Click to edit Master title style

Transcription

1 Click to edit Master title style

2 Click The Big to edit Cyber Master Mystery: title What style Contracting Professionals Need to Know Breakout Third Session level # E-10 Eric Crusius, Esq. Counsel Miles & Stockbridge Date: July 28, 2015 Time: 2:30-3:34 1

3 Click The to edit Big Master Cyber Mystery title style Speaker Introduction Eric S. Crusius represents government contractors in bid protests and other litigation matters before the Court of Federal Claims, Government Accountability Office, boards of contract appeals and other Second federal agencies. level He counsels clients on a broad range of government contract issues, including the Service Contract Act (SCA) and Third other level labor issues, trade agreements, export controls, subcontracting Fourth and teaming level agreements, and compliance with the Federal Acquisition Regulation (FAR). Besides representing government contractors, Eric also represents corporations of all sizes in a variety of matters including intellectual property counseling and litigation (limited to trademark, copyright, and trade secret issues) and complex commercial litigation. Eric has lectured to industry groups, government agencies, and the American Bar Association. Eric has appeared on NPR, Fox News and Federal News Radio to comment on topics including labor issues, cybersecurity, sequestration, and strategies the Government employs when it buys products and services. 2

4 Click The to edit Big Master Cyber Mystery title style Agenda Threats: Click to Real edit Master and Constant text styles Another Top 10: The Top 10 Biggest Cybersecurity Myths Getting It» Out Fifth level of the Way: the OPM Breach New Regulations and Challenges: Practical Issues and Solutions Crystal Ball: What s Next? 3

5 Click to edit Master title style The Big Cyber Mystery Threats: Real and Constant Keith Alexander: the loss of industrial information Second level and intellectual property through Third cyber level espionage the greatest transfer of wealth in history. Tony Scott (federal gov t CIO): protections instituted by contractors were inconsistent and federal agencies failed to have proper contractual language, policy direction, or awareness as to how they should respond to breaches. 4

6 Click to edit Master title style The Big Cyber Mystery Threats: Real and Constant 67K cyber incidents on systems supporting federal Second government level in 2014 Of 24 Third agencies level reviewed by GAO, 23 were not cyber Fourth ready level VA failed its cybersecurity audit for the 16 th straight year (1.2m malware attempts in April) GAO: Healthcare.gov lacks proper cyber protections HBGary provides a cautionary tale (you will be hacked) 5

7 Click to edit Master title style The Big Cyber Mystery Threats: Real and Constant Source: Ponemon Institute 2015 Study 6

8 Click to edit Master title style The Big Cyber Mystery Threats: Real and Constant Source: Ponemon Institute 2015 Study 7

9 Click to edit Master title style The Big Cyber Mystery Threats: Real and Constant Where are companies spending money to respond Second to the level threat? 8

10 Click to edit Master title style The Big Cyber Mystery Threats: Real and Constant Phishing is on the rise: 23% of recipients open Second phishing level s and 11% open the attachments. Recent successful phishing episodes include a breach at the White House and a breach at the South Carolina state government. Phishing versus spear phishing 9

11 Click to edit Master title style The Big Cyber Mystery Threats: Real and Constant 10

12 Click to edit Master title style The Big Cyber Mystery Threats: Real and Constant 11

13 Click to edit Master title style The Big Cyber Mystery Threats: Real and Constant Cyberattacks have increase 48% globally over the Second past year level 99.9% Third of attacks level come more than a year after vulnerabilities Fourth are level known (Common Vulnerabilities» Fifth and level Exposures) Nation-states most frequently target oil and gas (11%), aerospace and defense (9%), technology (9%), and telecommunications (8%). There was a 64% jump in incidents from competitors and a rise from current and former employees. 12

14 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths 13

15 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Myth #10: Congress has to act before there are new cybersecurity regulations or contract requirements Truth: the» Federal Fifth level Information Security Management Act gives the executive branch all the justification it needs for cyber regs and requirements in the government contracting 14

16 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Myth #9: We know about all breaches that occur in real time Truth: Information about breaches may be withheld or even go undetected for a time or for eternity 15

17 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Source: 2015 Verizon Data Breach Report 16

18 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Myth #8: Contractors cannot be suspended or debarred for inadequate cybersecurity controls Truth: Inadequate cybersecurity controls can be a basis for lacking present responsibility. See FAR Part 9. 17

19 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Myth #7: There are no regulations requiring contractors to have cybersecurity controls Truth: As» we Fifth will level cover later, there are regulations and more on the way 18

