November 20, (Via DFARS Case 2013-D018)

Transcription

1 November 20, 2015 (Via DFARS Case 2013-D018) Mr. Dustin Pitsch Defense Acquisition Regulations System OUSD(AT&L)DPAP/DARS Room 3B Defense Pentagon Washington, DC Subject: Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018); Docket No. DARS Dear Mr. Pitsch: The U.S. Chamber of Commerce, the world s largest business federation representing the interests of more than 3 million businesses of all sizes, sectors, and regions, as well as state and local chambers and industry associations, and dedicated to promoting, protecting, and defending America s free enterprise system, appreciates the opportunity to comment on the Department of Defense s (DoD s) interim rule tied to implementing portions of recent National Defense Authorization Acts (NDAAs). The interim rule became effective on August 26, 2015, without adequate public input. 1 The NDAAs amend the Defense Federal Acquisition Regulation Supplement (DFARS) in two primary ways. The interim rule requires contractors and subcontractors to report cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information... or on a contractor s ability to provide operationally critical support. In addition, this regulation also implements DoD policies and procedures for use when contracting for cloud computing services (Federal Register (FR) 51739). The Chamber does not attempt to address all roughly nine topics listed in the Discussion and Analysis section of DoD s notice (FR ). However, we try to explain our 1

2 2 concerns with the DFARS changes and ask questions that we urge DoD officials to address. The Chamber s letter emphasizes a half-dozen points, which we believe are crucial for Pentagon officials to consider in their decision making about next steps. Requiring Contractors to Comply Automatically With Dozens of New Security Controls Is Unrealistic and Costly The interim rule states that the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST SP ) are mandatory for contractors to use at the time a solicitation is issued or as determined by a DoD contracting official (FR 51470). The Chamber believes that it is highly unrealistic for DoD to assert that contractors can swiftly implement the approximately 109 requirements referenced in the interim rule. Compliance with 109 new requirements contained in NIST SP must be implemented enterprise-wide by contractors as well as at DoD program levels. This will take substantial time and resources to accomplish. The interim rule specifically clause imposes security controls based on NIST SP , replacing the security requirement in NIST SP , Security and Privacy Controls for Federal Information Systems and Organizations. 2 The Council of Defense and Space Industry Associations (CODSIA s) comment letter captures that contractors will be compliant with some, but not all, of the required security controls in NIST SP Contractors will fully comply with 39 of the NIST SP requirements, will only partially comply with 22 of the NIST SP requirements, and will face 48 entirely new NIST SP requirements. Thus, of the new 109 security controls, contractors will have to grapple with 70 new or partially new requirements nearly two-thirds of the 109 security controls that need interpretation and implementation to meet the terms of Pentagon contracts. 3 The Chamber wants to underscore to DoD the significant resources it will take for industry to rapidly comply with dozens of requirements in the interim rule. Companies cannot 2 On September 10, 2015, the Chamber commented on OMB s proposed guidance memorandum Improving Cybersecurity Protections in Federal Acquisitions (guidance). The guidance focuses on implementing cybersecurity protections in federal acquisitions for products and services that collect, store, and provide access to controlled unclassified information (CUI) on behalf of government agencies. The Chamber s primary recommendation, which is applicable to DoD s interim rule, was that the guidance should be based on a maturity model allowing contractors to progress from one implementation tier to another to protect CUI. Also, OMB guidance needs to be dynamic and not become an ossified checklist of requirements that fails to respond to actual threats to agencies and contractors information networks and systems. Our organization offered critiques of the guidance sections, including stressing that agencies should develop workable means of improving the cybersecurity of federal information held by contractors and subcontractors through clear and mutually agreed upon solutions. The Chamber s letter is available at 3 The Chamber signed the November 13, 2015, CODSIA letter commenting on DoD s proposed rule and supports its recommendations. CODSIA s substantial letter, led by the Information Technology Alliance for Public Sector (ITAPS), is available at

