Incident Reporting Key to New Cybersecurity Rule
By now, most companies in the Defense Department supply chain know they were to implement a series of cybersecurity safeguards by no later than Dec. 31, 2017, in order to protect “covered defense information” from being stolen by foreign adversaries.
The duty arose from the mandatory clause at Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
The National Institute of Standards and Technology spelled out the measures that must be taken in Special Publication 800-171.
The regulation encompasses Defense Department prime contracts and flows down, without alteration, to all levels. Many companies, especially smaller and medium-size ones, are challenged to address the special publication’s 110 individual requirements.
Naturally, because of the deadline, many focus on the “front half” of the regulation — safeguarding — without much attention to the “other half” — incident reporting.
Defense contractors need to give incident reporting equal attention — and not simply because the obligation is present in the regulation.
The importance of reporting is best understood in the context of experience that led to this regulation. Over a period of many years, and in too many examples to recount, valuable defense-related technical data and contractor intellectual property has been “exfiltrated” from contractor information systems by acts of cyber espionage. The regulation, therefore, aims to improve contractor security and mitigate those risks.
The department defines a cyber incident as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”
Unauthorized access to sensitive but unclassified technical information dilutes national military capability, denies us the advantage of favorable technological asymmetries and enables our adversaries to copy accomplishments and impair missions.
But recent experience also teaches us that no network security is perfect. The new controls will make it harder for adversaries to reach and steal technical information and may limit the information taken. However, the possibility of a breach cannot be denied and will not be eliminated by this regulation.
This brings us to the second set of purposes of the regulation. It is important for the Defense Department to know what has been taken so that it can conduct a “damage assessment.”
The damage assessment has several purposes. It can determine the impact of compromised information on U.S. military capability underpinned by the technology. It can reveal how the compromised information may enable an adversary to counter, defeat or reverse engineer U.S. capabilities. It also focuses on the compromised intellectual property impacted by the cyber incident, not the compromise mechanism.
A special organization within the Office of the Secretary of Defense — the Joint Acquisition Protection and Exploitation Cell — has been created to integrate and coordinate analysis of adversary exploits that compromise covered defense information. The cell is a key recipient of contractor cyber incident reports, and to perform its assignment it needs incident reports that are timely, complete and, where possible, accompanied by access to compromised materials.
There are four components to the reporting obligation: the cyber incident report, to be furnished within 72 hours of discovery; submission of malicious software, if isolated; cooperation, should the department undertake a forensic investigation; and flowdown, to inform of breaches at any supply chain level.
Companies should review DFARS Procedures, Guidance and Information (PGI) 204.73. It shows that the department expects contractors to cooperate in the damage assessment. The government may assess the sufficiency of a contractor’s cyber measures. It may review the system security plan to evaluate “whether any of the controls were inadequate, or if any controls were not implemented at the time of the incident.”
Subcontractors are required to report directly to the department and to provide the DoD-assigned incident report number to their prime (or next higher-tier subcontractor) as soon as practicable. The regulation does not require subcontractors to provide the full incident report to their prime.
Companies subject to the regulation should not wait until after an incident has occurred to figure out what to do.
The special publication contains three discrete safeguards for incident response. These require companies to: establish an operational capability for incident response and prepare adequately; track, document and report incidents to appropriate authorities; and test the organizational response capability.
When there is “discovery” of a cyber incident, the affected contractor shall review its network for evidence of compromise, identify covered items that may have been affected, determine whether the incident affects its ability to provide “operationally critical support,” and rapidly report the incident directly to the Defense Department.
In addition to the “cyber incident report,” contractors are to submit malicious software, if detected and isolated; to preserve and protect images of affected information systems and relevant monitoring data for at least 90 days from submission of the report; and, if requested, to provide the department with access to the affected information systems for forensic analysis.
The report is to be filed within 72 hours of “discovery.” Apart from information about the affected company, the report is to include the contract numbers affected or potentially affected, the “impact to covered defense information,” the Defense Department programs, platforms or systems involved, the type of compromise (such as unauthorized access or unauthorized release), a description of the technique or method used in the attack, and the incident outcome.
The incident reporting obligation, and the department actions that follow it, are further examples of the difficult tension between security objectives and industry capability. National security considerations virtually demand improved protection of controlled technical information on contractor systems. Both contractors and the Defense Department need to know when and how attacks occur, and what information was compromised or put at risk.
In the cyber domain, speed matters: reports made even days after an event may be too late. Yet, considered carefully, the reporting requirements can be very difficult to satisfy for companies of all sizes, excepting perhaps the most sophisticated defense contractors.
