New Cyber Rules to Safeguard Supply Chain
The Defense Department supply chain is part of the nation’s critical infrastructure providing the DoD and its contractors with key materiel and services.
Ensuring the integrity and safety of that supply chain is an imperative that every government contractor must address. They must comply with their specific contract’s requirements, as well as applicable laws and regulations.
Increasingly, laws, regulations and contracts are incorporating requirements to comply with industry best practices and emerging standards to ensure supply chain integrity. For many years, the task of ensuring cybersecurity was deemed an individual effort by defense government contractors and there was little direction from the government, or even a baseline requirement, as to how defense contractors and their supply chains should ensure cybersecurity.
Times have changed and contractors now must take steps to ensure the cybersecurity of their systems.
In a newly revised final rule issued in October 2016, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, the government directs defense prime contractors and subcontractors that handle “covered defense information” generated, stored or transmitted on or through their systems to be fully compliant with the 110 security requirements specified in National Institute of Standards and Technology (NIST) Special Publication 800-171, or to affirmatively seek and obtain DoD chief information officer approval of their system if it does not precisely meet these requirements but is determined to provide comparable system security.
The implementation of the safeguards is only part of the requirements detailed in the newly revised provision. The rule also requires contractors to flow down and flow up reporting requirements in their subcontracts, or “similar contractual instruments,” that provide “operationally critical support,” or that provide “subcontract performance [that] will involve covered defense information, including subcontracts for commercial items, without alteration, except to identify the parties.”
Further, the final rule requires contractors to rapidly report to the Defense Department within 72 hours of a “cyber incident” and to preserve and provide related information and documentation.
Prime contractors and subcontractors bear the responsibility for: determining whether they have any contract or subcontract covered by the rule; identifying the systems and information that must be protected; and determining whether and to what extent their systems comply or need to be worked on to ensure they comply with the 110 security requirements.
They must rapidly report on and preserve appropriate data regarding any actual or suspected cyber incident relating to covered systems or data. They must also ensure that the subcontracts and cloud services employed for covered contracts and systems comply with these requirements.
The provision constitutes an unprecedented cybersecurity effort by the department to regulate the entire span of a contract’s supply chain. Precisely what constitutes “covered defense information,” and which contractor systems and services are covered by the new rule, is not clearly explained in the new rule, or in its referenced link to the Controlled Unclassified Information registry to be used to identify covered types of data. There is work that needs to be done to understand the new rule’s requirements and to ensure compliance moving forward.
The prospect of implementing 110 security requirements may sound daunting, and this is especially true for small and mid-size businesses that may lack the personnel or other assets needed for timely compliance. Indeed, even larger contractors have concerns about ensuring the readiness of their supply chains by the end of 2017. However, the government’s response to these concerns has not been sympathetic.
While the government will consider alternatives to the special publication, particularly where the nature of the contract allows for leeway, it has made clear its expectation that contractors and their supply chains will be compliant with the rule by the end of 2017. To date, it is uncertain if the new administration will make any changes to this policy or the implementing regulation. However, supply chain security has long been a concern and, given the history of cybersecurity challenges, it is unlikely the requirement will be eliminated.
Given the clear need for supply chain security, contractors seeking direction for compliance with the provisions should consider four general recommendations.
The first is to conduct a self-assessment. At the recent National Defense Industrial Association Cyber Division summit, a small business executive shared how his company implemented its compliance with the DFARS provision. An initial self-assessment figured prominently in the company’s decisions on what next steps to take toward compliance. Thus, the maxim “Know Thyself” could not be truer when complying with the DFARS provision.
Among various considerations, contractors must know the components of their computer network, the identity of their network users, the government contracts and information that the network serves, the relevant use of internet-of-things-capable assets and individual devices, and their current security protocols. The information gathered may immediately expose gaps in a company’s security, but, at minimum, it will lay a foundation for determining how to approach compliance.
To properly address supply chain concerns, contractors should also build into their self-assessment a consideration of subcontractor and vendor abilities and the kinds of information that they will be generating or otherwise handling. This supply chain assurance may be conducted in cooperation with subcontractors and vendors and/or through contractual provisions assigning duties as well as risk.
The second recommendation is to consider assistance from third-party experts. The need for ready-made cybersecurity expertise has created a cottage industry of companies whose purpose is to help protect systems from cyber attacks. Many of these companies have promised to make contractors compliant with the regulation by assisting with implementation of the NIST safeguards. With proper due diligence, contractors can use these cybersecurity companies to help assure compliance.
