Photo of Evan D. WolffPhoto of Kate M. Growley, CIPP/G, CIPP/USPhoto of Maida Oringher LernerPhoto of Peter B. Miller, CIPP/G/US, CIPP/E, CIPM, CIPTPhoto of Judy ChoiPhoto of Payal NanavatiPhoto of Michael G. Gruden, CIPP/G

The National Institute of Standards and Technology (NIST) recently published a draft special publication titled Systems Security Engineering: Resiliency Considerations for the Engineering of Trustworthy Secure Systems (Volume 2), which provides guidance to professionals responsible for the activities and tasks related to the system life cycle processes in NIST’s flagship publication, NIST Special Publication 800-160 Volume 1 (Volume 1).  Volume 2 is the first in a series of systems security engineering publications supplementing Volume 1, and describes how to apply cyber resiliency concepts, constructs, and engineering practices, as part of systems security engineering.

Volume 1 built upon well-established international standards for systems and software engineering to describe the actions necessary to develop more defensible and survivable systems.  Volume 2 describes cyber resiliency principles that organizations can select and apply to their own systems based on the organization’s threat environment.   These principles help organizations address certain types of advanced cyber-threats that have the capability to breach critical systems, establish a presence within those systems often undetected, and inflict immediate and long-term damage to economic and security interests.  Among other things, developers could look to the draft publication for guidance on how to increase the security of older legacy systems in order to limit potential hackers’ access in the event of a data breach.   NIST is accepting public comments until May 18, 2018.

Photo of Kate M. Growley, CIPP/G, CIPP/US

As defense contractors continue to push towards their end-of-year implementation deadline for NIST SP 800-171 under DFARS 252.204-7012, the National Institute of Standards & Technology (NIST) has given the contracting community some extra time to respond to a draft publication that outlines how they and their customers alike can assess compliance with the security standard.  Initially published on November 28, NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, is now open for comment until January 15, 2018 – several weeks longer than the initial deadline of December 27. 


Photo of Peter J. EyrePhoto of David B. Robbins

Crowell & Moring’s “Fastest 5 Minutes” is a biweekly podcast that provides a brief summary of significant government contracts legal and regulatory developments that no government contracts lawyer or executive should be without. This latest edition is hosted by partners Peter Eyre and David Robbins and includes updates on DoD’s plan to implement the 2017 NDAA, a NIST publication on cybersecurity, and relevant case law.
Listen: | PodBean | SoundCloud | iTunes


Photo of David BodenheimerPhoto of Evan D. WolffPhoto of Kate M. Growley, CIPP/G, CIPP/US

After a year of development, NIST has released the long-awaited Cybersecurity Framework, which promises to have significant implications for the public and private sectors alike. The final version retains much of the Framework Core set forth in its draft version and provides a blueprint to align cybersecurity efforts, along with the accompanying Roadmap document discussing next steps. Yet many questions remain, including how to further define voluntary adoption and its incentives, the impact on government contracting, and how third parties may use the standards. For a more detailed analysis of the NIST Cybersecurity Framework and its implications, please see our recent Bullet Analysis.

Please also join Crowell & Moring and The Chertoff Group on February 20, as we host panelists from NIST, DHS, the National Security Staff, and the private sector for a lively discussion regarding this and other critical developments, as well as what to expect in the coming year.

Photo of Kate M. Growley, CIPP/G, CIPP/USPhoto of David Bodenheimer

After years of abortive attempts by Congress to enact comprehensive cybersecurity legislation, the President took matters into his own hands on February 12, signing an Executive Order, Improving Critical Infrastructure Cybersecurity.  Identifying the cyber threat as “one of the most serious national security challenges we must confront,” this Order, along with its contemporaneous Presidential Policy Directive, lays out the policy goals for the President’s cybersecurity program, as well as some specific initiatives. 

Overview.  The Order is long on plans for coordinating government cyber efforts, but it is short on concrete details for just how to implement such a unified whole-of-government approach.  The specifics in the eight-page document include two major initiatives relating to information sharing and cybersecurity standards.

