New Cyber Rules. Are You Ready? Bob Metzger, RJO; Dave Drabkin, DHG; Tom Tollerton, DHG. Issues in Focus Webinar Series.


1 New Cyber Rules: Are You Ready? Bob Metzger, RJO; Dave Drabkin, DHG; Tom Tollerton, DHG. Issues in Focus Webinar Series.

2 Speaker Information. Robert S. Metzger, Rogers Joseph O'Donnell PC, Rmetzger@rjo.com. This presentation reflects Mr. Metzger's personal views and should not be attributed to any client of his firm or organization with which he is involved or affiliated. Dave Drabkin, Director, Dixon Hughes Goodman LLP, dave.drabkin@dhgllp.com. Tom Tollerton, Manager, Dixon Hughes Goodman LLP, tom.tollerton@dhgllp.com.

3 The Basic Proposition. The Federal Government has valid and important reasons to protect sensitive but unclassified information when it is shared with non-federal entities. DoD's interests are paramount but not exclusive, as other federal agencies share this objective. DoD and civilian agencies are using regulations and acquisition authority to require federal contractors to improve the cybersecurity of information systems that host any form of Controlled Unclassified Information (CUI). What should contractors do to prepare, respond and comply?

4 Domains of Contractor Cyber Risk (diagram). Three domains surround the contractor (YOU): On-Premises Information Systems; Cloud (On or Off Premises); Supply Chain. Rogers Joseph O'Donnell. All Rights Reserved.

5 Roles & Missions & Vector to Contractors (diagram). Federal responsibilities:
OMB: sets federal acquisition policy
NARA: defines and categorizes the varieties of CUI and establishes workable guidelines & mechanisms
NIST: security controls and practices for adoption
DoD: lead agency for contract requirements
DHS: key agency for reporting and infrastructure
GSA: prominent role in developing the general FAR rule
Vector to contractors: Agency Contracts, Acquisition Methods, Solicitation Requirements, Contract Terms & Conditions, Prime Contractor, Flowdown, Supply Chain. Contractors become subject to cyber security obligations as these are imposed by solicitation requirement and contract term.

6 Key Federal Cyber Actions. NIST issued cyber safeguards (Special Publication) in June 2015 to protect CUI in non-federal information systems. DoD issued the Network Penetration DFARS in Aug. and Dec. 2015, and these were revised on Oct. 21, 2016. Federal civilian agencies issued a new FAR Basic Safeguarding clause, effective June 15, 2016, requiring all contractors to protect Federal Contract Information on information systems. NARA issued the Final Rule on Controlled Unclassified Information (CUI) on Sep. 14, 2016. A general FAR rule is in development that will obligate all federal agencies to require cyber protection of CUI, per the SP, in all contracts and agreements. Expect this Rule to be final in

7 Safeguarding CUI: The Basic Policy. Policy: "All unclassified information throughout the executive branch that requires any safeguarding or dissemination control is CUI. Law, regulation (to include this part), or Government-wide policy must require or permit such controls." Safeguards include physical and cyber protection; cyber includes both information and information systems. FISMA (40 U.S.C.) dictates that federal agencies protect the confidentiality, availability and integrity of CUI. These standards apply to CUI on federal information systems operated by or on behalf of the federal government. The Final CUI Rule applies NIST SP to CUI provided to non-executive branch entities, e.g., private organizations. "When the Government provides controlled information to a non-executive branch entity, sometimes pursuant to a contract or other agreement, it does not make sense for the protection requirements to disappear or lessen just because the Government has shared the information. In fact, the protection requirements do not disappear or lessen." CUI Final Rule, 81 Fed. Reg.

