Jennifer Schaus & Associates
GOV CON WEBINAR SERIES - 2017
Jennifer Schaus & Associates – GOV CON WEBINAR SERIES - 2017 - WASHINGTON DC www.JenniferSchaus.com

Join Us for A Series of Complimentary Webinars on various US Federal Government Contracting Topics.
Presenters are industry experts sharing knowledge about the competitive government contracting sector.

Find all of our Govt Contracting webinars (free download) at www.JenniferSchaus.com

Contact Us @ 202-365-0598

ABOUT JENNIFER SCHAUS & ASSOCIATES:

- Based in downtown Washington, DC;
- A la carte services for Federal Contractors;
- Proposal Writing to GSA Schedules and Contract Administration, etc.;
- Deep bench of industry experts;
- Educational webinars;
- Networking events and seminars;
WEBSITE: http://www.JenniferSchaus.com

ABOUT JENNIFER SCHAUS:

- Began career with D&B;
- Over 20 years in federal contracting;
- Industry speaker and author;
- Board Member: GovLish; NCMA; and NMIA.
- Volunteer Mentor &/or Instructor: VA PTAP; CBP / VBOC; Capitol Post; 1776; Eastern Foundry, WIT; WDCEP and the Towson University Incubator.

ABOUT HOLLAND & KNIGHT

Holland & Knight is a global law firm with more than 1,250 lawyers and other professionals in 27 offices throughout the world. Our lawyers provide representation in litigation, business, real estate and governmental law. Interdisciplinary practice groups and industry-based teams provide clients with access to attorneys throughout the firm, regardless of location.
- WEBSITE: http://www.hklaw.com

MARY BETH BOSCO

Mary Beth Bosco is a partner in Holland & Knight's Washington, D.C., office. She has 30 years of experience working with new and experienced government contractors, and focuses her practice on advising such organizations in contract compliance, transactional matters and how to navigate the federal marketplace.
With a substantial background in regulatory matters and litigation, Ms. Bosco counsels clients on the drafting of procurement manuals and implementation of compliance and training programs, including reporting requirements as well as audits and procurement fraud investigations.

CYBERSECURITY: ARE YOU READY?

Monday, August 14, 2017



I. INTRODUCTION
II. CYBERSECURITY REGULATORY OVERVIEW
III. DOD REGULATIONS
IV. WHAT ELSE IS OUT THERE? CIVILIAN AGENCIES
V. PRACTICE POINTERS

I. Cybersecurity Introduction
Why is cybersecurity important?
• New regulations are placing additional burdens on government contractors and government contracting professionals. Government contractors unwilling to comply will be forced out of the marketplace.
• Agencies can lose information that can threaten national security.
• Government contractors can lose valuable proprietary information that can directly threaten their business.
• Contractors may face lawsuits or contract cancellation and have substantial reporting requirements.

Why is cybersecurity important?

[Chart slide; only the caption survives in the extracted text. Source: Ponemon Institute 2015 Study]

• There were 67,000 cyber incidents on systems supporting the federal government in 2014. 27,624 of those incidents involved PII (Personally Identifiable Information).
• GAO: Of 24 agencies, 23 stated that information security was a major management challenge and 19 stated that information security control deficiencies were a material weakness.
• VA failed its cybersecurity audit for the 16th straight year (1.2m malware attempts in April 2015 alone).
• GAO: Healthcare.gov lacks proper cyber protections.
• HBGary provides a cautionary tale (you will be hacked).

II. Cybersecurity Regulatory Overview

• There is a patchwork of statutory, regulatory, and guidance-based requirements controlling cybersecurity:
  • Executive Order 13636: Improving Critical Infrastructure Cybersecurity
  • The Federal Information Security Management Act of 2002 and 2014 (FISMA)
  • Guidance promulgated by NIST (under FISMA)
  • Regulations drafted by DoD (primarily) and other agencies that impact cybersecurity requirements

FISMA: the Federal Information Security Management Act

• Originally enacted in 2002 and re-enacted in 2014.
• FISMA requires federal agencies to develop and implement information security plans for government information, no matter whether such information resides on contractor or government servers.
• FISMA emphasizes that there should be periodic review of risk assessments and that such assessments should be risk-based.
• The 2014 version places additional shared responsibility on DHS to implement directives (instead of the sole responsibility lying with OMB). The 2014 version will also require some common terms to be defined in regulations.

NIST Framework: Three Sections

1. The Framework Core
The Framework Core is designed to help organizations identify, at a 30,000 foot level, the management of cybersecurity risk. It does so by identifying five “concurrent and continuous Functions – Identify, Protect, Detect, Respond, Recover.” The Framework Core next pinpoints Categories and Subcategories for each of the identified Functions and matches them with existing standards.