There are many tough questions that every contractor has to answer to comply with the incident reporting obligations, such as: How is it determined whether there has been an “incident” that has an effect upon an information system and/or the information residing therein?
What constitutes “discovery” of a cyber incident and, in the course of event detection, assessment and response, when does “discovery” occur?
When is there a “compromise” to information or an information system, and can this occur where there is no evidence of exfiltration or unauthorized access?
How do contractors decide which of their “information systems” has been affected?
How is “malicious software” to be “detected and isolated”? Is this a capability companies must have ready before an adverse event, what tools are needed, and who bears the expense of isolating “malicious software” and preserving computing “media”?
Does the Defense Department decide unilaterally what is “necessary” access to additional information or equipment for forensic analysis, and will it pay the extraordinary costs?
What measures are contractors to use to make a “damage assessment” if required to deliver one to the contracting officer, and what documentation of incident reporting processes and plans should companies have in hand in advance of an event?
How are companies to determine which of multiple contracts have been or may have been impacted?
And finally, what methods are available to determine whether information that has been compromised is “covered defense information” and, if so, which of their categories were affected?
These and related questions may have already been well understood — and answered — by the top tier of defense contractors. For the great majority of the defense supply chain, however, there is no reason to assume the questions now are understood or resolved.
Similar observations may be made about Special Publication 800-171 as the basis of cyber safeguards which must be implemented by all defense contractors. Each of the 110 requirements is expressed in a single sentence. Read in isolation, most would agree that conceptually every one makes sense and describes measures that any prudent business would implement independent of regulations or contract requirements.
The “generality” of the requirements contributes to their “flexibility,” but also is the source of uncertainty. Many interpretations are possible and many approaches are plausible for each requirement. A range of security outcomes will result, even for companies similarly situated in the supply chain.
In the absence of any established reference for self-assessment, and without government resources to evaluate or approve contractor measures, requiring activities will doubt that their most critical information receives the protection it deserves. And contractors will worry that the department’s reviewers will find their security measures “inadequate” when an assessment follows a breach and cyber incident report.
Ostensibly, the regulation offers assurance to companies. It states that “a cyber incident that is reported by a contractor or subcontractor shall not, by itself, be interpreted as evidence that the contractor or subcontractor has failed to provide adequate security on their covered contractor information systems, or has otherwise failed to meet the requirements of the [-7012 Safeguarding] clause…”
The department needs to clarify that companies who make a timely report, in good faith, with as much information as is reasonably available, receive a “safe harbor” so that the cyber incident does not become the first in a series of steps leading to contract liability or other sanction.
Without such a policy, unfortunately, companies will delay decisions to report, decide not to report events in the “gray area,” and limit what they report — all consequences contrary to the prime objective of informed damage assessment following an information compromise.
More generally, the department needs to confront a fundamental problem. The universe of contractors subject to the regulations includes many companies — perhaps thousands — for whom compliance with security requirements will be costly and burdensome. And for some, if not many companies, preparation for incident reporting may be deferred as an expense necessary only if — not “when” — a breach occurs.
Still other companies will decide not to take the compliance risk or absorb the implementation costs necessary to satisfy the regulation. They will exit the defense industrial base — damaging supply chains and denying the department’s access to innovation.
On July 21, 2017, President Donald Trump issued Executive Order 13806, to promote U.S. sources and strengthen the U.S. manufacturing and defense industrial base. Care is needed to reconcile cyber defense and reporting obligations with near-term program performance objectives and important long-term industrial base goals.
The Defense Department must take a “holistic” view to security, because unreasonable or unaffordable demands in one area may have unacceptable results elsewhere.
Moreover, in the pursuit of cyber, supply chain and industrial security, it should embrace new strategies and methods. Specifically, it should promote greater use by its suppliers of the cloud for managed security services and treat commercial cloud as protected “enclaves” where necessary investment and specialized resources can be leveraged at scale.
The cloud is not a panacea. The department correctly has concerns about on-site security at the cloud client, and about the method of connection to the cloud. But, as more companies move from attempts to elevate “premises security” to place greater trust in qualified cloud providers, it is likely they will achieve superior security and possess better means to detect, report, respond and recover from adverse cyber events.
Goals common to the Defense Department and industry are affordable, practicable, expedient and effective improvements in enterprise security — and enhanced response and resilience when attacks do occur. Promoting greater use of the cloud may produce better results on “all counts” for all stakeholders — mitigating both breach risk and consequence.
Robert S. Metzger is a shareholder at the Rogers Joseph O’Donnell law corporation.