May 20, 2015
Georgetown University Law Center

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

Robert S. Metzger
Rogers Joseph O'Donnell, P.C.
875 15th Street, N.W., Ste 725
Washington, D.C. 20005
(202) 777-8951
rmetzger@rjo.com
www.rjo.com

3d Annual Cybersecurity Law Institute, May 20, 2015, Rev.1 -1-
What is Controlled Unclassified Information?

CUI includes massive amounts of multiple types of sensitive information.

EO 13556 makes the National Archives & Records Administration (NARA) responsible, as Executive Agent, for reconciling the many types of CUI.

NARA issued a proposed rule on May 8, 2015 (80 Fed. Reg. 26501).

The CUI Registry identifies 23 categories and 82 subcategories of CUI, e.g.:
- Technical information with military or space application (UCTI)
- Copyrights & Patents
- Census data
- Critical infrastructure data
- Info subject to export controls
- Financial information
- Geospatial
- Immigration
- Intelligence (e.g., financial records, FISA)
- Law enforcement & Legal
- Personally identifiable information
- Privacy, including PII & PHI (health information)
- Proprietary business records
- SAFETY Act (anti-terrorism related) information
CUI Registry: Categories & Subcategories

- Agriculture
- Controlled Technical Information
- Critical Infrastructure (7 sub)
- Emergency Management
- Export Control (1 sub)
- Financial (9 sub)
- Foreign Government Information
- Geodetic Product Information
- Immigration (7 sub)
- Information Systems Vulnerability
- Intelligence (5 sub)
- Law Enforcement (14 sub)
- Legal (11 sub)
- NATO (2 sub)
- Nuclear (5 sub)
- Patent (3 sub)
- Privacy (8 sub)
- Proprietary Business (5 sub)
- SAFETY Act Information
- Statistical (3 sub)
- Tax (1 sub)
- Transportation (1 sub)

"CUI categories and subcategories are those types of information for which laws, regulations, or Governmentwide policies require safeguarding or dissemination controls." Proposed 32 C.F.R. 2002.2 (Definitions).
Who has access to CUI?

- Federal Contractors
- State and local governments
- State and local contractors
- Tribal governments
- Colleges & Universities

"Many federal contractors, for example, routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies (e.g., providing credit card and other financial services; providing Web and electronic mail services; conducting background investigations for security clearances; processing healthcare data; providing cloud services; and developing communications, satellite, and weapons systems). Additionally, federal information is frequently provided to or shared with entities such as State and local governments, colleges and universities, and independent research organizations." NIST SP 800-171 (Final Public Draft), at 1.
The Federal Interest in Protecting CUI

Recent well-publicized attacks show both the vulnerability of nonfederal systems and the impact of attacks:
- Target
- Sony Pictures
- JP Morgan
- Anthem Healthcare
- US, EU and Russian banks

CUI of at least equal sensitivity is routinely processed on or transmitted by nonfederal ICT systems.

"[F]ederal information designated as CUI has the same intrinsic value and potential adverse impact if compromised whether such information resides in a federal or a nonfederal organization. Thus, protecting the confidentiality of CUI is critical to the mission and business success of federal agencies and the economic and national security interests of the nation." NIST SP 800-171 (Final Public Draft), at 5.
Few Measures in Effect Today

No law, general regulation or other requirement applies cybersecurity measures to federal civilian contractors. The measures in effect are narrow:
- Narrow military-specific provisions to protect the supply chain against high-risk sources (FY 2011 NDAA 806)
- Measures restricting the country of origin of high-impact ICT purchases by Commerce, Justice, NASA, NSF
- DoD's DFARS to impose basic cyber controls to protect its UCTI
- Limited mandatory reporting of cyber events [same]

Q: Is CUI inherently less important to protect than UCTI?
Q: Are non-defense systems at less risk?
Q: Is the civilian side of the government indifferent to the risk?
Q: Are the potential consequences of vulnerability more tolerable?
The Work In Progress

[Diagram: JWG, NARA, NIST]

Responsibilities:
- NARA: to define and categorize the varieties of CUI and establish workable guidelines & mechanisms
- 8(e) JWG: to decide on the mix of acquisition methods and contract tools
- NIST: to identify required security controls and practices for adoption

[Diagram label: ACQUISITION METHODS & CONTRACT CONTROLS - TOOLKIT]

- Agencies: to evaluate cost/benefit, to establish applicability or tiers (if available), to tailor, to specify reporting, to administer and oversee
Overview of Initiatives Underway

NARA is the Executive Agent to address CUI
- Proposed rule, 80 Fed. Reg. 26501 (comments due 7/7/15).
- Defines and categorizes CUI (using the CUI Registry);
- Sets safeguarding standards as "basic" or "specified" (enhanced, or different);
- Adopts NIST SP 800-171 safeguards.