8 What Information Must Be Protected? CDI and CUI

9 Categories of Controlled Unclassified Information. NARA Proposed Rule: Controlled Unclassified Information, 32 CFR Part 2002, 80 Fed. Reg. (May 8, 2015). NARA's CUI Registry (tegory-list.html) identified 23 Categories and 82 Subcategories of CUI.
Who has access to CUI? Federal contractors; State & Local governments; State & Local contractors; Tribal governments; Colleges & Universities; Interstate Organizations; NGOs; Foreign governments.
CUI categories (number of subcategories in parentheses): Agriculture; Controlled Technical Information; Critical Infrastructure (7); Emergency Management; Export Control (1); Financial (8); Foreign Government Information; Geodetic Product Information; Immigration (7); Information Systems Vulnerability; Intelligence (5); Law Enforcement (15); Legal (11); NATO (2); Nuclear (5); Patent (3); Privacy (8); Procurement & Acquisition (2); Proprietary Business (3); SAFETY Act Information; Statistical (3); Tax (1); Transportation (2).
"CUI categories and subcategories are those types of information for which laws, regulations, or Government-wide policies require safeguarding or dissemination controls." Proposed 32 C.F.R. (Definitions). NARA estimates that 300,000 contractors & grantees hold Controlled Unclassified Information.

10 The Final CUI Rule. Sep. 14, 2016: NARA Final Rule (Controlled Unclassified Information). All agencies are obligated to protect CUI, including CUI held by non-federal entities. 32 CFR explains that the CUI rule (including its safeguards) applies through incorporation into agreements. 32 CFR (h)(2) provides that agencies may not treat non-federal information systems as though they are agency systems, but agencies must use NIST SP to protect the confidentiality of CUI on non-federal information systems (unless there are different legal requirements or higher standards by agreement). "The [CUI] rule now says that it applies only to executive branch agencies, but that, in written agreements (including contracts, grants, licenses, certificates, and other agreements) that involve CUI, agencies must include provisions that require the non-executive branch entity to handle the CUI in accordance with this rule, the Order, and the CUI Registry." Controlled Unclassified Information (Final Rule), 81 Fed. Reg. "(gg) Non-executive branch entity is a person or organization established, operated, and controlled by individual(s) acting outside the scope of any official capacity as officers, employees, or agents of the executive branch of the Federal Government. Such entities may include: elements of the legislative or judicial branches of the Federal Government; state, interstate, tribal, or local government elements; and private organizations." CUI Final Rule, at (gg).

11 The CUI Agreement. "(5) Agreements. Agencies should enter into agreements with any non-executive branch or foreign entity with which the agency shares or intends to share CUI, as follows (except as provided in paragraph (a)(7) of this section): (i) Information-sharing agreements. When agencies intend to share CUI with a non-executive branch entity, they should enter into a formal agreement (see (c) for more information on agreements), whenever feasible. Such an agreement may take any form the agency head approves, but when established, it must include a requirement to comply with Executive Order 13556, Controlled Unclassified Information, November 4, 2010 (3 CFR, 2011 Comp., p. 267) or any successor order (the Order), this part, and the CUI Registry." CUI Final Rule, at (a)(5)(i). "(6) Agreement content. At a minimum, agreements with non-executive branch entities must include provisions that state: (i) Non-executive branch entities must handle CUI in accordance with the Order, this part, and the CUI Registry; (ii) Misuse of CUI is subject to penalties established in applicable laws, regulations, or Government-wide policies; and (iii) The non-executive branch entity must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency's SAO. When the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency." CUI Final Rule, at (a)(6). Reaction of non-executive branch entities? Not yet known. Very likely, the import of the CUI rule is not widely understood. And today the rule anticipates controls by agreement that as yet are not implemented by many (any?) federal civilian agencies. Consider: the CUI rule seeks to impose on 300,000 or more recipients essentially the same safeguards as DoD does in the Net. Pen. DFARS.

12 Categories of Controlled Unclassified Information: Covered Defense Information. DFARS Definitions.
Revised Oct. 21, 2016: "Covered defense information means unclassified controlled technical information or other information as described in the Controlled Unclassified Information (CUI) Registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract."
Now superseded Aug. 2015 definition of CDI: "Covered defense information means unclassified information that (1) Is (i) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or (ii) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and (2) Falls in any of the following categories: (i) Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions. (ii) Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process). (iii) Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations, and munitions list; license applications; and sensitive nuclear technology information. (iv) Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information)."

