The rules governing the security of the information technology systems of contractors and the private sector are in a continual state of flux as the federal government struggles to get its arms around an ever-changing threat landscape.
The government has approached this challenge from many angles, with rulemaking and reporting by multiple agencies, particularly those with a greater stake in ensuring and enforcing an effective cyber security regime. Contractors need to stay abreast of the recent developments coming from these various quarters.
In February, the White House issued a voluntary cyber security framework to serve as a how-to guide for organizations that run the country’s critical infrastructure including those in the energy, oil and gas, telecommunications, drinking water, food production, public health, transportation and financial services sectors.
The framework is essentially a digestible distillation of existing National Institute of Standards and Technology cyber security standards, organized in three parts. The framework core provides a set of activities and guidelines for achieving specific cyber security outcomes. The framework implementation tiers are a set of four levels, each describing an organization's view of its cyber security risk and the degree of rigor and sophistication in the practices it uses to manage that risk. The framework profile enables an organization to establish a roadmap for reducing cyber security risk in alignment with organizational and sector goals.
The core describes five functions that an organization should perform to achieve the specific cyber security outcomes: identify, protect, detect, respond and recover.
Each function is further divided into categories and subcategories, with informative references to existing standards that guide activities within each function. An organization can compare its current cyber security practices with those outlined in the framework core to create its profile, and then examine the extent to which it meets the desired outcomes given its own risk profile.
The framework is voluntary, and it is too early to tell whether organizations will find it useful and adopt it. Many large or sophisticated organizations will likely find that the maturity of their existing practices already outpaces it. Small and medium-sized organizations, however, will likely find the framework a suitable starting point for developing their own practices.
A key deliverable mandated by the administration is a study and report conducted jointly by the Defense Department and the General Services Administration on aligning federal cyber security risk management with acquisition processes. The report, issued in January, found that when making purchasing decisions, federal agencies often de-prioritized cyber security relative to the many other, sometimes conflicting, procurement policy goals, most notably price.
The report urges agencies not to be penny-wise and pound-foolish when buying products and services, because adequate cyber security reduces the total cost of ownership in the long run. In other words, spending more money upfront on a product or service that incorporates greater protections will often save the agency from a far more costly data breach. Hence, the report advises agencies to incorporate specific practices into their acquisition procedures to ensure that cyber security receives sufficient consideration in procurement decisions.
To this end, the report made six recommendations.
First, agencies should institute baseline cyber security requirements as a condition of contract award for appropriate acquisitions. The report suggests that meeting the baseline would be an element of contractor responsibility, and that the federal government simply should not do business with a company that does not meet it. The report also recommends expressing the baseline in terms of technical requirements, in contrast with the processes defined in the framework, together with performance measures to ensure the baseline is maintained over the life of the contract.
Second, cyber security should be included in acquisition training. The report urges this training for both government procurement personnel and relevant contractor personnel, with well-defined training standards set out in the Federal Acquisition Regulation.
Third, the government should develop common cyber security definitions for federal acquisitions. The report recognizes the growing problems caused by inconsistent definitions across the FAR.
Fourth, the government should institute a federal acquisition cyber risk management strategy, one that identifies a hierarchy of risks for different types of acquisitions and applies cyber security procurement rules consistently to similar types of acquisitions.
Fifth, there should be a requirement to buy from original equipment manufacturers, their authorized resellers or other trusted sources. The report acknowledges that counterfeit parts entering the supply chain increase risk.
Lastly, there should be increased government accountability for cyber risk management. The report recommends incorporating cyber risk management into acquisition planning and contract administration.
The prudent contractor will see this report as a harbinger of greatly increased scrutiny of a contractor’s cyber security initiatives and will seek to stay ahead of any pending requirements.
The Defense Department adopted a new rule in November that mandates certain cyber security safeguards and reporting requirements for defense contractors. The rule itself is old news, but one element of it has caused some consternation among contractors and merits discussion.
The rule requires the reporting of any “cyber incident” within 72 hours of detection. “Cyber incident” is defined as “actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the technical information residing therein,” which suggests a consummated external intrusion or “hack” into a company’s network.
However, the actual reporting requirements suggest that an inadvertent release, which does not seem to be encompassed by the express definition of “cyber incident,” may also require a report. The reporting provisions also refer to possible cyber incidents, and include “possible exfiltration, manipulation or other loss or compromise” of covered information.
The tension between the definitions section and the reporting requirements has caused some confusion as to when a reporting obligation has been triggered. The best practice is to report any incident that could reasonably be construed as falling under the rule's definition. Indeed, the rule is clear that a properly reported cyber incident shall not by itself be construed as evidence that the contractor has failed to establish adequate cyber security safeguards.
Joe Reeder practices in Greenberg Traurig LLP’s contracts and litigation practice groups; Ryan Bradel practices in the firm’s government contracts practice group. The views expressed are solely theirs.