2. Framework Implementation Tiers
The Tiers are essentially an exercise that allows an organization to characterize its cybersecurity risk management practices. There are four Tiers: Partial, Risk Informed, Repeatable, and Adaptive. Organizations that find themselves in the “Partial” tier generally do not have formalized or written cybersecurity policies and have little understanding of the cybersecurity risks facing them. On the other hand, organizations in the “Adaptive” tier have robust and organization-wide risk management practices.

3. Framework Profile
The Profile allows an organization to align “the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization.” Organizations can create profiles, using the Framework Profile as a guide, to characterize one component of their business or their entire business and consider the current state of their cybersecurity readiness versus a target or aspirational state.

NIST Guidance
• Various NIST documents have provided guidance aimed at standardizing cybersecurity (and information security) best practices.
• NIST Special Publication 800-171 addresses Controlled Unclassified Information residing with contractors, utilizing standards from NIST 800-53.
• NIST Special Publication 800-53 provides best practices in 14 distinct areas (called families) of information security, including access control, incident response, physical protection, and risk assessment.
• NIST also developed a framework as required by EO 13636.
• The NIST standards are merely guidance. They are, however, often utilized in regulations.

III. DoD Regulations

Basic Requirements
• Establishes minimum security controls for safeguarding CDI: Contractors storing or using “covered defense information” must provide “adequate security” for that information. (DFARS Clause 252.204-7012.) Mandatory 72-hour reporting requirement.
• No exceptions for small business; COTS items are excepted.
• Compliance deadline is 12/31/2017.
• Clauses must be flowed down to subcontractors when covered defense information is necessary for performance of the subcontract.

What is covered?
Covered defense information (“CDI”): the information must be controlled (but unclassified) technical information or other information (as described in the Controlled Unclassified Information (CUI) Registry) that requires safeguarding or dissemination controls and is (1) marked or otherwise identified in the contract, task order, or delivery order, and provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

What is Covered?

• The CUI definition has generated many questions.
• DoD is issuing a set of FAQs to help clarify what is covered.
• Marking requirements: DoD is to mark CUI in solicitations, but implementation has been inconsistent.
• What about existing CUI already in the possession of a contractor?

DoD Cybersecurity Rules: Two Protection Levels

• If the contractor is operating a system or service on behalf of the government, then the IT services and systems must meet specific requirements that will be set forth in the contract.
• Other contractor information systems supporting DoD contracts must meet the standards contained in National Institute of Standards and Technology (NIST) Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
• If the NIST security controls are not used, the contractor must provide a written explanation of how a control is not applicable or how an alternate control achieves equivalent protection.

DoD Cybersecurity Rules: Two Protection Levels

• NIST 800-171 is organized around 14 “security families”: Access Control, Awareness and Training, Audit & Accountability, Configuration Management, Identification and Authorization, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, System & Information Integrity.
• Each family is assigned "Basic Security Requirements" and "Derived Security Requirements." Basic Requirements are high-level standards; Derived Requirements supplement Basic Requirements, and are based on the moderate baseline measures in NIST Pub. 800-53 (standards for federal information systems) as tailored to contractor information systems.

SSPs

• In addition to establishing standards for information system protections, DoD is requiring companies to have a System Security Plan (SSP) by the end of the year.
• Covers: system description, system architecture, interfaces and external connections, personnel security, acquisition practices, and information security controls.

Reporting Requirements
• Must report within 72 hours.
• Includes subcontractors “that are providing operationally critical support or for which subcontract performance will involve a covered contractor information system.” These subcontractors must report cyber incidents to any higher-tier subcontractor and to the prime contractor.
• Reports must contain the assessed impact of the cyber incident, a description of the technique or method used in the incident, a sample of any malicious software involved in the incident and a summary of the compromised information. Defense contractors also must provide the DoD with access to affected information or equipment to enable the DoD to conduct forensic analysis of the impact on DoD information.

IV. What Else is Out There? Cybersecurity Regulation: Civilian Agencies

• How has FISMA been translated to the civilian agencies?
• FAR: Final Rule: Basic Safeguarding of Contractor Information Systems (May 16, 2016).
• Other Agency Rules.
• DHS: Proposed Rule: “Safeguarding of Controlled Unclassified Information” (January 19, 2017).

