Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017
March 23, 2017

By Keir Bancroft, Partner, Venable LLP, KXBancroft@Venable.com, 202.344.4826
By Louverture Jones, Senior Manager, Deloitte Advisory, Deloitte & Touche LLP, loujones@deloitte.com, 305.808.2548
Keir X. Bancroft
Keir Bancroft provides a range of services to government contractors, including litigation, transactional, and compliance matters. Mr. Bancroft works with large, mid-sized and small businesses, and often handles small business-related issues. Within the broad rubric of cybersecurity, Mr. Bancroft specializes in information security and privacy compliance for government contractors. He helps clients address information safeguarding and incident response requirements under the Federal Information Security Management Act (FISMA) and subsequent amendments, the Risk Management Framework, the Privacy Act, and similar requirements. Mr. Bancroft also focuses on national security and industrial security issues arising under the National Industrial Security Program Operating Manual (NISPOM).
Louverture Jones
Louverture Jones is an executive-level leader in cyber risk and security services, with 17 years of experience capturing and delivering transformative security strategy, governance/risk compliance and technical integration for clients within the public and private sectors. His portfolio of industry exposure includes Energy, Financial Services, Healthcare, and DoD customers, working as the President of a Cyber Security Services Company and as the Cyber Security Director for a large technical services company. Mr. Jones's past successes include the integration of cyber governance and risk management programs, enterprise security technology investment planning, computer forensics, data breach investigations, secure application design, penetration and compliance testing, vulnerability assessments, security information and event management (SIEM) deployments and Network Admission Control (NAC).
Contents
Cybersecurity for Government Contractors: Tips to Prepare for Cyber Incidents in 2017
1. Understanding the Rules
2. Learning About Incident Response
3. Demonstrating Safeguarding
4. Managing Compliance Throughout the Supply Chain
5. Consider Cloud Computing
Understanding the Rules
DoD Rule on Network Penetration Reporting: A Model for Safeguarding CUI

A Brief History:
- 2013 NDAA Sec. 941: Cleared contractors; network cyber penetration
- 2013: DoD Rule on Safeguarding Unclassified Controlled Technical Information
- 2015 NDAA Sec. 1632: Operationally critical contractors; rapid reporting
- August-December 2015: Interim rule, class deviation, and second interim rule issued applying to reporting and cloud
- October 2016: Final rule issued
What Is the Importance of the Rules?
Information Security Consequences
- Prescribes safeguarding controls
- One reporting obligation, but it may be one of many reporting obligations
Contract Compliance Issues
- Termination for Default
- Suspension and Debarment
- False Claims Act or Qui Tam actions
- Adds to the mix of non-federal contracting implications.
Provisions and Clauses
- Subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting
- Subpart 239.76, Cloud Computing
- 252.204-7008, Compliance With Safeguarding Covered Defense Information Controls (Oct 2016)
- 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information (Oct 2016)
- 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016)
- 252.239-7009, Representation of Use of Cloud Computing (Sep 2015)
- 252.239-7010, Cloud Computing Services (Oct 2016)
Covered Defense Information (CDI)
- Unclassified controlled technical information, or
- Other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies,
and is:
1. Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of the DoD in support of the performance of the contract; or
2. Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
NARA CUI Registry
- Per E.O. 13566, establishes a common taxonomy of CUI across federal agencies, DoD and civilian.
- Gives contractors greater insight into CUI across federal agencies.
- Agencies may apply limited dissemination controls.
Implementation Resources
- DoD FAQs. Last updated January 2017. Part of DoD outreach efforts to clarify implementation of the rule.
- Available at: http://www.acq.osd.mil/dpap/pdi/network_penetration_reporting_and_contracting.html
Multiple Approaches to CUI: DFARS Network Penetration Reporting and FAR Basic Safeguarding Clause