20 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Myth #6: The bad guys are never caught Truth: The federal government has become more active in prosecuting bad cyber actors phishing scheme mastermind sentenced to three years 19

21 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Myth #5: My company is too small to matter Truth: Hackers usually try to infiltrate smaller businesses because they are seen as weaker links. 20

22 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths 21

23 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths 22

24 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Myth #4: Cybersecurity legislation is imminent. Truth: Cybersecurity legislation has been imminent for at least ten years 23

25 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Myth #3: There will be no government-wide cybersecurity certification. Truth: We» Fifth may level see a similar Fed Ramp-like certification. 24

26 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Myth #2: My employees are sufficiently educated about cybersecurity. Truth: Past» Fifth history level dictates that employees need constant reminders about cyber-risks.. 25

27 Click to edit Master title style The Big Cyber Mystery Top 10 Cybersecurity Myths Myth #1: Cybersecurity is just a fad. Truth: Cybersecurity is the new normal. 26

28 Click The to edit Big Master Cyber Mystery title style The OPM Breach The OPM Breach 27

29 Click The to edit Big Master Cyber Mystery title style The OPM Breach The OPM Breach Who is impacted? Third level 22.1 million people including government employees and contractor employees and their families. Included was James Comey FBI Director. What was stolen? Highly sensitive information including social security numbers, health records, criminal records and 1.1 million fingerprints. What are the consequences? Individuals information can be sold and there is a fear that the information can be used to out spies. Army blocked OPM 28

30 Click The to edit Big Master Cyber Mystery title style New Regulations The dizzying array of regulations Click to edit Master text styles Commerce DHS Second level Education Energy GSA HHS HUD NASA State Transportation VA and of course DoD 29

31 Click The to edit Big Master Cyber Mystery title style New Regulations DFARS and clause : Highlights: Applies to Unclassified Controlled Technical Information; Must be inserted into every DoD contract: no exemption for small businesses and commercial buys; Establishes minimum security controls for safeguarding Unclassified Controlled Technical Information; and Requires disclosure to DoD within 72 hours of breach no safe harbor. 30

32 Click The to edit Big Master Cyber Mystery title style New Regulations What is Unclassified Controlled Technical Information? Controlled Third Technical level Information is: Controlled technical information means technical information with military or space application that is subject to controls on the access, use,» Fifth reproduction, level modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B- through-f, in accordance with DoD Instruction , Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions. Let s go down the wormhole... 31

33 Click The to edit Big Master Cyber Mystery title style New Regulations What is DoD Instruction ? Gives Click instruction to edit on how Master classified text and unclassified styles technical information is marked and disseminated. Term documents is encompassing. What are the Third instructions? level B: Distribution Fourth authorized level to U.S. Government agencies only (fill in reason[/date])... Reasons include export controlled & critical technology. C: Distribution authorized to U.S. Government agencies and their contractors (fill in reason[/date])... Can include classified or unclassified tech docs. D: Distribution authorized to the Department of Defense and U.S. DoD contractors only (fill in reason[/date])... Can include classified or unclassified tech docs. E: Distribution authorized to DoD Components only (fill in reason[/date])... F: Further dissemination only as directed by [insert DoD 32 office and date] or higher DoD authority.

34 Click The to edit Big Master Cyber Mystery title style New Regulations 33

35 Click The to edit Big Master Cyber Mystery title style New Regulations What is technical information? Technical information means technical data or computer Third software, level as those terms are defined in the clause at Fourth DFARS level , Rights in Technical Data-Non Commercial Items, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer 34 software executable code and source code.

36 Click The to edit Big Master Cyber Mystery title style New Regulations Requirement #1: Safeguarding of Unclassified Controlled Click to Technical edit Master Information: text styles Utilizes NIST for minimum security controls Third and points level out more than 50 separate requirements Fourth in the level following areas: Access control,» Fifth awareness level and training, Audit & Accountability, Configuration Management, Contingency Planning, Identification and Authorization, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Program Management, Risk Assessment, System & Comm Protection, System & Information Integrity. 35

37 Click The to edit Big Master Cyber Mystery title style New Regulations Requirement #1: Safeguarding of Unclassified Controlled Click to Technical edit Master Information: text styles Utilizes NIST for minimum security controls Third and points level out more than 50 separate requirements Fourth in the level following areas: Access control,» Fifth awareness level and training, Audit & Accountability, Configuration Management, Contingency Planning, Identification and Authorization, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Program Management, Risk Assessment, System & Comm Protection, System & Information Integrity. 36