This option may be less onerous than cultivating the expertise internally, which can take a long time to obtain or develop and exposes companies to market competition for those employees. However, it’s important to note that taking steps to ensure compliance with the NIST safeguards is not all that is needed to address the provision. Contractors should also develop standard operating procedures for breach response and notification.
The procedures should take into consideration supply chain communication and adherence to cybersecurity norms to ensure awareness and best business practices. Contractors should also establish the composition and framework for a cyber response team to address the business, information technology, human resources, financial, contractual and other legal aspects of the requirements, and to liaise with the government for reporting purposes.
The cyber response team will enable contractors to formulate standard operating procedures and be in a position to quickly work to identify, analyze and take the required immediate action to address an actual or suspected problem. Procedures and the cyber response team will be critical components for responding in a crisis when, aside from DFARS requirements, a contractor must also worry about the proper handling of confidential information and potential legal repercussions.
Next, consider the cloud. When the final provision was issued in October, cloud service providers remarked that the DFARS presented a simple solution to the compliance problem faced by contractors: use their cloud services.
The provision allows the use of cloud services in two instances: First, for covered contractor systems that are part of an information technology service or system operated on behalf of the government where the cloud service is approved in accordance with DFARS 252.239-7010, Cloud Computing Services. Second, where the covered contractor system is not part of an IT service or system operated on behalf of the government, the contractor may use a cloud service to “store, process, or transmit any covered defense information” in performance of its contract.
However, the contractor must “require and ensure that the cloud service provider meets security requirements equivalent to those established by the government for the Federal Risk and Authorization Management Program” as well as the DFARS’ provisions for “cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”
It’s important to note that using an approved cloud service provider will not be a panacea. For example, controls for accessing cloud information must be considered. It is particularly important to address how controls will be handled for company personnel activities, supply chain, vendor and customer access, as these areas pose the risk that a bad actor might seek and obtain a backdoor to access covered defense information.
Also, as long as a contractor retains the individual capacity to store the information, that ability creates a vulnerability that must be identified and adequately protected. Indeed, the establishment of standard operating procedures and a cybersecurity response team, mentioned above, is important regardless of whether or how a company uses a cloud service provider.
Thus, if the company chooses to engage in a relationship with a cloud service provider, that relationship must be well defined and compliant with the DFARS provisions, and it must be supported by corporate procedures and a cybersecurity response team to ensure immediate responsiveness and proper handling of an actual or suspected breach event.
The final piece of advice is to form relationships. The importance of forming relationships with government entities and third parties before a breach occurs, to prevent the breach or better react to it, cannot be overstated. These relationships serve the crucial purpose of protecting contractors and/or providing stand-by support when needed.
Sharing threat information with supply chains can be crucial in this regard, but it must be done wisely. Several tools exist for implementing such sharing; they can stretch beyond supply chains.
Recently, the government facilitated the cultivation of relationships through the Cybersecurity Information Sharing Act of 2015, which provides incentives for private entities that share information — with each other or with the government — by creating safe harbors from liability, such as antitrust prosecution.
Other modes of government-facilitated sharing, such as information sharing analysis centers, which are critical infrastructure industry-based organizations, have existed for years. Although these modes of sharing may eventually become part of best business practices, requirements between contractors and their vetted supply chain might be considered to ensure that these types of important relationships are forged as a matter of course.
These are sophisticated relationships and can benefit government and industry, as well as the contractor. However, the contractor also can address relationships in a simpler fashion, such as knowing which cybersecurity company to call for a forensic analysis and how to protect the confidentiality of such analysis, or knowing a proper law enforcement unit to call when a breach occurs or an employee is suspected of stealing covered defense information.
The Defense Department’s implementation of the new DFARS provision will cause contractors to develop a heightened sense of awareness, both internally and throughout their supply chain, of potential weaknesses that may result in devastating breaches.
However, the road to compliance with the provision will not be easy, particularly as contractors go through the growing pains of implementing all 110 safeguards. Therefore, contractors should put together their plans now, and methodically engage in implementing them, so that when the end of the year arrives their companies are properly and competitively poised for performance under this tougher cybersecurity regime.
Susan Warshaw Ebner is a government contracts attorney and shareholder at Fortney Scott in Washington, D.C. Rolando R. Sanchez is a government contracts and white collar crime attorney in Washington, D.C.