Information Sharing.  The Order lays out the goals and requirements for information sharing on cyber threats.  Within 120 days, the Order  provides:  (1) the Secretary of Homeland Security(“the Secretary”), the Director of National Intelligence (“DNI”), and the Attorney General (“AG”) shall issue instructions on producing unclassified reports of cyber threats to specifically targeted entities; (2) the Secretary, the DNI, and the AG shall include in these instructions a process for disseminating classified reports to those entities authorized to receive such information; and (3) the Secretary, in coordination with the Secretary of Defense, shall establish a voluntary information-sharing network called the “Enhanced Cybersecurity Services Program,” which will provide classified threat information to eligible companies.

Cybersecurity Standards.  The Order also requires the Secretary of Commerce to direct the Director of the National Institute of Standards and Technology (“NIST”) to develop a set of standards and processes, incorporating “voluntary consensus standards and industry best practices to the fullest extent possible,” to address cyber risks.  The Order designates this set of standards as the “Baseline Framework.”  In addition, the Secretary must establish a Voluntary Critical Infrastructure Cybersecurity Program, using the Baseline Framework as the foundation for entry into the program.  The Order directs the Secretary to establish a set of incentives for private companies to enter into the Program, noting that some of the preferred incentives may require legislation.  Finally, the Order directs the Federal Acquisition Regulatory Council to develop recommendations on “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration,” thus signaling a likely push for new cybersecurity acquisition regulations for government contractors and the private sector.

No Safe Harbors.  The Order is almost as notable for what it lacks as for what it includes.  The executive branch lacks the legal authority to indemnify companies that meet certain minimum security standards or to exempt from FOIA any information shared by private entities.  These steps will be vital to ensure private sector cooperation and buy-in to the federal government’s cybersecurity plans.

The Future.  In his State of the Union address, the President underscored the continuing need for cyber legislation, concluding that “Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”  Until Congress acts, questions will remain on just what sort of public-private partnership can exist without protections for participating private entities.  Similarly, government contractors will need to pay close attention to the forthcoming incentives and recommendations on security standards in acquisition planning and government contract administration.

Photo of Kate M. Growley, CIPP/G, CIPP/US

Just before the closing bell for 2012, the federal government gave its first approval for government-wide security authorization to a cloud service provider.  On December 26, the General Services Administration (GSA) certified its first cloud service provider under the Federal Risk and Authorization Management Program, more commonly known as FedRAMP.  The GSA expects last month’s authorization to pave the way for more in early 2013, with some anticipating as many as 10 to 15 authorizations over the course of the year.

In an effort to better implement the government’s “Cloud First” policy, the GSA collaborated with private industry and other executive agencies – including the NIST, DHS, and DOD – to standardize security requirements for federal cloud contractors.  Begun in June 2012, certification under the FedRAMP standards will become mandatory by the same month in 2014.

North Carolina-based Autonomic Resources has been the first cloud service provider to check all of FedRAMP’s boxes, but its journey to complete federal endorsement is not over.  Cloud service providers seeking FedRAMP approval must undergo a four-step application process.  Either a contractor or an agency may initiate a FedRAMP review.  Contractors must then retain a “third party assessor” (3PAO) to perform an independent assessment of whether the contractor’s security systems comply with Federal Information Security Management Act (FISMA) and NIST standards.  With a 3PAO’s security assessment package in hand, the contractor may then apply for provisional authorization from FedRAMP’s Joint Authorization Board (JAB), comprised of the Chief Information Officers (CIOs) from the DOD, DHS, and GSA.  This is the certification that FedRAMP has granted Autonomic Resources, but the key word is “provisional.”  The JAB “authorization to operate” (ATO) is but an initial endorsement of the contractor’s security controls and their acceptable risk.  Specific agencies are to then leverage this threshold approval to streamline their more tailored ATOs.  Although not formally a part of the application process, it is worth noting that, even after agency approval, the contractor must provide FedRAMP with continuous monitoring reports and various updates.

As the former federal CIO stated, the idea behind the FedRAMP process is “approve once, use often.”  This practice seeks to maximize transparency between cloud contractors and the federal agencies, while minimizing duplicative efforts.  The GSA expects the result to be a universal and trustworthy security authorization process that consumes less time and fewer taxpayer dollars.  Current GSA estimates predict that, with the help of the FedRAMP system, agencies will save approximately $200,000 per authorization.  Until the GSA ushers more prospective cloud contractors through the FedRAMP process, however, federal agencies will have to wait for such savings.  In the meantime though, nothing is preventing agencies from relying on FedRAMP guidelines to independently scrutinize the security of their contractors.

For more information about federal cloud computing and acquisitions, see