New Frontier of Cyber for Contractors (ncmahq.org)

New Frontier of Cyber Clauses: A Call to Action for Contractors

Breakout Session # D06
Mike Cullen, Senior Manager, Baker Tilly
Michael Wright, Senior Manager, Baker Tilly

December 5, 2017, 11:15 AM – 12:30 PM

Agenda

• The different types of federal information contractors are required to protect

• Key guidance and legislation around cybersecurity safeguarding requirements

• Who is impacted by the new legislation and guidance on cybersecurity safeguarding requirements

• How applicable contractors could be impacted by noncompliance

• Ways for contractors to become compliant

• Lessons learned from implementation of cybersecurity safeguarding controls

• Poll Results


What is federal information?

Covered Defense Information - Unclassified information provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract (see DFARS 252.204-7012)

Controlled Unclassified Information - Information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified (see Executive Order 13556 and CUI Registry at www.archives.gov/cui)

Federal Contract Information - Any information provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided to the public (e.g., publicly accessible website data) or simple transactional data (e.g., billing or payment processing data)

Examples of federal information

• CDI: Unclassified Controlled Technical Information, or other information as described in the CUI Registry requiring safeguarding! (see DFARS 252.204-7012)

• CUI: Critical Infrastructure; Financial Proprietary Business Information (see CUI Registry)

• FCI: Any information that is NOT provided to the public or simple transactional data! (see Federal Register; Basic Safeguarding ruling)

Key regulatory requirements

DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”

Provides guidance to Federal Defense and Aerospace contractors around protecting Covered Defense Information (CDI) and reporting cyber incidents affecting contractor information systems – or CDI residing within those systems – to the Federal Government, and requires contractors to do the following:

– Implement adequate cybersecurity safeguarding controls on all covered contractor information systems in accordance with specific frameworks and standards set forth in the ruling

– Rapidly report cyber incidents affecting contractor information systems or CDI residing within those systems to the Federal Government

Key regulatory requirements

DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” (continued)

IMPLEMENTATION OF ADEQUATE CYBERSECURITY SAFEGUARDING CONTROLS:

• Where a contractor is handling CDI on their systems, they must implement safeguarding controls according to NIST SP 800-171

• For cloud systems operated on behalf of the government, see specific contract guidance and/or DFARS 252.239-7010 “Cloud Computing Services” if applicable

• Any other such services or systems (i.e., other than cloud computing) are subject to the security requirements specified in those contracts

• All contractors, subcontractors, suppliers, and partners must implement NIST SP 800-171 security requirements by December 31, 2017

Key regulatory requirements

DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” (continued)

REPORTING OF CYBER INCIDENTS

• A cyber incident is any action taken through computer networks resulting in the compromise, or an actual or potentially adverse effect, of an information system and/or the information residing within those systems

• Cyber incidents shall be reported to DoD within 72 hours of discovery via DoD’s Defense Industrial Base (DIB) Cyber Incident Reporting & Cyber Threat Information Sharing Portal

• Contractors must acquire a DoD-approved medium assurance certificate from Defense Information Systems Agency (DISA) to access the DIB portal

• Subcontractors who handle CDI under prime contracts with the Federal Government are required to report cyber incidents directly to DoD and share the incident report number with their prime contractor customers (or next higher-tier subcontractor)

Key Guidance

NIST SP 800-171 Revision 1 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”

• Agencies must use NIST SP 800-171 when establishing security requirements to protect CUI’s confidentiality on non-Federal information systems (i.e. contractors’ systems)

• Intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations (i.e. contractors)

• NIST SP 800-171 should be used when a contractor receives CUI incidental to providing a service or product to the Government (e.g., producing a study, conducting research, creating training, building an aircraft or ship, etc.)

• Describes 110 total controls across 14 control families

• Provides mapping to NIST SP 800-53 Revision 4 and ISO 27001 information security controls

Key Guidance

NIST SP 800-171 (continued) – summary of control areas covered:

TABLE 1: NIST SP 800-171 Control Families

• Access Control
• Awareness and Training
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System and Communications Protection
• System and Information Integrity

Other key regulatory requirements

FAR Part 52.204-21 “Basic Safeguarding of Contractor Information Systems”

• Effective June 2016; requires contractors to implement 15 safeguarding controls and procedures, mapping to 17 control requirements in NIST SP 800-171

• Applies to covered contractor information systems owned or operated by contractors that process, store, or transmit FCI

• Establishes “basic, minimal information system safeguarding standards which Federal agencies are already required to follow internally and most prudent businesses already follow as well”

• Rule does not apply to sales of commercially available off-the-shelf (COTS) items

- For example, contractors who are resellers of COTS items (e.g., printers, copiers) may not be impacted


Other key regulatory requirements

32 CFR 2002 “Controlled Unclassified Information”

• Effective November 2016; resulting from Executive Order 13556, establishes policy for designating, handling, and decontrolling information that qualifies as CUI

