GOV CON WEBINAR SERIES - 2017
Jennifer Schaus & Associates – GOV CON WEBINAR SERIES - 2017 - WASHINGTON DC www.JenniferSchaus.com
Contact Us @ 202-365-0598
I. INTRODUCTION
II. CYBERSECURITY REGULATORY OVERVIEW
III. DOD REGULATIONS
IV. WHAT ELSE IS OUT THERE? CIVILIAN AGENCIES
V. PRACTICE POINTERS
I. Cybersecurity Introduction
Why is cybersecurity important?
• New regulations are placing additional burdens on government
contractors and government contracting professionals. Government
contractors unwilling to comply will be forced out of the
marketplace.
• Agencies can lose information that can threaten national security.
• Government contractors can lose valuable proprietary information
that can directly threaten their business.
• Contractors may face lawsuits or contract cancellation and have
substantial reporting requirements.
3. Framework Profile
Allows an organization to align “the Functions, Categories, and
Subcategories with the business requirements, risk tolerance,
and resources of the organization.” Organizations can create
profiles, using the Framework Profile as a guide, to characterize
one component of their business or their entire business and
consider the current state of their cybersecurity readiness
versus a target or aspirational state.
NIST Guidance
• Various NIST documents have provided guidance aimed at standardizing
cybersecurity (and information security) best practices.
• NIST Special Publication 800-171 addresses Controlled Unclassified Information
residing with contractors utilizing standards from NIST 800-53.
• NIST Special Publication 800-53 provides best practices in 14 distinct areas (called
families) of information security including access control, incident response,
physical protection, and risk assessment.
• NIST also developed a framework, as required by EO 13636.
• The NIST standards are merely guidance. They are, however, often utilized in
regulations.
What is covered?
Covered defense information (“CDI”): the information must be controlled
(but unclassified) technical information or other information (as described
in the Controlled Unclassified Information (CUI) Registry) that requires
safeguarding or dissemination controls and is (1) marked or otherwise
identified in the contract, task order, or delivery order, and provided to the
contractor by or on behalf of DoD in connection with the performance of
the contract; or (2) collected, developed, received, transmitted, used, or
stored by or on behalf of the contractor in support of the performance of
the contract.
SSPs
Reporting Requirements
• Must report within 72 hours.
• Includes subcontractors “that are providing operationally critical support or
for which subcontract performance will involve a covered contractor
information system.” These subcontractors must report cyber incidents to
any higher-tier subcontractor and to the prime contractor.
• Reports must contain the assessed impact of the cyber incident, a
description of the technique or method used in the incident, a sample of
any malicious software involved in the incident and a summary of the
compromised information. Defense contractors also must provide the DoD
with access to affected information or equipment to enable the DoD to
conduct forensic analysis of the impact on DoD information.
V. Practice Pointers
• Don’t assume that the Trump Administration’s objective of reducing regulation
will slow down or stop cyber regulation of government contractors.
• The pressure on federal agencies to improve their own information security will
flow down to contractors.
• The distinctions between the standards imposed on contractors operating
federal systems on behalf of the government and contractor systems housing
government information are blurring.
• But, because of the deregulation effort, contractors can expect to see more
standards being set through agency guidance or agency manuals, as
distinguished from formal rulemakings.
• The “one for two” regulation rule contains an exception for regulations relating
to national security. DHS, for example, considers its cybersecurity proposed rule
to be exempt from the one for two rule.
EDUCATE EMPLOYEES:
• Train employees on applicable requirements. Make sure training is
provided on a regular basis, that participation is meaningful and
tracked, and that you document your efforts.
• Make sure content and methods of delivery are effective and geared
towards the audience.
• Ensure employees are aware of reporting requirements.
• Establish uniform, company-wide standards defining a security breach,
the processes for investigation and reporting, and the responsibility
chain.
• Make cybersecurity a priority: include it in compensation decisions,
where appropriate.
QUESTIONS?
CONTACT OUR SPEAKERS
Mary Beth Bosco at MaryBeth.Bosco@hklaw.com AND Eric Crusius at Eric.Crusius@hklaw.com