The DFARS UCTI Clause: How It Impacts the Subcontract Relationship
Breakout Session #F11
Phillip R. Seckman and Michael J. McGuinn, Dentons US LLP
Date: Tuesday, July 28, 2015
Time: 4:00pm - 5:15pm

Agenda
- Cyber threats and risk management
- Regulatory landscape
- DFARS UCTI rule requirements
- Supply chain compliance
- Recent developments
  - NARA CUI plan
  - Cyber legislation
- Compliance and breach response takeaways

Cyber Attacks: An Ever-Growing Threat
- GAO: 67,000 computer hacking incidents reported by federal agencies in 2014 (up from 5,500 incidents in 2006)
  - Includes malware installation, improper use of computer resources and unauthorized access to systems
- Attacks are top concern of FBI and intelligence community
- Cyber attacks focused on IP, critical infrastructure, and personal data
  - Mandiant Report: APT1 in China responsible for estimated 80-90% of cyber incidents involving classified information, trade secrets, IP
  - Office of Personnel Management Hack: nation-state hackers stole personnel data and Social Security numbers for every federal employee
- "Some organizations will be a target regardless of what they do, but most become a target because of what they do (or don't do)." - Verizon 2013 DBIR

Regulatory Landscape
- Contractors faced with patchwork of legal requirements
  - Federal Information Security Management Act of 2002: primarily applicable to government information systems, but also applicable to contractors
  - Federal Information Security Modernization Act of 2014, passed on 12/10/14; new requirements likely forthcoming
  - Industry/agency-specific requirements (e.g., DOD, NASA, GSA, DOE)
  - SEC disclosures for material cyber incidents
  - HIPAA requirements
  - FTC treatment of breaches as unfair trade practices
  - State-specific breach notification laws
  - International requirements
  - Private sector requirements (e.g., PCI DSS)
- Developments overlay existing requirements, increase compliance obligations

DFARS Unclassified Controlled Technical Information ("UCTI") Clause
- Issued on Nov. 18, 2013 (78 Fed. Reg. 69,273)
- Establishes new clause, DFARS 252.204-7012
- Clause included in all DOD contracts issued after Nov. 18, 2013
  - Including small business and commercial item contracts
  - DOD also implemented through contract modification in some cases

DFARS UCTI Clause: Identifying UCTI
- Clause applies to any contractor information system that may have UCTI resident on or transiting through it
- UCTI:
  - Technical Information: technical data or computer software
  - Controlled Technical Information:
    - Military or space application
    - Subject to controls on access, use, modification, release
    - Marked with required distribution statement pursuant to DOD Instruction 5230.24, Distribution Statements on Technical Documents
- UCTI may be furnished by the government or developed by the contractor (DFARS PGI 204.7303-1(a))
  - DOD generally responsible for identifying whether contractor will be required to develop or handle UCTI
  - Contractor also may develop technical information to be marked

DFARS UCTI Clause: IS Security Requirements
- Compliance with 50+ security controls from NIST SP 800-53:
  - Access control
  - Awareness and training
  - Audit and accountability
  - Configuration management
  - Identification and authentication
  - Contingency planning
  - Incident response
  - Maintenance
  - Media protection
  - Physical and environmental protection
  - Program management
  - Risk assessment
  - Systems/communications protection
  - Systems/information integrity
- Must otherwise explain: (1) why security control is inapplicable; or (2) an alternative control or protection achieves equivalent protection

DFARS UCTI Clause: IS Security Requirements (cont.)
- Security control command media (the NIST "dash-1" controls) not required, but strongly recommended
  - Necessary to explain/defend systems to DOD
  - Helpful to explain system requirements to subcontractors
- Documentation required in connection with certain controls (e.g., CM-2)
- Number of controls allow for reasonable contractor discretion
  - AC-7, Unsuccessful Logon Attempts: does not impose a specific number of logon attempts that trigger lockout
- Certain controls incorporate base control and control enhancement
  - E.g., AC-3(4): requires compliance with the AC-3 base control (access enforcement) and the (4) enhancement (discretionary access controls)

DFARS UCTI Clause: IS Security Requirements (cont.)
- Additional IS security protections required when contractor:
  - Reasonably determines
    - Business discretion?
  - Other IS security measures may be required to provide adequate security in a dynamic environment
    - Adequate security: protection commensurate with probability/consequences of loss, misuse, unauthorized access, or information modification
    - Dynamic: adequacy must be constantly assessed/updated
  - Based on an assessed risk or vulnerability
    - Requires an understanding of known risks
    - Look-back period?
- Specified NIST 800-53 controls set the baseline

