Cybersecurity for Government Contractors
Presentation by Covington & Burling LLP
Confidential and Proprietary
Apr 21, 2017
The Cyber Paradigm
Cybersecurity is the No. 1 Concern of General Counsel and Directors
The Cyber Risk Paradigm
Cyber risks present real and present danger to business operations, costs, and, for some, continued viability
Cyber risks are a legal problem, an operational problem, and a governance problem – not simply a technological one
Corporate leaders have a fiduciary responsibility to understand and manage cyber risks
Leaders must bring together key components of the organization to develop joint ownership of risks and a comprehensive approach to cybersecurity
Threat: Actors and Motivations
Nation States – Gain an upper hand, perform low level attacks
Organized Criminals – Steal anything and everything for a profit
Hackers – Anything goes
Activists – Embarrass the target, damage their reputation
Insiders – Disgruntled employees, payments by competitors
Multiple Risks…
Attack Vectors
Impacts of Cyber Events
Loss of Competitiveness
• Trade secrets
• Patents
• Customer records
• M&A activities
Damaged Reputation
• Estimates from companies that have been breached have ranged from several million dollars up to $200 million.
• Average cost of remediating cyber exploitations is $10 million
Lost Productivity
• Forensics
• Vulnerability management
• Rebuild corrupted systems
Compliance breaches
• PCI DSS
• HIPAA
• NERC
• FISMA
• Privacy rules
Cyber ERM Defined
Cyber risk management: the methods and processes used to manage enterprise-wide cyber risks by identifying particular legal and technical vulnerabilities, assessing them in terms of their likelihood and their magnitude of impact, determining an appropriate response strategy, and implementing and evaluating that strategy.
Cyber ERM Benefits
Effectively measures corporate ability to manage all three types of risks
Links directly to assessment methodologies established by Chief Risk Officers to better inform board members and enable risk management and transfer
Gives corporate leadership confidence in execution of fiduciary responsibilities
Technical Aspects
Threat-to-Business-Risk Linkage
Business Risk
• Risk Description
• Use Case
• Impact
Linkage steps:
• Map Business Risk to IT Assets
• Determine Relevant Vulnerabilities
• Determine Threat Vectors
• Assess Likelihood of Successful Attack
• Evaluate Security Programs
• Assess Security Program Effectiveness
Threat Statement
• Vulnerability
• Threat Vector
• Likelihood
• Programs
• Program Effectiveness
Technical Issues
• National Cybersecurity Policy & Strategy development
• Integrated Cyberspace Operations
• Threat & Vulnerability Assessments
• Cyber Threat Intelligence Analysis & Tradecraft
• Incident Response
• Continuous Diagnostics & Threat Mitigation
• Research & Development
• Technology Evaluation & Integration
• Cyber Leadership and Skills Training
Technical Evolution
• Threat & Risk Identification & Assessment
• Strategy & Plans
• Implementation & Compliance
• Evaluation & Review
• Threat Monitoring & Update

• Scope
• Assessment
• Review
• Implementation
• Evaluation
• Continuous Improvement
The Role of Lawyers
Key Areas of Legal Issues
• Government Contracts
• Cybersecurity Compliance and Policy
• Insurance
• Labor & Employment
• Trade Secrets
• Privacy
Overview of the Federal Cybersecurity Landscape for Contractors
• No comprehensive federal data security law to date
• Numerous federal statutes, executive orders, regulations, and policies
• Hundreds of NIST standards
• NIST Framework
• Continuing gaps and vagueness regarding expectations of contractors
• Yet USG increasingly allocating risks to contractors
• State laws protecting
Federal Legal and Policy Framework Governing Contractors
• The Federal Information Security Management Act (“FISMA”)
• NDAA FY 2013 Reporting Requirements
• Executive Order 13556—“Controlled Unclassified Information”
• E.O. 13636 “Improving Critical Infrastructure Cybersecurity” and Presidential Policy Directive 21
• 300+ NIST Information Security Documents
• NIST Cybersecurity Framework
• Industrial Security Requirements – NISPOM
• DOD’s Defense Industrial Base Cyber Security/Information Assurance Program
• Export Control Laws
Compliance Requirements
• GSA and DOD Working Group Report, Improving Cybersecurity and Resilience through Acquisition
• Proposed FAR Rule on Basic Safeguarding of Contractor Information Systems
• DFARS Rule on Safeguarding DOD Unclassified Controlled Technical Information
• DOD’s Counterfeit Prevention Policy and DOD’s Proposed Rule for Electronic Parts
• Inconsistent Agency Cybersecurity Guidance
• Flowing Down Cybersecurity Requirements
• Safeguarding the Supply Chain
• Uneven and Unrecoverable Costs of Compliance
What is the NIST Cybersecurity Framework?
• E.O. 13636 mandated NIST establish a voluntary, risk-based framework to guide organizations in critical infrastructure sectors in the creation, assessment, and improvement of their cybersecurity programs.
• Framework is not directed at all organizations, and it is neither mandatory nor prescriptive.
• Framework is a useful methodology for organizing a program to identify, assess and respond to cyber threats, and for referencing other standards from NIST.
How is the Framework Structured?
