The National Institute of Standards and Technology (NIST) recently published a draft special publication titled Systems Security Engineering: Resiliency Considerations for the Engineering of Trustworthy Secure Systems (Volume 2), which provides guidance to professionals responsible for the activities and tasks related to the system life cycle processes in NIST’s flagship publication, NIST Special Publication 800-160 Volume 1 (Volume 1).  Volume 2 is the first in a series of systems security engineering publications supplementing Volume 1, and describes how to apply cyber resiliency concepts, constructs, and engineering practices, as part of systems security engineering.

Volume 1 built upon well-established international standards for systems and software engineering to describe the actions necessary to develop more defensible and survivable systems.  Volume 2 describes cyber resiliency principles that organizations can select and apply to their own systems based on the organization’s threat environment.   These principles help organizations address certain types of advanced cyber-threats that have the capability to breach critical systems, establish a presence within those systems often undetected, and inflict immediate and long-term damage to economic and security interests.  Among other things, developers could look to the draft publication for guidance on how to increase the security of older legacy systems in order to limit potential hackers’ access in the event of a data breach.   NIST is accepting public comments until May 18, 2018.

As defense contractors continue to push towards their end-of-year implementation deadline for NIST SP 800-171 under DFARS 252.204-7012, the National Institute of Standards & Technology (NIST) has given the contracting community some extra time to respond to a draft publication that outlines how they and their customers alike can assess compliance with the security standard.  Initially published on November 28, NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, is now open for comment until January 15, 2018 – several weeks longer than the initial deadline of December 27. 

The contracting community is hurrying to keep pace with the bevy of recent privacy and cybersecurity requirements incorporated into their government contracts across all agencies.  On May 4, 2017, at 1:45 PM Eastern, Crowell & Moring attorneys Evan Wolff, Peter Miller, Mark Ries, and Kate Growley will lead a discussion to help contractors wrap their heads around this flurry of activity. Specific topics will include:

  • Covered defense information
  • Controlled unclassified information
  • Insider threats
  • Privacy training requirements
  • M&A cyber due diligence
  • Vendor management
  • General Data Protection Regulation (GDPR)

For more information and to register for OOPS, please click here.

Companies of all sizes are increasingly subject to the practical and legal implications of today’s cybersecurity environment, and contractors are no exception.  On May 26, 2016, at 11:00 AM Eastern, Crowell & Moring attorneys David Bodenheimer, Evan Wolff, and Kate Growley will lead a discussion highlighting some of the past year’s most significant cyber contracting developments, what trends are worth watching for the future, and how contractors can craft a comprehensive approach to get ahead of it all.  Specific topics include:

  • Revisions to DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
  • Publication of FAR 52.204-21, Basic Safeguarding of Contractor Information Systems
  • Managing the “Internet of Things”
  • Approaches to cyber lifecycle management, including compliance, supply chain risk, and information sharing

Check back in the coming days for more updates as we count down to OOPS on May 25th (in DC)! You can also check for updates on Twitter using the hashtag #cm2016oops, and at crowell.com/OOPS.

Click here to register for OOPS on May 25-26th in Washington, DC.
Information has become foundational in today’s federal and corporate arenas and is increasingly under threat and exploitation. Last month, attorneys from Crowell & Moring’s Privacy & Cybersecurity group lent their voices to WFED/WTOP radio to discuss how the public and private sectors are responding. Listen in here as our colleagues discuss the cyber threat landscape, what steps the federal government and private industry are taking to protect their information, and what trends they’re keeping their eyes on for the coming year.

Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors.  Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts. 

It seeks to do so primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate.  Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors.  First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls.  Second, they must report various cyber incidents to the DoD within 72 hours of their discovery.  These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application. 

The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI).  CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule.  But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.”  Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes.  To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”

Another notable point of expansion would affect subcontractors.  Under the current DFARS Safeguarding Clause, subcontractors suffering a cyber incident must report to the pertinent prime contractor, who then submits the required report to the DoD.  Subcontractors do not report directly to the DoD under the current rule.  The Interim Rule would continue to require subcontractors to report cyber incidents to their primes, but it would also require subs to submit the required report directly to the DoD, creating the potential for inconsistent reports from the prime and sub regarding the same cyber incident.

