TO: Dave Ehrhart, Chair, Public Contract Law Section
FROM: David Z. Bodenheimer, Susan B. Cassidy, and Maureen T. Kelly, Co-Chairs, Cybersecurity, Privacy and Data Protection Committee
DATE: September 15, 2015
SUBJECT: Annual Committee Plan

As we left the annual meeting, the Cybersecurity, Privacy and Data Protection Committee planned on taking a brief hiatus in August from our regular program schedule so we could focus our efforts on preparing for what would no doubt be yet another active year for our committee. What we did not realize is that August would provide no rest for the committee. Rather, our ABA year has started off with a bang (or two really big bangs) with the issuance of OMB's proposed cyber acquisition guidance to federal agencies on August 11th ("OMB proposed cyber acquisition guidance") and the publication of a new DFARS interim rule on Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) on August 26th ("DFARS interim rule"). If August is any indication, this new ABA year certainly will be the busiest one yet for the Cybersecurity, Privacy and Data Protection Committee.

I. Committee Meetings

We plan to continue the committee's strong record of holding regular (typically monthly) meetings that feature guest speakers and in-depth discussions of the many key legislative, regulatory, and policy developments in the cybersecurity/privacy arena. Our committee does not face a shortage of ideas for potential topics or panelists, including many Government representatives, for this coming year's committee meeting schedule. Given the serious and evolving nature of the cyber threats faced by the U.S. Government and the contracting community, the regulatory changes that have already been implemented and proposed, and the additional regulatory, statutory, and policy changes anticipated in the cybersecurity area, we need to remain somewhat agile to deal with emerging developments.
Indeed, the committee has already held two (2) unplanned meetings to discuss, and to solicit volunteers to participate in preparing comments on, the OMB proposed cyber acquisition guidance and the DFARS interim rule.
Meetings Already Held or Announced

A. August 17, 2015 Special Meeting
Previously unscheduled telephonic meeting to discuss OMB proposed cyber acquisition guidance to federal agencies and to solicit ideas and volunteers for ABA PCLS comments. Discussion led by Susan Cassidy and Maureen Kelly.

B. September 1, 2015 Special Meeting
Previously unscheduled telephonic meeting to provide an overview of the DFARS Interim Rule on Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) and to solicit ideas and volunteers for ABA PCLS comments in response to the Interim Rule. An overview of the Interim Rule was prepared and discussion led by Susan Cassidy and Maureen Kelly.

C. September 14, 2015 Meeting
Our first regularly scheduled meeting of the year will be held in person at Crowell & Moring's DC office and available telephonically. David Bodenheimer will host a discussion on "Information Security, Privacy and the Government Accountability Office: Perspectives on Risks, Requirements, and Emerging Issues in the Public Sector" featuring Gregory C. Wilshusen, the GAO Director of Information Security Issues. Seventy-five people have pre-registered for this event.

D. September 14, 2015 Vice Chair Meeting
The co-chairs will meet with the committee's vice chairs immediately after our full committee's meeting to (i) discuss this Annual Plan and (ii) firm up each Vice Chair's commitment regarding his/her participation for this ABA year.

E. October 14, 2015 Event
The Committee, along with the ABA Cybersecurity Legal Task Force and multiple Science & Technology Law (SciTech) Section Committees (Homeland Security Committee, eprivacy Committee, Privacy and Computer Crime Committee, Information Security Committee, Cloud Computing Committee, the Internet of Things Committee), and the Young Lawyers Division are cosponsoring a joint program focusing on legal careers in cybersecurity, privacy, and information law.
This second annual evening event, entitled "Legal Careers in Cybersecurity, Privacy, & Information Law: An Evening of Networking and Discussions with the Experts on How They Arrived," is again being hosted by Crowell & Moring and moderated by David Bodenheimer. We have invited DC-area law school students (Georgetown, George Washington, Howard, American, Catholic, George Mason, and Maryland) interested in pursuing a legal career in cybersecurity, privacy and information law. We expect approximately 60 law students to attend, network, and meet with ABA leaders and information law experts at this reception. We will send a separate invitation to PCLS leadership and would welcome any participation.

