its focus, including enterprise risk management and companies’ “governance and supervision of information technology systems for topics such as operational capability, market access, and information security, including risks of system outages, and data integrity compromises that may adversely affect investor confidence.”  These Examination Priorities were published on February 21, 2013, one week after the President issued an Executive Order on improving critical infrastructure cybersecurity, and several days after the release of the Mandiant report, which tied the Chinese military to cyberattacks on over 140 U.S. and foreign corporations and other entities.

After years of abortive attempts by Congress to enact comprehensive cybersecurity legislation, the President took matters into his own hands on February 12, signing an Executive Order, Improving Critical Infrastructure Cybersecurity.  Identifying the cyber threat as “one of the most serious national security challenges we must confront,” this Order, along with its contemporaneous Presidential Policy Directive, lays out the policy goals for the President’s cybersecurity program, as well as some specific initiatives. 

Overview.  The Order is long on plans for coordinating government cyber efforts, but it is short on concrete details for just how to implement such a unified whole-of-government approach.  The specifics in the eight-page document include two major initiatives relating to information sharing and cybersecurity standards.

Information Sharing.  The Order lays out the goals and requirements for information sharing on cyber threats.  Within 120 days, the Order provides:  (1) the Secretary of Homeland Security (“the Secretary”), the Director of National Intelligence (“DNI”), and the Attorney General (“AG”) shall issue instructions on producing unclassified reports of cyber threats to specifically targeted entities; (2) the Secretary, the DNI, and the AG shall include in these instructions a process for disseminating classified reports to those entities authorized to receive such information; and (3) the Secretary, in coordination with the Secretary of Defense, shall establish a voluntary information-sharing network called the “Enhanced Cybersecurity Services Program,” which will provide classified threat information to eligible companies.

Cybersecurity Standards.  The Order also requires the Secretary of Commerce to direct the Director of the National Institute of Standards and Technology (“NIST”) to develop a set of standards and processes, incorporating “voluntary consensus standards and industry best practices to the fullest extent possible,” to address cyber risks.  The Order designates this set of standards as the “Baseline Framework.”  In addition, the Secretary must establish a Voluntary Critical Infrastructure Cybersecurity Program, using the Baseline Framework as the foundation for entry into the program.  The Order directs the Secretary to establish a set of incentives for private companies to enter into the Program, noting that some of the preferred incentives may require legislation.  Finally, the Order directs the Federal Acquisition Regulatory Council to develop recommendations on “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration,” thus signaling a likely push for new cybersecurity acquisition regulations for government contractors and the private sector.

No Safe Harbors.  The Order is almost as notable for what it lacks as for what it includes.  The executive branch lacks the legal authority to indemnify companies that meet certain minimum security standards or to exempt from FOIA any information shared by private entities.  These steps will be vital to ensure private sector cooperation and buy-in to the federal government’s cybersecurity plans.

The Future.  In his State of the Union address, the President underscored the continuing need for cyber legislation, concluding that “Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”  Until Congress acts, questions will remain on just what sort of public-private partnership can exist without protections for participating private entities.  Similarly, government contractors will need to pay close attention to the forthcoming incentives and recommendations on security standards in acquisition planning and government contract administration.

Since the emergence of cybersecurity and privacy as high risk issues in the public sector, the Government Accountability Office (GAO) has been at the forefront – identifying risks, reviewing progress of federal agencies, and keeping Congress informed on the latest developments in the cyber and technology arena.  In this role, GAO has reported on the most pressing issues in these areas, as a sampling of its 2012 reports illustrates.

These reports have been produced under the leadership of GAO’s Gregory C. Wilshusen, who not only has extensive expertise with cybersecurity and privacy, but is one of the most experienced witnesses testifying before Congress on information security, privacy, and data protection issues.

On February 20, 2013, from noon to 1:30 pm, Crowell & Moring’s Washington, D.C. office (1001 Pennsylvania Ave., NW, Washington, D.C.) will host an ABA program featuring Mr. Wilshusen on “Information Security, Privacy, and the Government Accountability Office:  Perspectives on Risks, Requirements, and Emerging Issues in the Public Sector.”  David Z. Bodenheimer (Partner, Crowell & Moring LLP; ABA SciTech Division Chair, Security, Privacy, & Information Law; ABA PCL Co-Chair, Cybersecurity, Privacy, & Data Protection Committee) will moderate the program and Sharon Larkin (GAO Contract Appeals Judge and Assistant General Counsel, Procurement Law; Chair-Elect, ABA Public Contract Law Section) will provide introductory remarks on behalf of GAO.  To attend this exciting program in person or by telephone, please register here.  For those who register to attend via teleconference, the ABA will provide dial-in information.  For any questions, please contact David Bodenheimer (dbodenheimer@crowell.com) or Olivia Lynch (olynch@crowell.com).

As a part of the Senate’s recent passage of the 2013 National Defense Authorization Act, Senator Carl Levin (D-MI) has introduced an amendment that would direct the Department of Defense to establish procedures requiring contractors with security clearances to make disclosures when their covered networks have been successfully breached. Amendment 3195 appears to be the latest chapter in the recent trend at the federal and state levels to expand private sector obligations to report data security breaches.

However, this latest breach notification proposal by the Senate Armed Services Committee Chairman raises significant questions for those that it seeks to regulate. In particular, the Amendment creates uncertainty about its scope and the notification process. SA 3195 broadly asks the DOD to determine not only the process by which contractors must report breaches, but also which contractor networks are subject to that process. If the DOD interprets the Amendment expansively, it could extend not only to classified networks, but also to those that are unclassified. Given the expanded responsibilities of the Defense Security Service (DSS) to assist government contractors with cybersecurity for both their classified and unclassified networks, the implementing DOD procedures would presumably follow suit and opt to include reporting requirements covering unclassified, in addition to classified, networks.

Amendment 3195 does establish broad audit and inspection rights for the DOD to probe the private networks of cleared DOD contractors. Specifically, the bill states that any resulting DOD process must include a mechanism by which the DOD can access a contractor’s networks to perform forensic analyses. Such right of entry may create some of the same tensions that DOD contractors experience in dealing with the scope of the Defense Contract Audit Agency’s access to a contractor’s financial and other sensitive information during an audit. Beyond the usual confidentiality concerns, this provision could open the door to other types of investigations if the DOD network audit uncovers wrongdoing unrelated to the original security breach. How deeply may the DOD penetrate the contractor’s networks? What happens if the DOD security auditors trip across attorney-client privileges or other secrets unrelated to the original purpose of the audit? Will a safe harbor be available to contractors? These questions remain unanswered.

Regardless of its future progress in Congress, Amendment 3195 – like many other legislative and regulatory expansions – reflects the growing scrutiny of contractors for data security breaches and cybersecurity shortfalls.

Congressman Langevin (D-RI) serves as one of the leading experts and thought-leaders on Capitol Hill on cybersecurity developments and initiatives. He is the Co-Founder and Co-Chair of the bipartisan House Cybersecurity Caucus and previously co-chaired the Center for Strategic and International Studies Commission on Cyber Security for the 44th Presidency, whose recommendations he is currently implementing. Congressman Langevin was also the chair of the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.

David Z. Bodenheimer, a Crowell & Moring Government Contracts Partner and Co-Chair of both the SciTech Homeland Security Committee and the Public Contract Law Cybersecurity, Privacy, and Data Protection Committee, will serve as moderator for Congressman Langevin’s discussion of how cyber threats affect our national and economic security, how we can protect our national assets, how to promote cybersecurity, and why both public and private sector lawyers should be intimately involved in the process. 

Register now here. We hope to see you there!