Covered Contractor Information System
- Definition under DFARS 252.204-7012 amended to clarify that it is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.
FAR Basic Safeguarding Clause
- FAR 52.204-21 (JUN 2016) defines a covered contractor information system as an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.
Basic Safeguarding Requirements
Requirements under FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems:
1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems);
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute;
3. Verify and control/limit connections to and use of external information systems;
4. Control information posted or processed on publicly accessible information systems;
5. Identify information system users, processes acting on behalf of users, or devices;
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems;
7. Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse;
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals;
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices;
10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems;
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks;
12. Identify, report, and correct information and information system flaws in a timely manner;
13. Provide protection from malicious code at appropriate locations within organizational information systems;
14. Update malicious code protection mechanisms when new releases are available;
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.
Learning About Incident Response
Considerations Before and During Your 72-Hour Reporting Window

72-Hour Cyber Incident Reporting Obligations
- Cyber Incident: action taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
- Investigate any cyber incident that affects:
  - A covered contractor information system or CDI residing on that system; or
  - The contractor's ability to perform any parts of a contract designated as operationally critical support.
- Operationally Critical Support is defined as: supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
Notes on Operationally Critical Support
- Note that there are additional, non-DoD considerations. E.g., the definition of a contractor's capabilities may define a cause of action by the FTC.
- DoD clarification: Operationally critical support is an activity, not an information type, performed by the contractor or subcontractor.
- Requires reporting of cyber incidents that affect the contractor's ability to perform contract requirements designated as operationally critical support.
- Operationally critical support requirements must be marked or otherwise identified in the contract, task order, or delivery order.
Cyber Incident Reviews
- Seek evidence of a compromise of CDI. A compromise includes:
  - Disclosure of information to unauthorized persons;
  - Violation of system security policy;
  - Unauthorized (either intentional or unintentional) disclosure, modification, destruction or loss of an object;
  - Copying of information to unauthorized media.
Scope of a Review
- Identify compromised computers, servers, specific data, and user accounts;
- Analyze covered contractor information systems that were part of the cyber incident;
- Analyze other information systems that may have been accessed as a result of the incident;
- Identify all compromised CDI, and any details that may affect the contractor's ability to provide operationally critical support.
Nuts and Bolts of Reporting
- Obtain a DoD-Approved Medium Assurance Certificate. Take time to obtain this NOW; do not wait until you experience a cyber incident. http://iase.disa.mil/pki/eca/pages/index.aspx
- Report through the DoD-DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal: http://dibnet.dod.mil/
- Subcontractor Reporting: remember, subcontractors report directly to DoD.
Sample: IASE Certification Authority Website
Sample: Incident Reporting Portal
Post-Reporting Considerations (to think about NOW)

Post-Reporting Obligations
- 90-Day Image Protection: preserve images of affected systems.
- Forensic Analysis: give DoD access to affected systems and equipment. DoD contractors performing forensic analysis are restricted from disclosing information.
- Information Requests: provide relevant information at DoD request.
- Report Malicious Software: isolate any malicious software identified in a review.
Protect Attributional or Proprietary Information!
- Defined as information identifying the contractor, its trade secrets, or its commercially sensitive information.
- DoD will try to reduce attributional/proprietary information when it shares cyber incident information with:
  - Affected entities;
  - Forensic analysts;
  - Law enforcement/counterintelligence agencies;
  - Defense Industrial Base (DIB) participants.
- Make it easy for DoD to identify and withhold attributional or proprietary information; mark the information clearly.
Protect Attributional or Proprietary Information: DoD Support Service Contractors, beware!
- DoD contracts with support service providers ("Recipient Contractors") to assist in handling cyber incidents.
- Recipient Contractors must ensure employees are subject to nondisclosure obligations.
- Breach of nondisclosure obligations may subject a Recipient Contractor to:
  - Criminal, civil, administrative, or contractual actions by the Government;
  - Civil actions from the contractor reporting the cyber incident.
Demonstrating Safeguarding
Complying with NIST SP 800-171