• Describes, defines, and provides guidance on the minimum protections (derived from existing agency practices) for CUI:

- Physical and Electronic Environments

- Marking

- Sharing

- Destruction

- Decontrol

• Emphasizes unique protections described in law, regulation, and/or Government-wide policies (authorities)


Other key regulatory requirements

32 CFR 2002 “Controlled Unclassified Information” (continued)

• The National Archives, as the Executive Agent (EA) of CUI, has developed the “CUI Registry” (www.archives.gov/cui), which is the authoritative source for guidance regarding CUI policies and practices

• CUI is currently organized into 23 categories and 84 sub-categories

• Plans for future regulatory requirements:

- To promote standardization, NARA (the CUI EA) announced plans to sponsor a Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the 32 CFR Part 2002 and NIST SP 800-171 to industry (i.e., beyond defense contractors)

- NOTE: Targeting 1 year from release of 32 CFR 2002 (Fall 2017)


Recent Guidance

Guidance for Selected Elements of DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting” – Implementing the Security Requirements of NIST SP 800-171

• The DoD released a memo on September 21, 2017 containing guidance intended for DoD acquisition personnel around the implementation of NIST SP 800-171 security requirements in anticipation of the December 31, 2017 deadline; key points addressed within the memo include:

- Contractor implementation of NIST SP 800-171

- Documenting a contractor’s implementation or planned implementation of NIST SP 800-171

- Role of the System Security Plan (SSP) and Plans of Action (POA&M) in contract formulation, administration, and source selection

- Additional references and resources with supporting information


Who will be impacted?

ALL contractors who handle CDI, CUI, and FCI are impacted by recent guidance and legislation (or soon will be):

• Per DoD guidance, the government and contractors are responsible for identifying CDI in contracts or marking it as such

• Failure to clearly identify or mark CDI does not exempt contractors handling CDI from these requirements

• Contractors should contact their government or next higher tier contractor customer procurement or contract representatives

Who will be impacted?

For subcontractors and suppliers, flow-down requirements apply!

• Subcontractors are ultimately responsible for implementing cybersecurity safeguarding controls to be in compliance

• Subcontractors will be held accountable for breaches if they have not implemented required controls

• Prime contractors may be impacted by breaches involving their subcontractors

- Prime contractors may proactively engage key subcontractors to understand their current security posture and assess risk to their contracts

- Collaborative solutions are being implemented to capture information on subcontractors’ cybersecurity safeguarding practices (e.g., Exostar)


Cybersecurity business risks

• Negative publicity
• Regulatory sanctions
• Consumer refusal to share personal information
• Damage to brand
• Regulator scrutiny
• Legal liability
• Lost business
• Damaged customer relationships
• Damaged employee relationships
• Deceptive or unfair trade charges
• Loss of innovation
• Intellectual property loss
• Damaged supplier & partner relationships

How you can become compliant


How you can become compliant

Identify and inventory all contracts and CUI

• Focus on contracts where CUI may be potentially involved

• Identify “high risk” contracts, including current bid and proposal efforts (i.e., potential new awards)

• Consider prime-sub relationships

• Identify system boundaries for handling CUI

How you can become compliant

Understand cybersecurity requirements

• Focus on language around protection of information and reporting requirements

• Identify specific guidance references

• Do not be afraid to engage your CO and/or CISO

How you can become compliant

Assess current state of cybersecurity controls

• Use appropriate security control guidance (NIST SP 800-53 or NIST SP 800-171)

• Where is your federal information stored, processed, and/or transmitted?

• What controls do you have in place?

• Conduct gap analysis and determine necessary corrective actions

How you can become compliant

Develop cybersecurity action plan

• Develop detailed list of prioritized corrective actions with assigned owners and target completion dates

• Define roles and responsibilities for oversight

• Redefine system boundaries for handling CUI as necessary

How you can become compliant

Execute cybersecurity action plan

• Respond to agency and/or prime contract officers with results of your assessment

• Implement security controls

• Establish monitoring and reporting practices

How you can become compliant

Monitor cybersecurity compliance practices

• Monitor progress of ongoing implementation efforts

• Regularly evaluate effectiveness of cybersecurity controls via ongoing testing and third-party assessments

• Monitor regulatory environment for new developments (e.g., laws, standards, and policies)

Lessons learned and common themes

• Compliance does NOT mean security

• Read your contracts!

• Engage your contracting officers or other representatives!

• Get involved in knowledge sharing opportunities

• Engage third parties for assistance with compliance efforts

• Minimize exposure to covered contractor information systems

• Conduct a gap assessment to identify compliance gaps

• Regularly assess and monitor progress towards remediation of known gaps

• Monitor regulatory landscape for changes and new developments

Poll Results


Questions?

Q & A

Contact Information


Michael Wright

[email protected]

703-923-8623

Mike Cullen

[email protected]

703-923-8339