NIST SP 800-171 (Final Public Draft) (5/12/2015)
- Protects confidentiality of CUI at the moderate impact level of FIPS 199.
- States performance- or capability-based requirements that elaborate upon FIPS 200 but do not contain the "how to" rules of 800-53.
- Intent is to capture the intent of the 800-53 Moderate baseline without obligating private companies to use specific 800-53 controls.

Individual agencies: DoD (UCTI) and DHS ("Sensitive Information")

8(e) Joint Working Group studying contractual implementation
- NARA leads drafting of a single FAR clause to protect CUI
- Contractors execute per solicitation, by contract term

[Timeline diagram: NIST, NARA, JWG, FAR, CONTRACTS; mid-July 201?]
Acquisition Methods & Contract Tools

- Responsible contractor threshold
- Solicitation & SOW requirements
- Source selection criteria (evaluation)
- Contract clauses (prime level)
- Flowdown clauses
- Special provisions (higher protection)
- Data Item Descriptions (CUI marking)
- Reporting obligations
- Validation, access and audit?
- Tailor requirements to criticality, risk, cost

Damages / Sanctions:
- Breach of contract
- Termination
- Adverse performance report
- If willful or reckless: suspension/debarment, False Claims Act

Many issues to address to produce a regime that is at once fair, workable, practicable & affordable.
SP 800-171: Extending NIST to the Private Sector

NIST SP 800-171 (Final Public Draft) seeks to embrace existing private sector measures and accept alternative controls.

SP 800-171 describes 14 families of requirements; the relevance of 800-53 controls and enhancements may not be well understood, however.

The intent is for commercial companies to assess their systems against the narrative 171 requirements rather than the specific controls in 800-53. NIST recognizes that 800-53 was developed for federal systems, while 171 is to achieve similar and sufficient goals (to protect confidentiality) in the in-place systems of contractors.

NIST is now evaluating comments to the Final Draft.

Important Assumptions of SP 800-171

"Additional assumptions also impacting the development of the CUI security requirements and the expectation of federal agencies in working with nonfederal entities include:
- Nonfederal organizations have information technology infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI;
- Nonfederal organizations have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the CUI security requirements;
- Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and
- Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement."
NIST SP 800-171 (Final Public Draft), at 5 (emph. added).
SP 800-171: Relevant Comparisons

SP 800-171 sets its own requirements; these are built from FIPS 200 and mapped to show relevant controls from 800-53 and counterparts in ISO/IEC 27001.

Comparing controls among the DFARS, 800-171 and 800-53 is difficult, but there are distinctions:
- The DFARS UCTI clause refers to 51 controls from 800-53, but 61 if you count controls + enhancements. These 61 translate to >275 task statements.
- SP 800-171 states 109 requirements; the map shows these reflect 122 controls from 800-53, but there are only 109 task statements.

Properly understood, industry should find it less demanding (and have more alternatives) to comply with 800-171 than with 800-53 (or the DFARS).

Expect DoD to issue a rule to adopt 800-171 controls in the DFARS and apply them to UCTI.

"Special Publication 800-171 is intended for use [when] federal agencies are providing CUI to nonfederal organizations (or when CUI is developed for federal agencies) for purposes unrelated to information processing; that is, the nonfederal organizations are not operating their information systems to process agency data, including CUI, on behalf of the agency but rather for other purposes. Nonfederal organizations typically employ their internal information system resources to develop the required deliverables associated with specific federal contracts or other agreements with the federal government. The nonfederal organization's information system will also be required to process, store, transmit, or generate any CUI needed to develop those deliverables. In such cases, the requirements in Special Publication 800-171 are applied, recognizing that nonfederal organizations: (i) must meet their internal organizational information processing needs; and (ii) may also be required to support the information processing needs of other organizations." NIST SP 800-171 (Final Public Draft), at viii.

The comment period on SP 800-171 closed on May 12. It should be Final by late June.
Agency Role: Balancing Cost & Risk

- Agencies best understand the threat and the risk of cyber attack to their crucial functions that depend on nonfederal information systems.
- Agencies are in the best position to know which information is CUI.
- Agencies are best informed to categorize the sensitivity of their information and the impact upon their mission of lost confidentiality.
- Agencies can best assess supply chain impact upon their missions. E.g., FISMA, FIPS, FedRAMP, NIST.
- Agencies also have specific needs for event reporting, for information security and for restoration/resilience.
- Agencies ultimately are responsible for implementation costs. They also must temper risk perception with recognition of potential costs, effect upon competition, and impacts to their access to the technology base.
- Agencies will seek a role in the selection and tailoring of controls, validation and oversight.