- Part of an IT service or system operated on behalf of the Government:
  - Cloud Computing Services: apply new DFARS 252.239-7010, Cloud Computing Services
  - Non-Cloud: look to other contract requirements
- NOT part of an IT service or system operated on behalf of the Government: apply NIST Special Publication 800-171 security controls
SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
- Replaces SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, in safeguarding rules
- Focuses on nonfederal systems
- 14 security objectives, addressing safeguarding of controlled unclassified information (CUI)
- December 30, 2017 deadline for contractors to implement 800-171.
NIST 800-171 Families of Security Requirements
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
DoD Class Deviations, October 2015
- Deviations implemented to grant contractors 9 additional months to comply with 800-171 Security Requirement 3.5.3, "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts."
- Requires notification to the contracting officer if additional time is necessary.
- A key indicator of the DoD's focus on some of the higher-profile security requirements under NIST SP 800-171.
30-Day Notification Requirement
- Applies to all contracts awarded prior to October 1, 2017.
- Within 30 days of contract award, the contractor must provide the DoD CIO with a list of security requirements the contractor is not implementing at the time of award.
- Notification via e-mail to osd.dibcsia@mail.mil.
252.204-7008, Compliance With Safeguarding Covered Defense Information Controls (OCT 2016)
- Directs that security requirements covered under 252.204-7012 shall be implemented for all CDI on all covered contractor information systems supporting the contract performance.
- Provides the process for seeking a variance from the DoD CIO before award: "If the Offeror proposes to vary from any of the security requirements specified by NIST 800-171 that are in effect at the time the solicitation is issued..."
- An authorized representative of the DoD CIO will adjudicate offeror requests to vary from NIST SP 800-171 requirements in writing prior to contract award.
- Any accepted variance from NIST SP 800-171 shall be incorporated into the resulting contract.
Post-Award Variances
- 252.204-7012(b)(2)(ii)(B), (C) has been updated to provide for post-award variance requests.
- The Contractor shall submit requests to vary from NIST SP 800-171 in writing to the Contracting Officer, for consideration by the DoD CIO.
- The Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable or to have an alternative, but equally effective, security measure that may be implemented in its place.
- If the DoD CIO has previously adjudicated the contractor's requests indicating that a requirement is not applicable or that an alternative security measure is equally effective, a copy of that approval shall be provided to the Contracting Officer when requesting its recognition under this contract.
Seeking Variance from Application of SP 800-171
- Alternative, equally effective security measures to protect CDI: propose these to compensate for an inability to satisfy a requirement under a clause.
- Propose why a particular safeguarding requirement is, in some cases, not applicable.
- Why do this?
  - You as the prime contractor may not be able to, or may have no reason to, protect certain information.
  - Your subcontractor(s) may push back on 800-171 safeguarding requirements.
DoD Obligations Clarified Under Final Rule
- Variance requests are submitted to the contracting officer, who refers them to the DoD CIO for adjudication.
- The contracting officer will act as liaison if the DoD CIO requests more information in support of the contractor's request for variance.
- A 5-business-day response time is the typical response time for the DoD CIO.
DoD Basis for Variance Determination
- Basis for determining if an alternative is acceptable: whether the alternative is equally effective.
- Basis for determining if a security requirement is not applicable: whether the basis or condition for the requirement is absent.
- DoD CIO is responsible for ensuring consistent adjudication of proposed non-applicable or alternative security measures.
- Evaluation may impact the award decision. Not a requirement of the rule, but a solicitation may be drafted to provide for an evaluation to impact an award decision.
Managing Compliance Throughout the Supply Chain
Negotiating Obligations With Subcontractors

- Obligations flow down to certain subcontractors:
  - Subcontractors whose efforts will involve CDI; or
  - Subcontractors that will provide operationally critical support.
- The contracting officer may be consulted to determine if the subcontractor is handling CDI, or providing operationally critical support.
- Obligations must be flowed down without alteration (except to identify the parties). No tailoring.
Considerations for Prime Contractors
- Be mindful of whether subcontractor efforts will involve CDI, or if the subcontractor will provide operationally critical support.
- Consider the subcontractor's ability to comply with 800-171 requirements.
- Ascertain if the subcontractor needs to request a variance from any 800-171 security requirements.
- Negotiate reporting obligations:
  - Arrange for the subcontractor to furnish the prime contractor a redacted copy of its cyber incident report.
  - Seek confirmation from the subcontractor that the prime contractor's attributional information will not be disclosed.
Considerations for Subcontractors
- Seek confirmation from the Agency of whether the scope of the subcontract involves CDI, or if the subcontractor is obligated to provide operationally critical support.
- Do the clauses have to be flowed down to second-tier subcontractors?
- Negotiate with the prime to provide redacted copies of its cyber incident reports.
- Obtain confirmation that the prime contractor will protect attributional information.
Consider Cloud Computing
Cloud Computing Requirements Under DoD Rules

