
After a year of development, NIST has released the long-awaited Cybersecurity Framework, which promises to have significant implications for the public and private sectors alike. The final version retains much of the Framework Core set forth in its draft version and provides a blueprint to align cybersecurity efforts, along with the accompanying Roadmap document discussing next steps. Yet many questions remain, including how to further define voluntary adoption and its incentives, the impact on government contracting, and how third parties may use the standards. For a more detailed analysis of the NIST Cybersecurity Framework and its implications, please see our recent Bullet Analysis.

Please also join Crowell & Moring and The Chertoff Group on February 20, as we host panelists from NIST, DHS, the National Security Staff, and the private sector for a lively discussion regarding this and other critical developments, as well as what to expect in the coming year.

The executive cyber machine continues to hum along. Last month, the White House previewed possible “cyber incentives” that could coax private industry into following the cyber “best practices” that the government will promulgate in the not-too-distant future. The target audience is critical infrastructure: private companies that provide services so vital to the nation’s day-to-day function that the government feels obligated to ensure their resilience. Think standard utilities like water and electricity, cell phone and internet service, and banking.

Seven months ago, on February 12, 2013, President Obama signed Executive Order 13636, which called for a three-part approach to mitigating the cyber threats that the nation’s critical infrastructures face – information sharing, privacy, and cybersecurity practices. In an effort to promote the last of these three, the White House has been working with critical industry owners and operators to define a set of best practices that it will eventually consolidate into a “Cybersecurity Framework.” The Framework would become the standard for a “Voluntary Program” in which critical infrastructure companies participate. The hitch, however, is how to convince those private sector companies to actually join the Program. Continue Reading White House Previews Potential Incentives for Voluntary Cyber Framework

2013 has been a historic year for cybersecurity, privacy and data breach issues. From the President’s Executive Order, to the revised NIST security & privacy controls, and to the groundbreaking Mandiant report on cyber espionage, the pressure is on for companies to secure their handling of sensitive data.

In order to mitigate the risk of data breach, cyber theft, and the loss of trade secrets and other intellectual property, both the government agencies and private companies need to understand the sector-specific rules and requirements for information security, privacy, and data protection. Only after the rules of the road are fully understood can agencies and contractors implement policies to mitigate the risks posed by cyber threats. Continue Reading Cybersecurity and Data Privacy in 2013: Contracting in a Time of Increased Scrutiny

On February 12, 2013, President Obama signed Executive Order 13636 for Improving Critical Infrastructure Cybersecurity (EO), along with Presidential Policy Directive-21 on Critical Infrastructure Security and Resilience (PPD-21). Now, some 120 days later, federal agencies are feeling the crunch to report back to the White House with their findings on the state of federal cybersecurity and their recommendations going forward.

Among those with a June 12, 2013, deadline are the Department of Defense and the General Services Administration. Under Section 8(e) of the EO, the two agencies were to consult with the Department of Homeland Security (DHS) and the Federal Acquisition Regulation (FAR) Council to craft recommendations regarding how to improve cybersecurity within federal procurement. Specifically, their June 12 report should inform the President on the feasibility of incorporating cybersecurity standards into federal acquisitions, along with the security benefits and other relative merits of doing so. Continue Reading How Quickly 120 Days Pass – Deadline for Cyber EO

After years of abortive attempts by Congress to enact comprehensive cybersecurity legislation, the President took matters into his own hands on February 12, signing an Executive Order, Improving Critical Infrastructure Cybersecurity.  Identifying the cyber threat as “one of the most serious national security challenges we must confront,” this Order, along with its contemporaneous Presidential Policy Directive, lays out the policy goals for the President’s cybersecurity program, as well as some specific initiatives. 

Overview.  The Order is long on plans for coordinating government cyber efforts, but it is short on concrete details for just how to implement such a unified whole-of-government approach.  The specifics in the eight-page document include two major initiatives relating to information sharing and cybersecurity standards.

Information Sharing.  The Order lays out the goals and requirements for information sharing on cyber threats.  Within 120 days, the Order provides: (1) the Secretary of Homeland Security (“the Secretary”), the Director of National Intelligence (“DNI”), and the Attorney General (“AG”) shall issue instructions on producing unclassified reports of cyber threats to specifically targeted entities; (2) the Secretary, the DNI, and the AG shall include in these instructions a process for disseminating classified reports to those entities authorized to receive such information; and (3) the Secretary, in coordination with the Secretary of Defense, shall establish a voluntary information-sharing network called the “Enhanced Cybersecurity Services Program,” which will provide classified threat information to eligible companies.

