Why Cybersecurity Matters in Government Contracting. Robert Nichols, Covington & Burling LLP

Transcription

1 Why Cybersecurity Matters in Government Contracting Robert Nichols, Covington & Burling LLP

2 Cybersecurity is the No. 1 Concern of General Counsel and Directors 2

3 Cybersecurity Concerns in the Government The American people deserve to know that companies running our critical infrastructure meet basic, commonsense cybersecurity standards, just as they already meet other security requirements. It would be the height of irresponsibility to leave a digital backdoor wide open to our cyber adversaries. President Obama Rarely has something been so important and so talked about with less clarity and less apparent understanding than this phenomenon. General Michael Hayden 3

4 Cybersecurity Concerns in Contracting Our internal IT security team recently identified an apparent external cyber-attack on USIS corporate network. We immediately informed federal law enforcement, the Office of Personnel Management (OPM) and other relevant federal agencies. We are working closely with federal law enforcement authorities and have retained an independent computer forensics investigations firm to determine the precise nature and extent of any unlawful entry into our network. Experts who have reviewed the facts gathered to-date believe it has all the markings of a state-sponsored attack. Cybercrime and attacks of this nature have become an epidemic that impacts businesses, government agencies, and financial and educational institutions alike. The protection and safeguarding of our networks, our data and the data of our customers is always of the utmost importance, and we have invested heavily in security measures. Our systems and people identified this attack, and, in response, we are working alongside OPM, the Department of Homeland Security (DHS) and federal law enforcement authorities in redoubling our cybersecurity efforts. We are working collaboratively with OPM and DHS to resolve this matter quickly and look forward to resuming service on all our contracts with them as soon as possible. We will support the authorities in the investigation and any prosecution of those determined to be responsible for this criminal attack. - Statement by USIS 4

5 Defining the Concerns Why cyber attacks occur Criminal seeking financial gain through theft of proprietary information Advance social and political agendas Employees to cause harm and embarrass employers Terrorists to harm US national security Economic espionage Foreign intelligence What is cybersecurity? Measures intended to protect information systems including technology Devices, networks and software, information, and associated personnel from various forms of attack 5

6 The U.S. Government s Approach to Cybersecurity and Framework Each government entity has responsibility for governing the infrastructure and people that make up the portion of cyberspace within its jurisdiction. The U.S. government s approach to cybersecurity has developed through a series of laws and policies over the last 30 years, with particular attention over the past decade. Congress has passed numerous statutes addressing different aspects of information security. 6

7 The Federal Information Security Management Act ( FISMA ) FISMA sets forth a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, including those operated by contractors on behalf of the agency. FISMA requires each agency to develop, document, and implement an information security program that includes the following components: policies and procedures that are based on (1) risk assessments, (2) cost-effectively reducing security risks to an acceptable level, (3) ensuring that information security is addressed throughout the lifecycle of each system, and (4) ensuring compliance with applicable requirements. subordinate plans security awareness training periodic testing and evaluation a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies procedures for detecting, reporting, and responding to security incidents plans and procedures to ensure continuity of operations for information systems 7

8 FISMA Under FISMA, each agency Chief Information Officer has the responsibility to ensure that agency information systems, including those operated by contractors, are being protected under the agency s information security program. FISMA charged the Director of the Office of Management and Budget ( OMB ) with the oversight of agency information security policies and practices. In addition, the OMB annual FISMA reporting instructions require agencies to develop policies and procedures for agency officials to follow when performing oversight of the implementation of security and privacy controls by contractors. OMB guidance specifically requires each agency inspector general, or other independent auditor, to perform the evaluation, including the effectiveness of the agency s contractor oversight. The passing of FISMA in 2002 was the beginning of the creation of a broad framework for federal cybersecurity in the United States. 8

9 The Federal Information Security Modernization Act of 2014 ( FISMA 2014 ) The Federal Information Security Modernization Act of 2014 charges the Department of Homeland Security (DHS) with assisting OMB with FISMA implementation by coordinating government-wide efforts for information security. FISMA 2014 also authorizes DHS to develop and oversee the implementation of binding operational directives that direct agencies efforts to safeguard Federal information and information systems from information security threat, vulnerability or risk. The law clarifies and amplifies the notification requirements for major incidents and other breaches. As with the original FISMA, FISMA 2014 requires agencies to apply certain standards to contractors. 9