13 How Must CUI & CDI Be Protected? NIST SP

14 NIST SP: Introduction. The SP treats all CUI as having Moderate Impact under FIPS-199. It uses 14 of the 17 security families of FIPS-200 to focus on the confidentiality of information (not integrity or availability). 109 safeguards are stated by the SP; each is one sentence long. NARA intends that the SP safeguards apply to any non-federal entity that hosts, uses or transmits any form of CUI. Only DoD now imposes this obligation generally. The SP explicitly recognizes commercial use of non-federal methods. The safeguards are performance objectives, not prescriptive. Contractors whose systems already satisfy the NIST SP written for federal information systems should exceed the requirements of the SP for CUI. Separation into domains may be problematic. The Oct. 21 DFARS revision requires cloud security "equivalent" to FedRAMP Moderate (plus reporting, preservation, access, etc.). What might be "equivalent" is unknown. The SP does not address commercial cloud as such.

15 NIST SP: 14 Families, 109/*110 Controls. The SP describes 30 basic and 79 derived security requirements. Basic requirements track to the control families in FIPS-200; derived requirements reflect NIST SP rev4. Families (basic/derived):
Access Control (2/20)
Awareness & Training (2/1)
Audit & Accountability (2/7)
Configuration Management (2/7)
Identification & Authentication (2/9)
Incident Response (2/1)
Maintenance (2/4)
Media Protection (3/6)
Personnel Security (2/0)
Physical Protection (2/4)
Risk Assessment (1/2)
Security Assessment (3 [*4]/0)
Systems & Communications Protection (2/14)
System & Information Integrity (3/4)
The SP relies on self-assessment and self-attestation. It does not (now) require submission of a System Security Plan (SSP) and has no mechanism for third-party authorization or accreditation, or for government review or approval. The Network Penetration DFARS requires that the DoD CIO adjudicate offeror requests to vary from the SP prior to contract award. * NIST has issued proposed Rev. 1 to the SP that adds an SSP and Plan of Action and Milestones (POAM). DoD can require these.

16 A Comparative Example. NIST SP r4, Family: Incident Response: 9 pages of controls & enhancements. NIST SP, Incident Response. Basic Security Requirements: Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. Derived Security Requirement: Test the organizational incident response capability. Compare the Basic Safeguarding FAR control: Identify, report, and correct information and information system flaws in a timely manner. FAR (b)(xii).

17 The Network Penetration DFARS

18 -7008 Compliance Clause. Security requirements of NIST SP must be implemented for all covered defense information on all covered contractor information systems that support the performance of this contract. By submission of an offer, the contractor commits to implement the requirements of the SP no later than Dec. 31, 2017. "If the Offeror proposes to vary from any of the security requirements specified by NIST SP that are in effect at the time the solicitation is issued or as authorized by the Contracting Officer, the Offeror shall submit to the Contracting Officer, for consideration by the DoD Chief Information Officer (CIO), a written explanation of (A) Why a particular security requirement is not applicable; or (B) How an alternative but equally effective security measure is used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection. (ii) An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST SP requirements in writing prior to contract award. Any accepted variance from NIST SP shall be incorporated into the resulting contract."

19 -7012 Safeguarding Clause. The clause requires "adequate security" on all covered contractor information systems and requires prompt (72-hour) cyber incident reporting. "Adequate security means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information." For contractor systems not operated on behalf of the Government, at a minimum the contractor shall: "(1)(A) Implement the security requirements in NIST SP as soon as practical, but not later than December 31, 2017. The Contractor shall notify the DoD CIO within 30 days of contract award, of any security requirements specified by NIST SP not implemented at the time of contract award; or (B) Submit requests to vary from NIST SP in writing to the Contracting Officer, for consideration by the DoD CIO. The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place. (2) Apply other security measures when the Contractor reasonably determines that such measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability. These measures may be addressed in a system security plan."

20 -7012 Cyber Incident Reporting. "(c) Cyber incident reporting requirement. (1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the Contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall (i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor's network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor's ability to provide operationally critical support; and (ii) Rapidly report cyber incidents to DoD. (2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at ***. (d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer. (e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest. (f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis."