DFARS UCTI Clause: Reporting Requirements
- Reporting required within 72 hours of discovery of reportable cyber incident:
  - Possible exfiltration, manipulation, or other loss or compromise of UCTI on prime/sub information system
  - Any unauthorized access to system on which UCTI is present
- Prime contractors must report up to 13 categories of information to DIB CS/IA website, including:
  - Affected contracts
  - Description of technical information compromised
  - Name of subcontractor, if incident was on a subcontractor network
- Threshold triggering reporting is low

DFARS UCTI Clause: Reporting Requirements (cont.)
- More comprehensive contractor review required after initial report:
  - Scope of network compromise (e.g., affected servers, information systems, computers, user accounts)
  - Specific UCTI impacted
- Preserve images and relevant information for at least 90 days
- DOD (DSS) may elect to conduct damage assessment
  - Contractor required to comply with damage assessment information requests, unless otherwise precluded by law
  - Information protected from further disclosure
- Be prepared to explain why compromise occurred and company response

DFARS UCTI Clause: Compliance Measures
- Review contracts for clause
- Assess which systems have or may handle UCTI
  - Review DOD Instruction 5230.24 to identify UCTI
  - UCTI may be identified in CDRL or marked with a distribution statement
- Conduct gap analysis using NIST SP 800-53 standards
- Identify known security risks and loss probabilities
  - Implement additional controls commensurate with these risks
- Promptly remedy any security control deficiencies
  - Contractors "shall" implement controls
  - Contractors likely have reasonable discretion to prioritize control implementation
- Assess possible system compromises immediately; consider reporting obligation

DFARS UCTI Clause: Consequences of Noncompliance
- Consequences of non-compliance include:
  - Breach of contract
  - Termination for default
  - FCA liability (no express certification currently required)
  - Negative past performance evaluations
  - Declination of options (USIS)
  - Suspension and debarment
  - Purchasing system disapproval
- Government likely to review non-compliances in the context of a breach and with benefit of hindsight
  - Contractor reasonableness likely to be touchstone for penalties
  - Documentation of decision-making crucial
- DOD likely to have concerns about implementation approach that begins with specific safeguarding controls before the audit/detection controls (evades reporting requirement)

DFARS UCTI Clause: Supply Chain Issues
- UCTI Clause is mandatory flow down in all subcontracts, regardless of size
  - Subcontractors also required to flow down to lower-tier subcontractors
  - Includes commercial item subcontracts
  - ISPs and cloud service providers considered subcontractors
- Flow down requirement requires both safeguarding controls and mandatory reporting
- Many subcontractors are unable or unwilling to comply with these requirements

DFARS UCTI Clause: Supply Chain Issues (cont.)
- Prime contractors are responsible for flowing down clause:
  - Clause does not require prime contractor to conduct assessment or verify system adequacy of subcontractors
  - Obligation is on party receiving UCTI to explain why security control is inapplicable or that an alternative control achieves equivalent protection
  - Government likely to argue prime contractors are responsible for ensuring adequate protection of UCTI, wherever located
- Government Furnished Information ("GFI") under DFARS 252.227-7025 requires contractors to indemnify government and third parties for violations of GFI use and disclosure restrictions
  - Applies to any person/entity to whom contractor has released or disclosed GFI
- Similar also to government property systems: FAR 52.245-1(f) makes contractors responsible for ensuring subcontractors have adequate property management systems in place for GP (including CAP)

DFARS UCTI Clause: Supply Chain Issues (cont.)
- Higher-Tier Contractor Options:
  - Conduct some form of system verification through audit
    - Significant risks associated with approving subcontractor system compliance
  - Require subcontractor representation of compliance
    - Unlikely to get it; then what?
  - Require written explanation from sub consistent with DFARS 252.204-7012(b)(1) that (1) security control is inapplicable or (2) an alternative control achieves equivalent protection
  - Establish contract mechanisms for system audit rights, NDA and indemnification for breaches/challenges
    - DFARS 252.227-7025 as guide
  - Educate suppliers
    - Develop checklist or target profile of requirements and provide to subcontractors
    - Make resources available to subcontractors (DHS C Cubed program, SBA training)
    - Emphasize reporting requirements and preservation of data
  - Flow down clause and do nothing more