Cybersecurity Standards.  The Order also requires the Secretary of Commerce to direct the Director of the National Institute of Standards and Technology (“NIST”) to develop a set of standards and processes, incorporating “voluntary consensus standards and industry best practices to the fullest extent possible,” to address cyber risks.  The Order designates this set of standards as the “Baseline Framework.”  In addition, the Secretary must establish a Voluntary Critical Infrastructure Cybersecurity Program, using the Baseline Framework as the foundation for entry into the program.  The Order directs the Secretary to establish a set of incentives for private companies to enter into the Program, noting that some of the preferred incentives may require legislation.  Finally, the Order directs the Federal Acquisition Regulatory Council to develop recommendations on “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration,” thus signaling a likely push for new cybersecurity acquisition regulations for government contractors and the private sector.

No Safe Harbors.  The Order is almost as notable for what it lacks as for what it includes.  The executive branch lacks the legal authority to indemnify companies that meet certain minimum security standards or to exempt from FOIA any information shared by private entities.  These steps will be vital to ensure private sector cooperation and buy-in to the federal government’s cybersecurity plans.

The Future.  In his State of the Union address, the President underscored the continuing need for cyber legislation, concluding that “Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”  Until Congress acts, questions will remain on just what sort of public-private partnership can exist without protections for participating private entities.  Similarly, government contractors will need to pay close attention to the forthcoming incentives and recommendations on security standards in acquisition planning and government contract administration.

Just before the closing bell for 2012, the federal government gave its first approval for government-wide security authorization to a cloud service provider.  On December 26, the General Services Administration (GSA) certified its first cloud service provider under the Federal Risk and Authorization Management Program, more commonly known as FedRAMP.  The GSA expects last month’s authorization to pave the way for more in early 2013, with some anticipating as many as 10 to 15 authorizations over the course of the year.

In an effort to better implement the government’s “Cloud First” policy, the GSA collaborated with private industry and other executive agencies – including the NIST, DHS, and DOD – to standardize security requirements for federal cloud contractors.  Begun in June 2012, certification under the FedRAMP standards will become mandatory by the same month in 2014.

North Carolina-based Autonomic Resources has been the first cloud service provider to check all of FedRAMP’s boxes, but its journey to complete federal endorsement is not over.  Cloud service providers seeking FedRAMP approval must undergo a four-step application process.  Either a contractor or an agency may initiate a FedRAMP review.  Contractors must then retain a “third party assessor” (3PAO) to perform an independent assessment of whether the contractor’s security systems comply with Federal Information Security Management Act (FISMA) and NIST standards.  With a 3PAO’s security assessment package in hand, the contractor may then apply for provisional authorization from FedRAMP’s Joint Authorization Board (JAB), comprised of the Chief Information Officers (CIOs) from the DOD, DHS, and GSA.  This is the certification that FedRAMP has granted Autonomic Resources, but the key word is “provisional.”  The JAB “authorization to operate” (ATO) is but an initial endorsement of the contractor’s security controls and their acceptable risk.  Specific agencies are to then leverage this threshold approval to streamline their more tailored ATOs.  Although not formally a part of the application process, it is worth noting that, even after agency approval, the contractor must provide FedRAMP with continuous monitoring reports and various updates.

As the former federal CIO stated, the idea behind the FedRAMP process is “approve once, use often.”  This practice seeks to maximize transparency between cloud contractors and the federal agencies, while minimizing duplicative efforts.  The GSA expects the result to be a universal and trustworthy security authorization process that consumes less time and fewer taxpayer dollars.  Current GSA estimates predict that, with the help of the FedRAMP system, agencies will save approximately $200,000 per authorization.  Until the GSA ushers more prospective cloud contractors through the FedRAMP process, however, federal agencies will have to wait for such savings.  In the meantime though, nothing is preventing agencies from relying on FedRAMP guidelines to independently scrutinize the security of their contractors.

For more information about federal cloud computing and acquisitions, see http://www.crowell.com/files/Cloud-Computing-Acquisitions-Cybersecurity.pdf.

As a part of the Senate’s recent passage of the 2013 National Defense Authorization Act, Senator Carl Levin (D-MI) has introduced an amendment that would direct the Department of Defense to establish procedures requiring contractors with security clearances to make disclosures when their covered networks have been successfully breached. Amendment 3195 appears to be the latest chapter in the recent trend at the federal and state levels to expand private sector obligations to report data security breaches.

However, this latest breach notification proposal by the Senate Armed Services Committee Chairman raises significant questions for those that it seeks to regulate. In particular, the Amendment creates uncertainty about its scope and the notification process. SA 3195 broadly asks the DOD to determine not only the process by which contractors must report breaches, but also which contractor networks are subject to that process. If the DOD interprets the Amendment expansively, it could extend not only to classified networks, but also to those that are unclassified. Given the expanded responsibilities of the Defense Security Service (DSS) to assist government contractors with cybersecurity for both their classified and unclassified networks, the implementing DOD procedures would presumably follow suit and include reporting requirements covering unclassified, in addition to classified, networks.