3 3 simply flip a switch and automatically adhere to the new controls, as the interim rule apparently presumes. At a time of sequestration and additional public pressure to lower federal acquisition costs, the way in which the interim rule is written will likely serve to heighten the costs of Pentagon contracting programs. Deviating From Prescribed Controls: Allowing Alternative Security Measures Within a Certain Interval Would Be a Prudent Approach Subsections (c) and (d) of DFARS Compliance With Safeguarding Covered Defense Information Controls of the interim rule grant contractors the ability to request a deviation(s) from the security requirements in NIST SP The subsections also allow DoD s chief information officer (CIO) to approve or disapprove such requests or alternatives but equally effective security measures prior to contract award (FR ). Enabling the CIO to issue a decision at any time before awarding a contract could complicate procurements. For instance, an otherwise capable offeror may be deemed nonresponsive at the final moments of contract negotiations after neither the company nor DoD has time to address deviation-related issues through discussions or an amended proposal. Relatively hasty decision making could impact DoD s ability to obtain the best value in the acquisition market, especially when the offeror requesting a deviation could have fully implemented the NIST SP requirements with adequate time and resources. The Chamber recommends that DoD policy should be clarified. The interim rule should feature a time limit for the CIO or his or her authorized representative to approve or disapprove offerors deviation requests. Under the interim rule, determinations about whether deviations will be granted are seemingly arbitrary, so requests could go unaddressed for any length of time. The Chamber s impression is that many companies could end up seeking deviations from NIST SP controls in order to be responsive to acquisition requirements. A surge of deviation requests could become overwhelming for DoD to manage, thus undercutting officials intentions to complete contracts in short order. The Chamber believes that a certain period be made for the DoD CIO to consider a contractor s (1) deviation(s) from a particular security control or (2) alternative security measures. Deviation requests that go unanswered after a reasonable, established period should be presumed to be approved by the DoD CIO. The interim rule is vague about how a deviation request could impact the evaluation of offerors proposals. It is also unclear from the interim rule if subcontractors should request deviations directly through DoD or through the prime contractor and what, if any, role the process includes for the prime contractor in requesting deviations. The interim rule seemingly requires contractors to request a deviation every time a proposal is submitted. This transactionspecific requirement would place an inordinate strain and burden on both the DoD CIO and contractors. It would be more efficient and economical to allow contractors to receive a single blanket approval of their systems that would apply across many contracts with DoD for a specified period of time.

4 4 Such an approval process would lighten the regulatory burden on the DoD CIO and afford contractors insight into whether their request for deviation would be granted in advance of proposal submission. It would similarly provide some predictability to contractors investing bid and proposal funds into federal competitions. DoD should consider creating a preapproval designation or a certification of compliance for vendors that voluntarily seek approval in advance of looking for DoD contract work. Such a mechanism would reduce the burden on DoD and companies in the defense industrial base (DIB), which are likely to search for and receive approval prior to implementing an alternative security measure. DoD should clarify what factors it will take into account when processing deviation requests. The DoD CIO should issue guidance on how the department would approve or disapprove deviations and alternative security measures. The interim rule should say that agencies and departments shall not downgrade companies proposals or basically penalize offerors for requesting and being granted deviation authority. Guidance would be helpful to ensure consistency across offerors deviation requests and DoD s decision making. Providing such guidance would enable offerors to better prepare their requests and would establish reasonable criteria for contractors, subcontractors, and the DoD CIO to leverage. Establishing a safe harbor to help contractors comply with the DFARS requirements and mitigate cyber risks would help ensure that the interim rule does not create an undue burden or liability exposure for industry. The Chamber seeks clarity on why DFARS and are separate clauses. DFARS requires compliance with DFARS , except to the extent that an authorized representative of the DoD CIO approves a deviation. Any deviation from the requirements set forth in DFARS should occur in DFARS to ensure that they apply to the requirements in that clause. A Widespread Incident Reporting Regime Will Prove Unwieldy The interim rule mandates new reporting procedures by contractors. The new regulations increase both the scope of information networks and systems that contractors must apply security controls as well as the circumstances in which contractors must report incidents. The interim rule will create conflicts and confusion regarding other reporting requirements that need to be reconciled prior to the rule becoming final. Under the interim rule, a covered contractor information system is an information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information (CDI). The interim rule requires reporting of any cyber incident that affects a covered contractor information system or covered defense information residing therein, or that affects the contractor s ability to perform the requirements of the contract that are designated as operationally critical support. A cyber incident that affects the contractor s ability to perform operationally critical support could also include incidents on systems beyond covered information systems, and the interim rule requires that these incidents be reported too.