FAR Basic Safeguarding of Contractor Information Systems: Final Rule

• Adds new FAR Part 4.19.
• Rules effective: July 15, 2016.
• FAR Council will adopt OMB and NARA Guidance for CUI when it publishes CUI standards (expected this year?).
• Focuses on protection of systems, rather than the information in the systems.
• Applicable to contracts below the simplified acquisition threshold.
• Applicable to small businesses.
• Not applicable to COTS procurements.

Beware FAR Clause 52.239-1

• FAR 52.239-1 states:
  “If new or unanticipated threats or hazards are discovered by either the Government or the Contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party.”
• FAR 39.001 states:
  “This part applies to the acquisition of information technology by or for the use of agencies except for acquisitions of information technology for national security systems. However, acquisitions of information technology for national security systems shall be conducted in accordance with 40 U.S.C. 11302 with regard to requirements for performance and results-based management; the role of the agency Chief Information Officer in acquisitions; and accountability. These requirements are addressed in OMB Circular No. A-130.”
• How broad is the requirement in FAR 52.239-1?

Other Agencies Offer More Specifics Than The FAR

• Departments of State, Transportation, Commerce, NASA: Contractors must have an IT Security Plan, approved by the agency.
• Department of Commerce: Contractor shall certify in writing to the COR that its employees have completed initial IT security orientation training in accordance with DOC IT Security Program Policy, chapter 15, section 15.3.
• HUD: “Immediate” breach notification.
• IRS: Contract may incorporate IRS IRM 10.5, which references IRS Publication 4812, which in turn requires a one-hour turnaround for breach reporting.
• DHS Proposed Regulations: Contractors must have an Authority to Operate, including a Security Assessment Package approved by a third party.

V. Practice Pointers
• Don’t assume that the Trump Administration’s objective of reducing regulation will slow down or stop cyber regulation of government contractors.
• The pressure on federal agencies to improve their own information security will flow down to contractors.
• The distinctions between the standards imposed on contractors operating federal systems on behalf of the government and contractor systems housing government information are blurring.
• But, because of the deregulation effort, contractors can expect to see more standards being set through agency guidance or agency manuals, as distinguished from formal rulemakings.
• The “one for two” regulation rule contains an exception for regulations relating to national security. DHS, for example, considers its cybersecurity proposed rule to be exempt from the “one for two” rule.

Practice Pointers: Be Prepared for a Breach

KNOW WHAT YOU HAVE.
• Maintain a current inventory of what CUI is in your systems, where it is, who the source is, and what the specific agency/contract requirements are. Everything else flows from the inventory.
• Maintain an up-to-date description of your network: The December 2016 revision to NIST 800-171 requires a System Security Plan, which must “describe the boundary of [a contractor’s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.”

UPDATE POLICIES AND OTHER DOCUMENTS:

• Review your existing policies and keep up with changing requirements.
• If no specific standards are required by your contracts, aim for compliance with NIST 800-171.
• Ensure any existing privacy or data management policies or protocols are consistent with the cybersecurity requirements.
• Review third-party agreements, such as consulting agreements. Do they require cyber compliance if the consultant accesses your systems?

EDUCATE EMPLOYEES:
• Train employees on applicable requirements. Make sure training is provided on a regular basis, that participation is meaningful and tracked, and that you document your efforts.
• Make sure content and methods of delivery are effective and geared towards the audience.
• Ensure employees are aware of reporting requirements.
• Establish uniform, company-wide standards defining a security breach, the processes for investigation and reporting, and the responsibility chain.
• Make cybersecurity a priority: include it in compensation decisions, where appropriate.

Cloud Computing and Third-Party Agreements

REPORTING:
• Reporting requirements similar to those in the other cybersecurity provisions:
  • Rapid reporting;
  • Submission of malicious software;
  • Media preservation and protection for at least 90 days;
  • Allow DoD access for purposes of forensic investigation; and
  • Support for damage assessment activities.
• Notification of all third-party requests to access information.

Contractors and CSPs must have a clear understanding of what must happen in the event of a data spill. For example, if the data is stored in a shared facility, the CSP must be able to take the affected resource offline in order to investigate the spill and preserve data. Do you have a common understanding of what constitutes a breach and when you are to be notified? What procedures will be followed to investigate and preserve data?
Do you ask your CSP to self-certify compliance, or should you perform an audit?

Obligations Relating to Subcontractors


• Flow Downs
• Reporting Chain and Timing
• Indemnity
• Due Diligence
• Certification

QUESTIONS?
CONTACT OUR SPEAKERS
Mary Beth Bosco at MaryBeth.Bosco@hklaw.com AND Eric Crusius at Eric.Crusius@hklaw.com

THANK YOU FOR ATTENDING!! WWW.JENNIFERSCHAUS.COM