Amendment 3195 does establish broad audit and inspection rights for the DOD to probe the private networks of cleared DOD contractors. Specifically, the bill states that any resulting DOD process must include a mechanism by which the DOD can access a contractor’s networks to perform forensic analyses. Such right of entry may create some of the same tensions that DOD contractors experience in dealing with the scope of the Defense Contract Audit Agency’s access to a contractor’s financial and other sensitive information during an audit. Beyond the usual confidentiality concerns, this provision could open the door to other types of investigations if the DOD network audit uncovers wrongdoing unrelated to the original security breach. How deeply may the DOD penetrate the contractor’s networks? What happens if the DOD security auditors trip across attorney-client privileges or other secrets unrelated to the original purpose of the audit? Will a safe harbor be available to contractors? These questions remain unanswered.

Regardless of its future progress in Congress, Amendment 3195 – like many other legislative and regulatory expansions – reflects the growing scrutiny of contractors for data security breaches and cybersecurity shortfalls.

Proponents of the Cyber Intelligence Sharing and Protection Act (more commonly known as CISPA) won a small battle last month when the House of Representatives passed the proposed bill by a vote of 248 to 168, with 42 yays from Democrats.  Yet the war for comprehensive cybersecurity legislation is far from over, as CISPA’s next campaign – the Senate – is expected to be a tougher fight.  Even if it were to prevail there, the White House has stated that it would likely veto the bill.

Still, CISPA supporters believe that last-minute amendments may persuade some opponents into reconsidering their positions.  According to an Office of Management and Budget statement made prior to the vote, the Obama Administration’s primary concerns were that CISPA did not go far enough to protect critical infrastructure; that it repealed portions of electronic surveillance law without implementing counterbalancing privacy protections; and that it granted too much shelter to the private sector from cyber liability.  Representatives Rogers (R-MI) and Ruppersberger (D-MD), the bill’s co-sponsors, have since responded that regulating critical infrastructure is beyond the purview of the House Intelligence Committee – from whence the bill came – and that the now-approved changes to the bill narrow the government’s ability to retain and then use shared data.  The amendments have yet to scale back liability exemptions, provisions that remain popular with industry.  The White House has yet to comment on the revised bill.

In its current form, CISPA has won the support of Internet and technology companies such as Facebook and Symantec.  Notably, though, some companies have jumped ship and now oppose the legislation.  Civil rights groups, including the ACLU, also remain unconvinced.  Cyber activist group Anonymous has been particularly vociferous in its opposition, calling for a series of protests and "swift messages" against industry supporters.

CISPA is not the only cybersecurity bill to face growing scrutiny.  Members of the House and the Senate have offered at least nine other cybersecurity bills, including separate proposals from Senators Lieberman (I-CT) and McCain (R-AZ).  As with CISPA, some critics believe Congress has yet to advance legislation comprehensive enough to cure the country’s growing cyber vulnerabilities while protecting the citizenry’s civil liberties – a familiar quandary in post-9/11 America.

In an effort to comply with the 2011 Budget Control Act, the Department of Defense has proposed a “difficult but manageable” budget that will save approximately $259 billion over the next five years, totaling $487 billion in savings within a decade. Coordinated with President Obama’s defense strategy guidance, this new budget provides a glimpse into the government’s evolving national security priorities, focusing on military agility abroad and economic stability at home. 

Among the major takeaways is a strategic shift from an emphasis on land-based conflict to one conducted via sea and air, where the U.S. believes it can best exploit its comparative advantages. In concert with withdrawals from Afghanistan and Iraq, the Army is expected to see eight of its brigade combat teams dissolved. This would be but one component of the suggested 15% reduction in the Army’s total active forces. As the government grows reluctant to engage in large-scale and prolonged military operations, the Marine Corps, too, would not escape unscathed. Its total number faces a 10% reduction, including the loss of at least one infantry regiment, with more potentially on the table. What is more, the procurement of F-35 Joint Strike Fighters would be cut from 42 to 29, along with additional delays. 

In contrast, the Navy and Air Force stand to gain from the DOD’s realignment of priorities. The Navy would retain its current fleet of eleven aircraft carriers and ten air wings, while enhancing its submarine cruise missile capacity. Not to be outdone, the Air Force would continue to receive funding for its new long-range bombers, and drone patrols could increase in capacity from 65 to 85, calling attention to the perceived need for military flexibility.

This brings us to another notable focal point – the DOD’s technological capabilities. In an effort to remain responsive and keep pace with other nations, the government would maintain its financing of unmanned intelligence, surveillance, and reconnaissance (ISR) systems on a broader basis, and funding for cyber operations would actually jump – one of the few defense projects to receive such a boon.

Yet Leon Panetta and others have not completely abandoned their previous military champions. For example, in contrast to the diminution of general ground forces, the DOD intends to stay the course concerning its special operations forces. The number of these elite groups has doubled since 2001, and their continuance reflects the Department’s ongoing counterterrorism efforts.