21 How Will Industry React? DoD was surprised at the negative industry reaction to the Network Penetration DFARS. They figured it was a follow-on to the 2013 UCTI Rule and that the substitution of the new NIST SP for the earlier SP would be seen as making industry's job easier, notwithstanding the greater number of controls. DoD did not anticipate that contractors would react to the Aug. 2015 DFARS with alarm that they (and their subcontractors) would be held to new cyber safeguards that many in the defense supply chain did not understand and had not prepared for. As a result, by action on Dec. 30, 2015, DoD blinked and postponed compliance to Dec. 31, 2017. Contractor response to the Oct. 21, 2016 DFARS revision is to be determined. Very likely, the reaction will be negative among many segments of the defense supply chain, who will not understand the requirements or know how to proceed.

22 The Basic Safeguarding FAR

23 Federal Contract Information (FCI). What is Federal contract information? FCI is defined very broadly as non-public information that is provided for or generated for the government (all agencies) under a contract to develop or deliver a product or service to the government. It does not include information made available by the Government to the public or simple transactional information, such as that necessary to process payments. FAR (a). "Information" also is defined broadly, to include any communication or representation of knowledge such as facts, data, or opinions, in any medium or form. FAR; (a). What is protected? The new FAR protects information systems rather than carefully defined information types. If a contractor processes, stores or transmits any FCI, its information system becomes covered by the Rule and subject to the minimum enumerated safeguards. FAR; (a), (b). Where a contractor information system hosts FCI and other, non-federal information, the rule applies to the whole system. 81 Fed. Reg. Who is subject to the FAR? The Basic Safeguarding rule applies to all acquisitions (including commercial items other than COTS) when a contractor's information system may contain FCI; the FAR contract clause is to be inserted when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system. FAR.

24 Federal Contract Information (FCI). How is protection achieved? The federal government has a surfeit of cyber controls. Those designed for federal information systems, e.g., NIST SP, are too costly and burdensome to impose on contractors to protect FCI. Instead, the new rule calls out 15 safeguards, each derived from the SP (next slide). How will industry respond? The Network Penetration DFARS met with strong industry resistance because of uncertainty over costs and how to comply. The Basic Safeguarding Rule applies to many more contracting actions, contracts and contractors and undoubtedly will surprise (and may alarm) some. The FAR invokes only 15 cyber safeguards, and these are stated as performance standards (goals). The Rule presumes these safeguards are consistent with prudent business practices. Even so, some companies will object to perceived federal interference and cyber mandates. Are there problems with the Basic Safeguarding Rule? Yes. The Rule seeks to apply simple security propositions to a highly complex subject and diverse business circumstances. There are drafting issues that will surface as more and different companies confront the compliance obligations that are now imposed. Is this Rule important? While self-described as "just one step in a series of coordinated regulatory actions being taken or planned," it reflects a government decision to use its regulatory power and acquisition authority to mandate minimum cyber defenses for all private companies that do government business.

25 Controls of the Basic Safeguarding FAR. Access controls dominate the Basic Safeguarding Rule.
(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

26 Compliance with the New Federal Cyber Requirements

27 Cyber Compliance: Overview. Special attention is required to address small business compliance.

28 Cyber Compliance: Obligations. The Network Penetration DFARS applies to 10,000 contractors in the DoD supply chain. Of these, about 1,200 are CAS-covered. Primes who take contracts subject to the DFARS are responsible to flow down the clause, without variation, and can be held accountable should a supplier fail to protect information. The DFARS are not accompanied by any means for DoD assessment or authorization. However, the DFARS include an obligation, effective upon receipt of a contract with the -7012 clause, that contractors provide notice of a cyber incident within 72 hours of detection. If there is a major event, accompanied by loss or compromise of Covered Defense Information, DoD must be informed (above) and very likely will at least review, if not investigate, the loss. Often, the FBI participates in the forensic analysis after a breach. In the course of such an investigation, federal officials can be expected to assess the nature of the vulnerability and the security measures of the affected company. The DFARS does not require full compliance with the SP until Dec. 31, 2017. However: the obligation to provide "adequate security" is present, from the clause, immediately upon acceptance of a contract with the clause; and companies must advise DoD within 30 days of their fit/gap against the SP requirements. NIST has proposed Revision 1 to the SP that would add a requirement that companies prepare a System Security Plan (SSP) and Plan of Action and Milestones (POAM) that may be requested by Contracting Officers.