5 5 DFARS clauses (b) and (m)(2) require subcontractors to rapidly report cyber incidents to the government and the prime contractor (FR and FR 51747, respectively). The clauses require the subcontractor to provide the prime contractor with the incident report number, automatically assigned by DoD. But the clauses do not say what information must be provided to the prime contractor. Without guidance regarding what information must be disclosed, it is unclear whether the subcontractor may be required to reveal proprietary information as part of the disclosure and the extent to which the prime contractor is required to maintain the confidentiality of information tied to an incident. Moreover, the requirement that this information be rapidly reported may not allow private parties time to negotiate a nondisclosure agreement with respect to such information. It would be prudent for the clause to limit the subcontractor s disclosure responsibility so that it is only required to disclose that the event occurred and the incident report number. Alternatively, the clause should limit the prime contractor s use of any disclosed information as the rule does with respect to third-party contractors under DFARS (FR 51745). As currently drafted, the interim rule s provision regarding access to additional information or equipment necessary for forensic analysis in subsection (f) of clause requires contractors to provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis (FR 51746). Instead of this wording, the Chamber recommends modifying it to state that contractors provide DoD additional information as necessary to conduct a forensic analysis upon the request of DoD. The parties shall discuss in good faith whether additional information or equipment is necessary to conduct a forensic analysis. Subsection (g) of clause allows DoD to conduct an exhaustive cyber incident damage assessment. In the course of the review, DoD may request a complete copy of images of the accessed information systems for analysis (FR 51746). These images may contain third-party data that the DoD contractor may not be lawfully authorized to disclose. The Chamber requests that an exception be provided allowing contractors to refrain from disclosing complete images if there are legal or contractual reasons that preclude such sharing. Contractors should be permitted to use various means of providing DoD with the data it needs to conduct a damage assessment without running afoul of potential restrictions associated with handling the data. Mandating Security Requirements Throughout the Supply Chain Will Have Unwanted Consequences The interim rule creates a number of requirements that DoD intends to flow down throughout the defense industry supply chain, from prime contractors to thousands of subcontractors. Such a sweeping initiative will generate unintended consequences, not all of which are constructive. Virtually all contractors and subcontractors will need to significantly enhance their cyber capabilities because the security mandates in NIST SP will flow down throughout their respective supply chains. On the surface, this outcome is a good one. However, high-quality cybersecurity the type needed to counter nation-state adversaries and their proxies does not come cheaply.