10 The Role of Federal Agencies DHS is the operational lead for Federal civilian cybersecurity; DOD plays a similar role for the military. both departments execute a number of protection programs on behalf of the Government. NIST issues and updates security standards and guidelines for information systems utilized by Federal agencies. OMB, in partnership with DHS and the National Security Counsel, oversees the successful implementation of agency-specific and government-wide cybersecurity programs. While no single Federal Agency has purview over cybersecurity issues, certain agencies do have defined functions and operate important programs. 10

11 The White House/Office of Management and Budget OMB appointed a Federal Chief Information Officer (Federal CIO) who administers the Office of Electronic Government (OMB E-Gov), which has oversight responsibilities for Federal cybersecurity policy and implementation. In 2009, President Obama named the first Cybersecurity Coordinator to lead the interagency efforts to implement the CNCI goals and initiatives. The Administration has also established an Information and Communications Infrastructure Interagency Policy Committee (ICI-IPC) as the primary policy coordination body for issues related to achieving an assured, reliable, secure, and survivable global information and communications infrastructure and related capabilities. OMB recently created a dedicated unit within OMB E-Gov called the Cyber and National Security Unit (E-Gov Cyber) that will focus on strengthening Federal cybersecurity through targeted oversight and policy issuance. 11

12 The White House/Office of Management and Budget The Federal CIO formally established the Federal Risk and Authorization Management Program ( FedRAMP ) to accelerate the adoption of cloud computing solutions across the Federal Government. In 2011, the Administration released the National Strategy for Trusted Identities in Cyberspace ( NSTIC ), which calls for publicprivate collaboration to create an Identity Ecosystem a marketplace of more secure, convenient, interoperable, and privacy-enhancing solutions for online authentication and identification. OMB has begun to focus on the role of government contractors in the federal government s Cybersecurity landscape. 12

13 The U.S. Department of Defense (DOD) and Intelligence Community The DOD aggressively defends its networks, secures its data, and mitigates risk to DOD missions. In 2010, DOD launched the U.S. Cyber Command ( USCYBERCOM ) USCYBERCOM is a centralized command for assuring the security of military information systems tasked with centralizing command of cyberspace operations, strengthening DOD cyberspace capabilities, and integrating and bolstering DOD s cyber expertise. In 2015, DOD released a new cyber strategy The strategy made clear that DOD s first mission is to defend its own networks, systems, and information. Its second mission is to defend the United States and its interests against cyberattacks of significant consequence. 13

14 DOD s 2015 Cyber Strategy The United States government has a limited and specific role to play in defending the nation against cyberattacks of significant consequence. The private sector owns and operates over ninety percent of all of the networks and infrastructure of cyberspace and is thus the first line of defense. One of the most important steps for improving the United States overall cybersecurity posture is for companies to prioritize the networks and data that they must protect and to invest in improving their own cybersecurity. While the U.S. government must prepare to defend the country against the most dangerous attacks, the majority of intrusions can be stopped through relatively basic cybersecurity investments that companies can and must make themselves. 14

15 The U.S. Department of Homeland Security (DHS) The DHS is responsible for creating and maintaining a common operational picture for cyberspace across the government. Coordinated response to significant cyber incidents is carried out by the National Cybersecurity Division (NCSD) of the DHS. DHS National Protection and Programs Directorate (NPPD) works with partners at all levels of government and form the private and non-profit sectors, to share information and build greater trust to make the cyber and physical infrastructure more secure. The Office of Cyber and Infrastructure Analysis (OCIA) supports efforts to protect the Nation s critical infrastructure through an integrated analytical approach evaluating the potential consequences of disruption from physical or cyber threats and incidents. OCIA identifies critical infrastructure where cyber incidents could have catastrophic impacts to public health and safety, the economy, and national security. OCIA builds on the work of the Department s Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) and manages the National Infrastructure Simulation and Analysis Center (NISAC). 15