29 Cyber Compliance: Scenarios. A breach occurs at a company with CDI that has DoD contracts subject to the DFARS. National interests may be affected by the loss of confidentiality of CDI; information encompassed within CDI implicates important government interests; some of the information types can be subject to other federal protections (e.g., PII, HIPAA). Investigators will seek an explanation of the company's security practices: they will ask for documentation of security practices at the time of the event; they may ask for the fit/gap report against the SP requirements; they may find additional cyber requirements in other federal contracts. They may recommend action against a company should they find:
no system security measures in place, notwithstanding the DFARS requirement of "adequate security";
failure to take security measures sufficient to be "adequate" (post-hoc review);
failure to timely perform and provide the fit/gap analysis as required by the DFARS;
lack of ability to detect a cyber breach, and therefore no notification within 72 hours;
failure to take necessary, timely actions to close vulnerabilities identified in the fit/gap analysis.
On such facts, the Government could (i) seek damages for identifiable loss caused by the breach; (ii) terminate for default; (iii) exclude the contractor from future awards (non-responsibility); (iv) cite poor cyber hygiene in a performance review; (v) upon a material misrepresentation, bring an action under the False Claims Act for reckless disregard of the Net Pen DFARS and the SP.

30 Cyber Compliance: 10 Responsive Measures. In light of the new requirements and risks, prudent defense contractors should promptly:
① identify where they host, transmit or use CDI subject to Net Pen DFARS obligations;
② act as necessary to isolate CDI into domains configured for the required NIST safeguards;
③ conduct a fit/gap assessment to compare existing security to the SP requirements;
④ report fit/gap results to the DoD CIO within 30 days of subject contract award;
⑤ document the system security assessment, and prepare and document an SSP and POAM;
⑥ provide notification or seek instruction, where appropriate, from the PA, COs and/or CIO;
⑦ establish means to monitor system security, and to test for and respond to vulnerabilities;
⑧ confirm the ability to detect and give timely notice of any cyber breach, and exercise it;
⑨ review supply chain distribution of CDI and act to flow down CDI safeguard requirements; and
⑩ consider independent third-party review for compliance and security.
Companies should consider a risk-based analysis of their vulnerability to attack and compliance exposure. It may be appropriate to engage third-party resources to evaluate alternative enterprise strategies, e.g., cloud-based security, or to implement technical methods to enhance security such as advanced Identity and Access Management (IAM) and Information Rights Management (IRM). Counsel and consultants can advise on requirements, identify compliance risks, assess solutions, help with supply chain compliance and represent the company in dealings with the Government.

31 Taxonomy
CUI: Controlled Unclassified Information
CDI: Covered Defense Information
DFARS: Defense Federal Acquisition Regulation Supplement
FAR: Federal Acquisition Regulation
FCI: Federal Contract Information
FIPS: Federal Information Processing Standards
FISMA: Federal Information Security Modernization Act
GSA: General Services Administration
NARA: National Archives & Records Administration
NIST: National Institute of Standards & Technology
OMB: Office of Management and Budget
OPM: Office of Personnel Management