- DFARS 252.239-7009, Representation of Use of Cloud Computing: allows contractors to represent whether they intend to use cloud computing services in performance of the contract.
- DFARS 252.239-7010, Cloud Computing Services: addresses access, security, and reporting requirements. Applies to all solicitations for information technology services (including commercial items solicitations).
Applying Controls
- A contractor using cloud computing services must implement and maintain administrative, technical, and physical safeguards and controls.
- Requirements are established in the Cloud Computing Security Requirements Guide (SRG): http://iase.disa.mil/cloud_security/pages/index.aspx
Physical Location
- Maintain within the U.S. or outlying areas all government data not located on DoD premises.
- The Contracting Officer may provide written instructions to use another location.
Access and Disclosure
Limitations on Government Data and Government-Related Data, including:
- Government Data: defined as information, document, media, or machine readable material regardless of physical form or characteristics, that is created or obtained by the Government in the course of official Government business.
- Government-Related Data: defined as information, document, media, or machine readable material regardless of physical form or characteristics that is created or obtained by a contractor through the storage, processing, or communication of Government data. Excludes the contractor's business records (e.g., financial records, legal records, etc.) or data such as operating procedures, software coding or algorithms that are not uniquely applied to the Government data.
- The contractor must impose access, use, and disclosure obligations on employees.
- The contractor may not access, use, or disclose Government data unless specifically authorized by the terms of this contract or a task order or delivery order issued hereunder.
Compared to DFARS 252.204-7012 Obligations
- Reporting obligations, but not on a 72-hour timeline;
- Specifies that contractors must submit malicious software per contracting officer instructions;
- Requirement to preserve and maintain images of affected systems, and relevant monitoring/packet capture data, for at least 90 days from submission of the cyber incident report;
- Granting DoD access for forensic analysis;
- Providing damage assessment information.
Spillage
- In addition to cyber incidents, defined as an incident that results in the transfer of classified or controlled unclassified information onto an information system not accredited for the appropriate security level.
- May be detected by the contractor or the government.
- The contractor must cooperate with the contracting officer to address the spillage.
Records Management and Facility Access
- The contractor is subject to transmission and disposal obligations with respect to government data and government-related data.
- Access to data, personnel, and facilities must be granted for purposes of audits, investigations, inspections, or other similar activities as authorized by law or regulation.
- Third-party access: the Government must be informed of warrants, seizures, or subpoenas for government data or government-related data. The contractor must protect against unauthorized disclosure.
Subcontract Flowdown Obligations
- The prime must flow down requirements under DFARS 252.239-7010 to all subcontracts that involve, or may involve, cloud services.
- Includes subcontracts for commercial items.
Take-Aways
Key Tips for Consideration
1. Understand the Rules: understand CUI and Covered System; register for a Medium Assurance Certificate.
2. Incident Response: prepare an incident response plan; identify all Attributional/Proprietary Information.
3. Demonstrate Safeguarding: assess 800-171 compliance; prepare a request for variance from safeguarding standards.
4. Manage Compliance: negotiate flowdown terms with subcontractors; obtain buy-in on subcontract applicability.
5. Consider Cloud Computing: assess appropriate locations for cloud storage; understand the concept of spillage and prepare for reporting.
Questions?
Keir Bancroft, Partner, Venable LLP, KXBancroft@Venable.com, 202.344.4826
Louverture Jones, Senior Manager, Deloitte Advisory, Deloitte & Touche LLP, loujones@deloitte.com, 305.808.2548