16 DHS and Contractors DHS Office of the Assistant Secretary for Cybersecurity and Communications (CS&C) within NPPD is responsible for enhancing the security, resilience, and reliability of the Nation s cyber and communications infrastructure. CS&C houses the National Cybersecurity and Communications Integration Center (NCCIC), a 24x7 cyber situational awareness, incident response, and management center. The CS&C Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR) division is the DHS primary point of engagement and coordination for national security/emergency preparedness (NS/EP) communications and cybersecurity initiatives for both government and industry partners. Relevant to contractors, the SECIR s include the following: works with government and industry to promote and enhance the security and resilience of NS/EP communications and cyber infrastructure. maintains meaningful lines of communication and engagement. leads the development of strategic risk assessments and the delivery of key mitigation capabilities to owners and operators. leads the development and implementation of education, outreach, and awareness, and cyber workforce and NS/EP communications development initiatives. 16

17 The U.S. Department of Homeland Security (DHS) The Department s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) response to significant privatesector incidents and deploys teams for site assistance visits. It also has established close working relationships with industry through partnerships like the Protected Critical Infrastructure Information (PCII) Program, which enhances voluntary information sharing between infrastructure owners and operators in the government. Perhaps the two most important DHS cybersecurity programs are Continuous Diagnostics & Mitigation ( CDM ) and the National Cybersecurity Protection System ( EINSTEIN ). Under CDM, DHS works with the General Services Administration ( GSA ) to establish and fund government-wide Blanket Purchase Agreements used to provide Federal agencies a basic set of tools to support the continuous monitoring of information systems. The goal of EINSTEIN is to provide the Federal government with an early warning system, improved situational awareness of intrusion threats to Federal Executive Branch civilian networks, near real-time identification of malicious cyber activity, and prevention of that malicious cyber activity. 17

18 The National Institute of Standards and Technology (NIST) National Institute of Standards and Technology (NIST), a technical, nonregulatory agency that provides a unique interface with industry for the development of technical standards. Its Computer Security Division's (CSD) Computer Security Resource Center (CSRC) facilitates broad sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia. NIST s National Cybersecurity Center of Excellence (NCCoE) works with members of industry to identify broad cybersecurity challenges. NIST s National Strategy for Trusted Identities in Cyberspace (NSTIC) individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity credentials to access online services in a manner that promotes confidence, privacy, choice and innovation. President Obama s E.O directed NIST to establish a technology-neutral, voluntary cybersecurity framework. 18

19 Law Enforcement The U.S. Department of Justice (DOJ) and the Federal Bureau of investigation (FBI) are the principal agencies responsible for investigating and prosecuting cyber crimes. Several agencies have combined efforts to create the Internet Crime Complaint Center (IC3) as a single destination for collecting data on Internet related crimes and referring them to the proper authorities. DOD operates the Defense Cyber Crime Center (DC3) as the operational focal point for the DIB Cyber Security/Information Assurance (CS/IA) Program. DHS operates its Cyber Cop Portal to facilitate information sharing for investigators anywhere in the world working on cybercrime cases. The National Computer Forensic Institute trains local law enforcement officers to conduct network intrusion electronic crimes investigations and friends functions. 19

20 Joint Report, Improving Cybersecurity and Resilience Through Acquisition GSA and DOD released a joint report in 2014 entitled Improving Cybersecurity and Resilience Through Acquisition. The report contained six recommendations aimed at strengthening the cyber resilience of the federal government by improving management of the people, processes, and technology affected by the federal Acquisition System. Specifically, the report recommended the following government actions: instituting baseline cybersecurity requirements as a condition for certain contract awards; training the relevant government workforce in new cybersecurity acquisition practices; developing common cybersecurity definitions and increased clarity of key cybersecurity terms; creating a government-wide cybersecurity risk management strategy that identifies a hierarchy of cyber risk criticality for acquisitions to permit the government to identify acquisitions that present the greatest cyber risk; requiring the government to procure certain items solely from original equipment manufacturers ( OEM ), authorized resellers, or other trusted sources; increasing government accountability by holding key decisionmakers accountable for decisions regarding the threats, vulnerabilities, likelihood, and consequences of cybersecurity risks. 20