32 Chronology of Cyber/Supply Chain Initiatives
March 3, 2010: Advance Notice of Proposed Rulemaking, Basic Safeguarding of Contractor Information Systems
November 4, 2010: Executive Order 13556, Controlled Unclassified Information
August 24, 2012: Proposed Rule, Basic Safeguarding of Contractor Information Systems
February 2013: Executive Order 13636, Improving Critical Infrastructure Cybersecurity
November 18, 2013: Interim Rule, DFARS Supply Chain Risk (Sec. 806, NDAA FY 2011)
November 18, 2013: Final Rule, Safeguarding Unclassified Controlled Technical Information
February 12, 2014: Framework for Improving Critical Infrastructure Cybersecurity
May 6, 2014: Final Rule, Detection and Avoidance of Counterfeit Electronic Parts
May 8, 2015: NARA Proposed Rule, Controlled Unclassified Information
June 19, 2015: NIST SP, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Final)
August 11, 2015: OMB draft Guidance, Improving Cybersecurity Protections in Federal Acquisitions
August 26, 2015: Interim Rule, DFARS Network Penetration Reporting and Contracting for Cloud Services
September 21, 2015: Proposed Rule, Detection and Avoidance of Counterfeit Electronic Parts, Further Implementation (deletes embedded software from definition)
October 8, 2015: DoD Class Deviation, Multifactor authentication (local/network access), 9 months
October 30, 2015: Final Rule, Requirements Relating to Supply Chain Risk (Sec. 806, NDAA FY 2011)
October 30, 2015: OMB Memorandum, Cybersecurity Strategy and Implementation Plan (CSIP)
November 2015: President Obama signs NDAA FY 2016 (includes cyber risk assessment)
December 18, 2015: Cybersecurity Information Sharing Act (CISA) signed into law
December 30, 2015: Amended Interim Rule, Network Penetration (defers cyber obligation to 12/31/2017)
May 16, 2016: Final Rule, Basic Safeguarding of Contractor Information Systems (81 Fed. Reg.)
Aug. 16, 2016: Proposed Rev. 1 to NIST SP
Sep. 14, 2016: Final Rule, Controlled Unclassified Information (81 Fed. Reg.)
Oct. 21, 2016: Final Rule, Network Penetration Reporting and Contracting for Cloud Services (81 Fed. Reg.)

33 Links to Key Federal Actions
o EO 13636 (Feb. 2013)
o DoD UCTI Rule (Nov. 2013)
o NARA Proposed Rule: Controlled Unclassified Information (May 2015)
o NIST SP (June 2015)
o OMB Draft Acquisition Guidance (Sep. 2015)
o Cybersecurity Information Sharing Act of 2015 (CISA) (Dec. 18, 2015) (p. 694)
o DoD Network Penetration Rule (Aug. 26, 2015; Dec. 30, 2015)
o FAR Basic Safeguarding Rule (May 2016)
o OMB Circular A-130 (July 2016)
o Rev. 1 to NIST SP (Aug. 2016)
o Final Rule, Network Penetration Reporting and Contracting for Cloud Services (Oct. 21, 2016)
o Proposed Rule, Withholding of Unclassified Technical Data and Technology from Public Disclosure (Oct. 31, 2016)
33

34 Questions... 34

35 Join Us Next Time: December 14th - Issues in Focus 35


More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such

More information

DISADVANTAGED BUSINESS ENTERPRISE PROGRAM. Unified Certification Program OKLAHOMA

DISADVANTAGED BUSINESS ENTERPRISE PROGRAM. Unified Certification Program OKLAHOMA DISADVANTAGED BUSINESS ENTERPRISE PROGRAM Unified Certification Program OKLAHOMA TABLE OF CONTENTS General... 1 Ratification Process... 1 Implementation Schedule... 2 Regulatory Requirements... 2 DBE Directory...

More information

Government Contracting. Tech-Savvy World. in a. October InterContinental Miami. Miami, Florida

Government Contracting. Tech-Savvy World. in a. October InterContinental Miami. Miami, Florida Government Contracting in a Tech-Savvy World October 30-31 2014 InterContinental Miami Miami, Florida 2014 Fall Program Government Contracting in a Tech-Savvy World October 30-31, 2014 InterContinental

More information

DFARS and the Aerospace & Defence Enterprise

DFARS and the Aerospace & Defence Enterprise DFARS and the Aerospace & Defence Enterprise Is Your Organisation Ready? October 2017 Lance Seelbach, CISSP, CISA, Client Security Officer Simon Aplin, Export Compliance Lead Aerospace & Defence ANZ Table

More information

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information