Framework Core
Implementation Tiers
Framework Profile
Framework Core
Identifies five high-level cybersecurity functions organizations should be able to perform:
Framework Profile
Target Profile vs. Current Profile: comparing the two helps pinpoint gaps in existing cybersecurity posture, develop an action plan, and reduce overall risk
DFARS: Safeguarding UCTI – Quick Look
• Requirements Overview: a DoD contractor must (1) safeguard UCTI “resident on or transiting through” its information system; (2) report cyber incidents; and (3) assist DoD with damage assessments.
• Effective: November 18, 2013
• Applicability:
– Clause at DFARS 252.704-7012 included in all DoD solicitations/contracts.
– Clause only operable when UCTI “may be” present on a contractor’s information system.
– Clause’s substance must be flowed down to all subcontractors (even for commercial items).
• Source: DFARS 204.7300 et seq.; DFARS 252.704-7012; 78 Fed. Reg. 69,273.
What is UCTI?
• Controlled Technical Information - “technical information with military or space application . . . subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”
• Marked with a Distribution Statement in accordance with DoD Instruction 5230.24.
DFARS: Safeguarding UCTI – Safeguarding Requirements
• Must provide “adequate security” by either:
– implementing 51 specified security controls from NIST SP 800-53, OR
– providing a written explanation to the CO of why controls are not required or specifying an alternative
• Plus any other security measures that are reasonably necessary to provide adequate security.
– Addresses “willful blindness”
DFARS: Safeguarding UCTI – Reporting Requirements
• A cyber incident is “reportable” when it:
– involves unauthorized access to and possible exfiltration, manipulation, or other loss or compromise of any UCTI resident on or transiting through a Contractor’s, or its subcontractors’, unclassified information systems; and
– affects UCTI.
• Must report specific information via http://dibnet.dod.mil/ within 72 hours of discovery of any cyber incident that affects UCTI on contractor’s own or its subcontractors’ systems.
• “Inadvertent release” of data triggers the rule
DFARS: Safeguarding UCTI – Damage Assessment Assistance
Three steps: review network; review data accessed; preserve and protect
• ID compromised computers, servers, specific data, and user accounts
• ID specific UCTI associated with DoD programs, systems, or contracts
• For at least 90 days, preserve images of known affected IT systems and relevant capture/package data
• Obligation to share files exists, unless legally prohibited
Impact of Non-Compliance
• No specified penalties for non-compliance
• But also no safe harbor
– The CO must consider the cyber incident in the context of an “overall assessment” of the contractor’s compliance with the rule’s security requirements (Comment 30)
• DoD allowed to share information received from contractors with other agencies for law enforcement, counterintelligence, and national security purposes
– an exception that swallows the rule
Supply Chain Risks
• IT systems especially vulnerable to attack
• Congress has granted DoD, IC, and DOE “enhanced authority” to exclude contractors from procurements of National Security Systems when a contractor is deemed a supply chain risk
• Implemented through DFARS interim rule (Nov. 2013), IC Directive (Dec. 2013), and DOE regulations still to be promulgated
Scope of Authority
• Certain agencies have the power to:
– Exclude a source that fails to meet qualification standards for the purpose of reducing supply chain risk in the acquisition of covered systems;
– Exclude a source that fails to achieve an acceptable rating with regard to an evaluation factor in a solicitation; and
– Withhold consent for a contractor to subcontract with a particular source.
• Limited ability for contractors to challenge or even know the basis for exclusion
DoD/GSA Joint Report Recommendations
1. Institute baseline cybersecurity requirements as a condition for certain contract awards
2. Training and industry outreach
3. Developing common cybersecurity definitions
4. Instituting a Government-wide cybersecurity risk management strategy
5. Procure certain items solely from original equipment manufacturers (“OEM”), authorized resellers, or other trusted sources
6. Increase Government accountability
DoD/GSA Draft Implementation Plan
• On March 12, 2014, GSA issued an RFI seeking stakeholder input on implementing the Joint Report’s fourth recommendation, “instituting a Government-wide cybersecurity risk management strategy”
DoD/GSA Draft Implementation Plan Proposed Process
(1) Create categories encompassing similar items purchased by the Government
(2) Determine which categories present a cyber risk
(3) Prioritize those categories based on their perceived cyber risk
(4) Apply overlays to each category, which set the minimum security controls applicable to acquisition of items in that category
DoD/GSA Joint Working Group
Legal Risks from Non-Compliance
• Whether the Framework Constitutes a Standard of Care
• Directors’ Obligations to Shareholders
• Obligations Regarding Security Breach Reporting
• Default Terminations
• Past Performance Evaluations and Responsibility Determinations
• Administrative Suspensions and Debarments
• False Claims Act
Business Risks Beyond Compliance
• Loss of Intellectual Property
• Litigation Risk
– Threat of action by consumers and shareholders
– Range of potential theories of liability – e.g., breach of contract, common law torts (although obstacles to applying elements and proving damages)
• Contractual
– Data security requirements in business partner agreements, customer contracts
• Breach of Privacy
• Business/PR Risk
– Motivation for protecting information also is non-legal
Limited Backstops for Risk
• Untested Applicability of Government Contractor Defense
• No Limitation on Liability or Safe Harbors
• Indemnification for Contractor Losses
• Standard Insurance vs. Cyber Insurance
Questions