![Page 1: Robert Nichols: Cybersecurity for Government Contractors](https://reader036.vdocuments.us/reader036/viewer/2022081517/58f9b0e4760da3da068bbbae/html5/thumbnails/1.jpg)
Cybersecurity for Government Contractors
Presentation by Covington & Burling LLP
Confidential and Proprietary
The Cyber Paradigm
Cybersecurity is the No. 1 Concern of General Counsel and Directors
The Cyber Risk Paradigm
Cyber risks present real and present danger to business operations, costs, and, for some, continued viability
Cyber risks are a legal problem, an operational problem, and a governance problem – not simply a technological one
Corporate leaders have a fiduciary responsibility to understand and manage cyber risks
Leaders must bring together key components of the organization to develop joint ownership of risks and a comprehensive approach to cybersecurity
Threat: Actors and Motivations
Nation States – Gain an upper hand, perform low level attacks
Organized Criminals – Steal anything and everything for a profit
Hackers – Anything goes
Activists – Embarrass the target, damage their reputation
Insiders – Disgruntled employees, payments by competitors
Multiple Risks…
Attack Vectors
Impacts of Cyber Events
Loss of Competitiveness
• Trade secrets
• Patents
• Customer records
• M&A activities
Damaged Reputation
• Estimates from companies that have been breached have ranged from several million dollars up to $200 million.
• Average cost of remediating cyber exploitations is $10 million
Lost Productivity
• Forensics
• Vulnerability management
• Rebuild corrupted systems
Compliance Breaches
• PCI DSS
• HIPAA
• NERC
• FISMA
• Privacy rules
Cyber ERM Defined
Cyber risk management: the methods and processes used to manage enterprise-wide cyber risks by identifying particular legal and technical vulnerabilities, assessing them in terms of their likelihood and magnitude of impact, determining an appropriate response strategy, and implementing and evaluating that strategy.
Cyber ERM Benefits
Effectively measures corporate ability to manage all three types of risks
Links directly to assessment methodologies established by Chief Risk Officers to better inform board members and enable risk management and transfer
Gives corporate leadership confidence in execution of fiduciary responsibilities
Technical Aspects
Threat-to-Business-Risk Linkage
BUSINESS RISK
• Risk Description
• Use Case
• Impact
Linkage steps:
(1) Map Business Risk to IT Assets
(2) Determine Relevant Vulnerabilities
(3) Determine Threat Vectors
(4) Assess Likelihood of Successful Attack
(5) Evaluate Security Programs
(6) Assess Security Program Effectiveness
THREAT STATEMENT
• Vulnerability
• Threat Vector
• Likelihood
• Programs
• Program Effectiveness
Technical Issues
• National Cybersecurity Policy & Strategy development
• Integrated Cyberspace Operations
• Threat & Vulnerability Assessments
• Cyber Threat Intelligence Analysis & Tradecraft
• Incident Response
• Continuous Diagnostics & Threat Mitigation
• Research & Development
• Technology Evaluation & Integration
• Cyber Leadership and Skills Training
Technical Evolution
Lifecycle phases:
• Threat & Risk Identification & Assessment
• Strategy & Plans
• Implementation & Compliance
• Evaluation & Review
• Threat Monitoring & Update
Continuous improvement cycle: Scope, Assessment, Review, Implementation, Evaluation, Continuous Improvement
The Role of Lawyers
Key Areas of Legal Issues
• Government Contracts
• Cybersecurity Compliance and Policy
• Insurance
• Labor & Employment
• Trade Secrets
• Privacy
Overview of the Federal Cybersecurity Landscape for Contractors
• No comprehensive federal data security law to date
• Numerous federal statutes, executive orders, regulations, and policies
• Hundreds of NIST standards
• NIST Framework
• Continuing gaps and vagueness regarding expectations of contractors
• Yet USG increasingly allocating risks to contractors
• State laws protecting
Federal Legal and Policy Framework Governing Contractors
• The Federal Information Security Management Act (“FISMA”)
• NDAA FY 2013 Reporting Requirements
• Executive Order 13556 – “Controlled Unclassified Information”
• E.O. 13636 “Improving Critical Infrastructure Cybersecurity” and Presidential Policy Directive 21
• 300+ NIST Information Security Documents
• NIST Cybersecurity Framework
• Industrial Security Requirements – NISPOM
• DOD’s Defense Industrial Base Cyber Security/Information Assurance Program
• Export Control Laws
Compliance Requirements
• GSA and DOD Working Group Report, Improving Cybersecurity and Resilience through Acquisition
• Proposed FAR Rule on Basic Safeguarding of Contractor Information Systems
• DFARS Rule on Safeguarding DOD Unclassified Controlled Technical Information
• DOD’s Counterfeit Prevention Policy and DOD’s Proposed Rule for Electronic Parts
• Inconsistent Agency Cybersecurity Guidance
• Flowing Down Cybersecurity Requirements
• Safeguarding the Supply Chain
• Uneven and Unrecoverable Costs of Compliance
What is the NIST Cybersecurity Framework?
• E.O. 13636 mandated NIST establish a voluntary, risk-based framework to guide organizations in critical infrastructure sectors in the creation, assessment, and improvement of their cybersecurity programs.
• Framework is not directed at all organizations, mandatory, or prescriptive.
• Framework is a useful methodology for organizing a program to identify, assess and respond to cyber threats, and for referencing other standards from NIST.