38 Click The to edit Big Master Cyber Mystery title style New Regulations 37

39 Click The to edit Big Master Cyber Mystery title style New Regulations Some of the 50+ Requirements: AT-2: Contractor must provide security awareness training. CM-7: Configuration of the system provides only essential Second capabilities. level IA-5(1): Requirement regarding passwords encryption, type, etc. IR-2: The organization provides incident response training. PE-2: Maintains list of individuals with physical access to facility where information systems resides. PE-3: Maintains physical access logs, escorts visitors and monitors visitor activity. RA-5: Scans for vulnerabilities. SC-4: Prevents unauthorized transfer of information using shared system resources. SC-28 (and others): Requires encryption of information. SI-4: Monitor system to detect attacks and potential attacks. 38

40 Click The to edit Big Master Cyber Mystery title style New Regulations If the NIST security controls are not used, contractor must provide a written explanation how it is not applicable or an alternate control achieves equivalent Second protection. level Must report Third cyber level incidents to within 72 hours Fourth and level include 13 pieces of information in» Fifth any level report including: DoD programs, platforms or systems involved; Location and type of compromise; Description of technical information compromised. Cyber incidents include unauthorized access or loss of information. Contractor must support DoD investigative efforts and keep information for 90 days (affected information systems). 39

41 Click The to edit Big Master Cyber Mystery title style New Regulations Important notes from the comments: 40

42 Click The to edit Big Master Cyber Mystery title style New Regulations NIST Click Releases to edit the Master Framework text (3 parts): styles The Framework Core is designed to help organizations identify, at a 30,000 foot level, the management Fourth of cybersecurity level risk. It does so by identifying five» Fifth concurrent level and continuous Functions Identify, Protect, Detect, Respond, Recover. The Framework Core next pinpoints Categories and Subcategories for of the identified Functions and matches them with existing standards. 41

43 Click The to edit Big Master Cyber Mystery title style New Regulations NIST Click Releases to edit the Master Framework text (3 parts): styles Framework Implementation Tiers, is essentially an exercise Third that allows level an organization to characterize its cybersecurity Fourth risk level management practices. There are four» Tiers: Fifth level Partial, Risk Informed, Repeatable, and Adaptive. Organizations that find themselves in the Partial tier generally do not have formalized or written cybersecurity policies and have little understanding of the cybersecurity risks facing them. On the other hand, organizations in the Adaptive tier have robust and organization-wide risk management practices. 42

44 Click The to edit Big Master Cyber Mystery title style New Regulations NIST Click Releases to edit the Master Framework text (3 parts): styles Framework Profile allows an organization to align the Functions, Categories, and Subcategories with the business Fourth requirements, level risk tolerance, and resources of the» Fifth organization. level Organizations can create profiles, using the Framework Profile as a guide, to characterize one component of their business or their entire business and consider the current state of their cybersecurity readiness versus a target or aspirational state. 43

45 Click The to edit Big Master Cyber Mystery title style New Regulations FITARA The Federal IT Acquisition Reform Act Requires CIOs to be involved in IT acquisition, budgeting, Third and level hiring Final regulations issued June 10 Self assessment and implementation plan due August 15 Baseline requirements must be met by December 31 44

46 Click The to edit Big Master Cyber Mystery title style New Regulations 45

47 Click The to edit Big Master Cyber Mystery title style New Regulations FITARA The Federal IT Acquisition Reform Act How is cybersecurity impacted? Federal CIO Tony Scott said: Third While level there's nothing specific in FITARA about cybersecurity, this is going to be one of the great benefits of FITARA: a greatly improved cybersecurity posture [t]he very first thing in cybersecurity is understanding what's of value and being very clear about that Once you understand what's of value and you figure out a management strategy of how to protect it, that's the beginning step in having an effective cyber strategy. Source: Federal Times 46

48 Click The to edit Big Master Cyber Mystery title style New Regulations DOJ Creates Best Practices Outlines steps to be taken pre-attack and postattack. Includes a checklist. May be used as basis for liability. 47

49 Click The to edit Big Master Cyber Mystery title style New Regulations DOD and GSA Release Joint Guidance Institute cybersecurity requirements as condition of contract Third award level Conduct cybersecurity training Develop common cybersecurity definitions Institute a cyber risk management strategy Require purchases from OEM, authorized resellers or trusted sources Increase government accountability 48

50 Click The to edit Big Master Cyber Mystery title style Crystal Ball Crystal Ball-What s Next??? Contractors will have to pay close attention to cybersecurity compliance (see USIS) Agencies will come under closer scrutiny Legislation is rushing to the forefront and more regulations are coming. 49

51 Click Contact to edit Information Master title style Eric Crusius Miles & Stockbridge Second level 50