Other key provisions of the DFARS Safeguarding Clause, however, would remain the same.  For example, the Interim Rule would continue to apply to all solicitations and contracts, including those for commercial items.  The government would also remain required to protect any proprietary information that a contractor reports pursuant to the Interim Rule.  The reporting timeline of 72 hours would also remain the same, which the Interim Rule dubs “rapid reporting.”  Additionally, and importantly, the Interim Rule would continue to recognize the probability that even information systems with “adequate security” may still suffer a cyber incident.  That is, the Interim Rule would explicitly state that the fact that a contractor has suffered a cyber incident and submitted a corresponding report would not necessarily mean that the contractor had failed to comply with the Clause’s broader cybersecurity requirements.

The Interim Rule likely does not come as a surprise to many.  Congress passed provisions in the National Defense Authorization Acts of 2013 and 2015 that called for the regulations that the Interim Rule now seeks to implement.  The Interim Rule has thus been a long time coming, but that the DoD chose to publish it now seems appropriate.  The executive branch has been implementing a whirlwind of cyber regulations specific to federal contractors, all in an effort to stem the nation’s cyber vulnerabilities.  Just last week, the Office of Management & Budget released proposed cybersecurity guidance that could lead to further amendments to the Federal Acquisition Regulation (FAR).

Comments on the Interim Rule, which separately addresses cloud computer services and is discussed here, are due on or before October 26, 2015.
Crowell & Moring is proud to announce that the ABA Public Contract Law Section has recognized Partner David Bodenheimer, along with Maureen Kelly of Northrop Grumman and Annejanette Pickens of General Dynamics, for their exceptional efforts as co-chairs of the Section’s Committee on Cybersecurity, Privacy, and Data Protection.  The Section recently presented the Committee with the prestigious “Committee of the Year Award” and praised the co-chairs’ “significant contributions to attorney development, Section programming, and the practice of public contract law.”  Congratulations on a well-deserved honor!
In conjunction with his remarks at the White House Summit on Cybersecurity at Stanford University earlier this month, President Obama signed Executive Order 13691, entitled “Promoting Private Sector Cybersecurity Information Sharing.”  Published in the Federal Register last week, the Order is intended to encourage and facilitate cybersecurity information sharing within the private sector, and also between government and the private sector.  The Order emphasizes that, because a large majority of the nation’s critical infrastructure is privately owned, cybersecurity is necessarily a shared public-private mission.  At the same time, however, it also recognizes that cybersecurity must balance the exigency of security against the privacy and civil liberties of the American people.

For a complete summary of the Order and its implications, continue reading here.

After a year of development, NIST has released the long-awaited Cybersecurity Framework, which promises to have significant implications for the public and private sectors alike. The final version retains much of the Framework Core set forth in its draft version and provides a blueprint to align cybersecurity efforts, along with the accompanying Roadmap document discussing next steps. Yet many questions remain, including how to further define voluntary adoption and its incentives, the impact on government contracting, and how third parties may use the standards. For a more detailed analysis of the NIST Cybersecurity Framework and its implications, please see our recent Bullet Analysis.

Please also join Crowell & Moring and The Chertoff Group on February 20, as we host panelists from NIST, DHS, the National Security Staff, and the private sector for a lively discussion regarding this and other critical developments, as well as what to expect in the coming year.

The executive cyber machine continues to hum along. Last month, the White House previewed possible “cyber incentives” that could coax private industry into following the cyber “best practices” that the government will promulgate in the not-too-distant future. The target audience is critical infrastructure: private companies that provide services so vital to the nation’s day-to-day function that the government feels obligated to ensure their resilience. Think standard utilities like water and electricity, cell phone and internet service, and banking.

Seven months ago, on February 12, 2013, President Obama signed Executive Order 13636, which called for a three-part approach to mitigating the cyber threats that the nation’s critical infrastructures face – information sharing, privacy, and cybersecurity practices. In an effort to promote the last of these three, the White House has been working with critical industry owners and operators to define a set of best practices that it will eventually consolidate into a “Cybersecurity Framework.” The Framework would become the standard for a “Voluntary Program” in which critical infrastructure companies participate. The hitch, however, is how to convince those private sector companies to actually join the Program. Continue Reading White House Previews Potential Incentives for Voluntary Cyber Framework