How is the Framework Structured?
Framework Core
Implementation Tiers
Framework Profile
Framework Core
Identifies five high-level cybersecurity functions organizations should be able to perform:
Framework Profile
Comparing a Target Profile against the Current Profile lets an organization pinpoint gaps in its existing cybersecurity posture, develop an action plan, and reduce overall risk.
DFARS: Safeguarding UCTI – Quick Look
• Requirements Overview: a DoD contractor must (1) safeguard UCTI “resident on or transiting through” its information system; (2) report cyber incidents; and (3) assist DoD with damage assessments.
• Effective: November 18, 2013
• Applicability:
– Clause at DFARS 252.704-7012 included in all DoD solicitations/contracts.
– Clause only operable when UCTI “may be” present on a contractor’s information system.
– Clause’s substance must be flowed down to all subcontractors (even for commercial items).
• Source: DFARS 204.7300 et seq.; DFARS 252.704-7012; 78 Fed. Reg. 69,273.
What is UCTI?
• Controlled Technical Information - “technical information with military or space application . . . subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”
• Marked with a Distribution Statement in accordance with DoD Instruction 5230.24.
DFARS: Safeguarding UCTI – Safeguarding Requirements
• Must provide “adequate security” by either:
– implementing 51 specified security controls from NIST SP 800-53, OR
– providing a written explanation to the CO of why the controls are not required or specifying alternatives
• Plus any other security measures that are reasonably necessary to provide adequate security.
– Addresses “willful blindness”
DFARS: Safeguarding UCTI – Reporting Requirements
• A cyber incident is “reportable” when it:
– involves unauthorized access to and possible exfiltration, manipulation, or other loss or compromise of any UCTI resident on or transiting through a Contractor’s, or its subcontractors’, unclassified information systems; and
– affects UCTI.
• Must report specific information via http://dibnet.dod.mil/ within 72 hours of discovery of any cyber incident that affects UCTI on the contractor’s own or its subcontractors’ systems.
• “Inadvertent release” of data triggers the rule
DFARS: Safeguarding UCTI – Damage Assessment Assistance
Three obligations: review the network, review the data accessed, and preserve and protect evidence.
• ID compromised computers, servers, specific data, and user accounts
• ID specific UCTI associated with DoD programs, systems, or contracts
• For at least 90 days, preserve images of known affected IT systems and relevant capture/package data
• Obligation to share files exists, unless legally prohibited
Impact of Non-Compliance
• No specified penalties for non-compliance
• But also no safe harbor
– The CO must consider the cyber incident in the context of an “overall assessment” of the contractor’s compliance with the rule’s security requirements (Comment 30)
• DoD allowed to share information received from contractors with other agencies for law enforcement, counterintelligence, and national security purposes
– an exception that swallows the rule
Supply Chain Risks
• IT systems especially vulnerable to attack
• Congress has granted DoD, IC, and DOE “enhanced authority” to exclude contractors from procurements of National Security Systems when a contractor is deemed a supply chain risk
• Implemented through a DFARS interim rule (Nov. 2013), an IC Directive (Dec. 2013), and DOE regulations still to be promulgated
Scope of Authority
• Certain agencies have the power to:
– Exclude a source that fails to meet qualification standards for the purpose of reducing supply chain risk in the acquisition of covered systems;
– Exclude a source that fails to achieve an acceptable rating with regard to an evaluation factor in a solicitation; and
– Withhold consent for a contractor to subcontract with a particular source.
• Limited ability for contractors to challenge or even know the basis for exclusion
DoD/GSA Joint Report Recommendations
1. Institute baseline cybersecurity requirements as a condition for certain contract awards
2. Training and industry outreach
3. Developing common cybersecurity definitions
4. Instituting a Government-wide cybersecurity risk management strategy
5. Procure certain items solely from original equipment manufacturers (“OEM”), authorized resellers, or other trusted sources
6. Increase Government accountability
DoD/GSA Draft Implementation Plan
• On March 12, 2014, GSA issued an RFI seeking stakeholder input on implementing the Joint Report’s fourth recommendation, “instituting a Government-wide cybersecurity risk management strategy”
DoD/GSA Draft Implementation Plan Proposed Process
(1) create categories encompassing similar items purchased by the Government
(2) determine which categories present a cyber risk
(3) prioritize those categories based on their perceived cyber risk
(4) apply overlays to each category, which set the minimum security controls applicable to acquisition of items in that category
DoD/GSA Joint Working Group
Legal Risks from Non-Compliance
• Whether the Framework Constitutes a Standard of Care
• Directors’ Obligations to Shareholders
• Obligations Regarding Security Breach Reporting
• Default Terminations
• Past Performance Evaluations and Responsibility Determinations
• Administrative Suspensions and Debarments
• False Claims Act
Business Risks Beyond Compliance
• Loss of Intellectual Property
• Litigation Risk
– Threat of action by consumers and shareholders
– Range of potential theories of liability – e.g., breach of contract, common law torts (although obstacles to applying elements and proving damages)
• Contractual
– Data security requirements in business partner agreements, customer contracts
• Breach of Privacy
• Business/PR Risk
– Motivation for protecting information also is non-legal
Limited Backstops for Risk
• Untested Applicability of Government Contractor Defense
• No Limitation on Liability or Safe Harbors
• Indemnification for Contractor Losses
• Standard Insurance vs. Cyber Insurance
Questions