6 6 The expense of complying with multiple new rules will be difficult for large firms and especially for small and midsize businesses. Small enterprises can find complying with NIST SP insurmountable because of the connected personnel (e.g., cybersecurity consultants) and capital (e.g., hardware and software) expenses. What is more, given the nature of business sales practices, commercial companies often will not know who or what the ultimate customer is and, among other things, commercial entities will have challenges complying with the interim rule. The flow-down requirements apply not only to subcontractors at any tier but even to those subcontractors that sell commercial parts and services. Applying DoD-specific regulatory burdens on commercial vendors will generate much uncertainty and added expense, creating a disincentive for affected vendors to remain in the defense market. DoD-unique requirements will also act as de facto barriers to potential market competitors. Cloud Computing Provisions Should Be Handled In a Separate, Proposed Rulemaking The Chamber recommends removing sections (Representation of Use of Cloud Computing) and (Cloud Computing Services) from the interim rule and publishing them as a proposed rule separately. Publishing the clauses on implementing cloud contracting policies with sections on network penetration reporting adds unnecessary complexity and confusion. In the absence of a separate rule, the Chamber recommends the following actions: First, based on the rule, certification should be waived if a contractor does not provide cloud computing services to the government. But if the contractor is using cloud computing services that cover protected information as defined in the interim rule, the contractor must meet NIST SP security requirements, with added resources and costs. Second, the Chamber recommends clarifying the definition of cloud services. The interim rule is replacing DFARS for unclassified controlled technical information (UCTI), which applied to any unclassified technical information. We understand that DFRAS is applicable only to cloud services provided by the enterprise (a nondeliverable). Deliverables are handled under separate acquisition documents (e.g., statements of work) raising questions for contractors about the certification requirement. Definitions Need to Be Workable for Industry and Government The interim rule defines covered defense information broadly to incorporate four categories of information (e.g., FR 51742, FR 51745). While, in some cases, it is clear that information would fall within one of the four categories, such as information specifically marked or delineated in the contract, in other instances, it is not clear. For example, where a contractor receives or generates information in the course of contract performance, it may be unclear whether it falls within a given category (e.g., information vitally needed by adversaries for them to plan and act effectively... ). Similarly, one of the four categories of CDI is critical information (operations security) (FR 51742). The Chamber understands that specific facts linked to the operations security process can differ among DoD commands and related entities. It is not clear from the

7 7 interim rule which standards would apply in determining whether an item is CDI/critical information. The Chamber urges DoD to clarify what constitutes critical information generally, including under the operations security process. Any process should be appropriately centralized to ensure that information is treated consistently across DoD contracts and Pentagon bodies. Further, the Chamber requests DoD to clarify what methodology is applied when it determines whether a contractor reasonably complies with the interim rule, and when it determines whether specific information falls within a certain definition, such as CDI/critical information. The interim rule s definition of compromise in subsection (a) of DFARS includes the loss of an object, which may require contractors to investigate, preserve, report, and possibly produce laptops, mobile devices, and other media that store CDI. The Chamber requests that DoD consider adding a provision that eliminates any reporting requirements for objects where CDI was stored on the device using embedded encryption (e.g., whole disk encryption). Presumably, industry can argue that there is a higher level of confidence about the security of encrypted data. The interim rule defines cyber incident at DFARS as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein [italics added] (FR51742). However, the cyber incident reporting requirement at DFARS (c)(1) only requires the reporting where a cyber incident affects a covered contractor information system or the covered defense information residing therein... [italics added] (FR 51746). There is a discrepancy between a potential incident and an actual incident. Thus, it is not entirely clear if cyber incidents with potentially (i.e., not actually) adverse effects must be reported. Requiring contractors to report potentially adverse effects a massive undertaking, given the number of incidents and the time it takes to adequately assess their severity would place a significant burden on both government and contractors. If contractors are required to report all potentially adverse effects they may incur significant expenses to report hundreds of innocuous incidents. Without further clarification, there is potential to create a substantial burden for contractors with no commensurate benefit to the government. Accordingly, the interim rule should address: (1) what is meant by the term potentially adverse effect, and what elements contractors should evaluate when determining whether an incident falls within this definition; and (2) whether contractors must report cyber incidents with a potentially adverse effect or just those cyber incidents that have an actual adverse effect. Given the difficulty in making such a determination, the Chamber requests that DoD consider either removing the word potentially or include language stating that an incident only includes actions that are likely to result in the exfiltration of CDI or the installation of unauthorized command-and-control capabilities. ***

8 8 The Chamber welcomes the chance to provide feedback to DoD on the interim rule on cyber incident reporting and contracting for cloud computing services. If you have any questions or need more information, please do not hesitate to contact me ) or my colleague Matthew Eggers ). Sincerely, Ann M. Beauchesne