DFARS UCTI Clause: Supply Chain Issues (cont.)
- Higher-Tier Contractor Options:
  - If contractor learns that subcontractor cannot/will not comply with clause requirements, prime should:
    - Find a compliant subcontractor
    - Preclude subcontractor from handling UCTI
    - Identify/document the subcontractor's security capabilities and ask supplier to attest to the adequacy of those capabilities
    - Any other factors showing trustworthiness
    - Confirm prompt reporting is in place
  - Avoid integrating subcontractor cyber compliance into procurement system unless you are prepared to be audited to it
- Touchstone will be reasonableness

DFARS UCTI Clause: Supply Chain Issues (cont.)
- Subcontractor Options:
  - Determine whether you are in fact a subcontractor
    - Potentially difficult to support: ISPs and other external service providers are subcontractors according to preamble of the clause
    - Almost certainly correct
  - Assess whether you need UCTI for performance of your subcontract
    - Attempt to resist inclusion of clause or reach agreement that it is inapplicable if UCTI will not be provided/created
  - Clarify existence of UCTI
    - Does this subcontract require me to receive or generate UCTI?
    - Don't assume; ask, and get specificity before award
  - Limit/control UCTI locations
    - Centralize UCTI in network with controls, no copies elsewhere
    - Hard copies
    - Possible to use higher-tier contractor's networks directly?

DFARS UCTI Clause: Supply Chain Issues (cont.)
- Subcontractor Options:
  - Self-assess compliance with UCTI controls
    - If not in compliance, do you have adequate controls in place to address your company's cyber risks?
    - Are these controls tied to UCTI requirements?
    - Can you reasonably and accurately represent that controls are inapplicable or that you have equivalent controls?
  - Avoid broad representations or over-promises of system compliance
  - Ensure disclosures are controlled
    - Limit prime contractor's ability to access systems for purposes of reporting cyber incident (government only)
    - Consider NDA with enforceable provisions to ensure information disclosed to the prime is protected from further disclosure outside of the UCTI context
- Cyber compliance likely to be a significant competitive advantage for suppliers

National Archives and Records Administration: Controlled Unclassified Information
- EO 13556, Controlled Unclassified Information, designated NARA to develop regulations for consistent marking and safeguarding of CUI
- NARA issued proposed rule on May 11, 2015 that would establish uniform marking requirements and require agencies to protect CUI using FIPS/NIST standards
  - NARA anticipates establishing single FAR clause incorporating CUI rule
- NARA rule likely to incorporate requirements from new NIST SP 800-171 (draft issued April 2, 2015)
  - NIST 800-171 security controls drawn from NIST 800-53; broader than DFARS UCTI rule controls
- Unclear how NARA CUI program will be reconciled with FAR and DFARS rules and GAO/DOD Joint Working Group Report

Cyber Legislation
- Federal Information Security Modernization Act of 2014 (Dec. 10, 2014)
  - Re-established OMB as oversight authority for agency information security policies
  - Establishes DHS as authority for implementation of OMB standards
  - Requires agencies to provide congressional notification for major cyber incidents
- Protecting Cyber Networks Act (passed House on April 22, 2015)
  - Would provide liability protections to companies sharing cyber threat data with government civilian agencies (except in cases of willful misconduct)

Cyber Legislation (cont.)
- FY15 NDAA Section 1632: would require timely reporting on cyber incidents for operationally critical contractors
  - Operationally critical contractor: contractor designated as a critical source of supply for airlift, sealift, intermodal transportation, or logistical support that is essential to a contingency operation
  - Cyber incident: action that results in actual or potentially adverse effect on an information system or the information residing therein
  - DFARS rule required within 90 days after NDAA is enacted; case pending
- FY13 NDAA Section 941: requires reporting of successful penetration of networks of cleared defense contractors
  - Private entities with clearance to access, receive or store classified information in support of DOD programs
  - Requires rapid reporting and DOD access to systems upon request
- DFARS case (No. 2013-D018) pending to implement both sections
- 2016 NDAA provides for liability protections for contractors reporting under either Section 1632 or Section 941

Company Compliance: Final Considerations
- Know what data/information you have and applicable requirements
- Need management buy-in, proactive approach
- Have a plan in place providing guidance if crisis develops
- Supply chain considerations:
  - Symantec report: small businesses are path of least resistance
  - Required security profile vs. supplier's current profile?
  - Are you protected from liability/indemnified for subcontractor issues?
  - Are supplier obligations to notify, respond, cooperate/share information properly defined?
- Commercial companies and small businesses likely not exempt
- Document risk management decisions and compliance efforts
- Read your contracts!

Questions?
- Phillip R. Seckman, (303) 634-4338, phil.seckman@dentons.com
- Michael J. McGuinn, (303) 634-4333, michael.mcguinn@dentons.com