21 The Relationship Between the Federal Government and Its Contractors The past few years have seen a dramatic increase in the amount that the Federal government is exercising its regulatory and contracting powers to govern the cyber activities of contractors. E.O recognized the need to integrate cybersecurity into the federal acquisition process. It directed the GSA and DOD to prepare recommendations for the President on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. 21

22 Key Areas of Legal Issues Government Contracts Cybersecurity Compliance and Policy Insurance Labor & Employment Trade Secrets Privacy 22

23 Overview of the Federal Cybersecurity Landscape for Contractors No comprehensive federal data security law to date Numerous federal statutes, executive orders, regulations, and policies Hundreds of NIST standards NIST Framework Continuing gaps and vagueness regarding expectations of contractors Yet USG increasingly allocating risks to contractors State laws protecting 23

24 Federal Legal and Policy Framework Governing Contractors The Federal Information Security Management Act ( FISMA ) NDAA FY 2013 Reporting Requirements Executive Order Controlled Unclassified Information E.O Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive NIST Information Security Documents NIST Cybersecurity Framework Industrial Security Requirements NISPOM DOD s Defense Industrial Base Cyber Security/Information Assurance Program GSA and DOD Working Group Report, Improving Cybersecurity and Resilience through Acquisition 24

25 What is the NIST Cybersecurity Framework? E.O mandated NIST establish a voluntary, risk-based framework to guide organizations in critical infrastructure sectors in the creation, assessment, and improvement of their cybersecurity programs. Framework is not directed at all organizations, mandatory, or prescriptive. Framework is a useful methodology for organizing a program to identify, assess and respond to cyber threats, and for referencing other standards from NIST. 25

26 Compliance Requirements Proposed FAR Rule on Basic Safeguarding of Contractor Information Systems DFARS Rule on Safeguarding DOD Unclassified Controlled Technical Information DOD s Counterfeit Prevention Policy and DOD s Proposed Rule for Electronic Parts Inconsistent Agency Cybersecurity Guidance Flowing Down Cybersecurity Requirements Safeguarding the Supply Chain Uneven and Unrecoverable Costs of Compliance 26

27 Legal Risks to Government Contractors Federal contractors that fail to implement adequate cybersecurity measures face greater legal risk than their commercial counterparts. These risks include a lack of and inconsistent Government rules, regulations, and standards. Although agencies such as the DOD, the GSA, and NIST have been particularly engaged on the topic, the Government lacks even a unified set of cybersecurity-related definitions. Furthermore, while some agencies address cybersecurity by assigning risks to contractors through regulations and guidance, others do so through individually negotiated contract terms. No comprehensive, considered balance of risk allocation that applies across the Government. 27

28 Impact of Cybersecurity Requirements On Traditional Government Contractor Risk Noncompliance with the terms of a Government contract may result in the Government s termination of that contract for default. Federal agencies also use contractor performance to make both responsibility determinations yes/no assessments on a contractor s capabilities, systems, and resources to perform a solicited contract. Past performance evaluations, which consider a contractor s prior performance as an indicator of results on future contracts. Companies that fail to comply with applicable cybersecurity rules or that otherwise do not take a responsible approach to cyber threats, also may face administrative suspension and debarment. Suspension and debarment also have collateral impacts on business with state and local governments and in some commercial areas. 28

29 False Claims Act (FCA) The False Claims Act (FCA)196 imposes civil liability on any person who knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval or knowingly makes, uses, or causes to be made or used, a false record or statement material to a false or fraudulent claim. 29

30 The Cyber Risk Paradigm Cyber risks present real and present danger to business operations, costs and, for some, continued viability. Cyber risks are a legal problem, an operational problem, and a governance problem not simply a technological one. Corporate leaders have a fiduciary responsibility to understand and manage cyber risks. Leaders must bring together key components of the organization to develop joint ownership of risks and a comprehensive approach to cybersecurity. 30