Other Future Meetings:

We are currently in various stages of planning of other meetings for the coming year including:
o Our second annual meeting featuring ABA Young Leaders on the Frontiers of Cybersecurity, Privacy, and Information Law: Rapid-Fire Retrospectives on 2015 and Predictions for 2016
o Our fourth annual January meeting featuring a roster of in-house corporate counsel providing their perspectives on cybersecurity for the coming year
o Our second annual February meeting featuring a roster of Government personnel on the front lines of working cyber issues in the Government

We also expect to co-sponsor a program with the ABA SciTech committees on "Meet the NIST Experts on Cybersecurity and Privacy" with invitations to be made to Ron Ross, Naomi Lefkowitz, and Jon Boyens. The target date will depend upon availability of the speakers and the forum.

Kier Bancroft of Venable, one of our active Vice Chairs, has proposed that we conduct a joint meeting with the Subcontracting, Teaming, and Strategic Alliances Committee to explore the many issues associated with the flow down of cyber requirements to subcontractors and suppliers, including incident reporting requirements and the applicability to commercial item providers. Kier will lead the efforts to arrange this meeting.

Other meeting topics currently under active consideration include:
o DoJ's recent cyber initiatives
o Impact of DFARS interim rule (and upcoming FAR rule)
o Cyber Incident Response plans and playbooks
o Government Chief Privacy Officers
o Insider Threat
o Congressional cyber initiatives
o Intersection of cyber initiatives with HIPAA

II. Communications

In anticipation of this year, we evaluated the effectiveness of our two primary methods of communication with committee members, i.e., our email communications, mostly regarding upcoming events, and our committee's website.
With respect to our email communications, we have updated our format for meeting announcements from a standard email text to a new, more user-friendly format featuring the PCLS logo and bulleted highlights. We also have reconciled the email list to the latest version of the official ABA committee list received from Patty Stanton.
We also decided to stop creating a monthly listing of key cyber/privacy articles, which was underutilized. Instead, Patrick Stanton of Covington Burling, the primary author of that feature for the last couple of years, now leads a team of some of our younger members who will issue short, timely alerts of new developments. Patrick and the new alert team members (Erin Sheppard of Dentons, Kate Growley of Crowell & Moring, and Oliya Zamaray of Rogers, Joseph, O'Donnell) developed a schedule where one of them is responsible each month for preparing alerts about important breaking developments. Just after this new team was formed (and before the monthly schedule was finalized), Kate Growley became the author of the first alert, announcing that the DFARS interim rule would be published the next day, after she uncovered that fact.

One other area we will take another fresh look at this year is our website. While we updated the site approximately 18 months ago and do add materials to it regularly, the site's format remains awkward. We also believe the site is underutilized. Catlin Meade of Covington Burling, who has been responsible for the site in the recent past and is also our liaison to the technical committee, will engage with that committee to see how we can improve the site.

III. Liaisons

The Committee has been active the past couple of years in pursuing a diverse leadership, including by hosting events that feature some of our younger members and Government lawyers. Early in 2015, we held our first meeting featuring the perspective of some of the key Government lawyers and other cyber experts, which directly led to greater collaboration as evidenced by our subsequent meeting featuring DHS initiatives. We intend to hold a similar meeting this year and also feature panels focusing on at least two different agencies' initiatives.
This year we are again co-hosting an event that invites top students from Washington, DC-area law schools to hear how leading lawyers in cyber, privacy and information law started in this area. Our events tend to be very well attended and attract a wide array of interested parties. We hope to leverage our expanding audience to diversify our leadership and membership.

Our Committee's liaisons for this year will be:
A. Membership and Diversity Outreach Committee: Kier Bancroft
B. Young Lawyers Committee: Oliya Zamaray
C. Technology and Electronic Committee: Catlin Meade
D. Publications Board: TBD
E. Federal, State and Local Attorneys Committee: TBD

IV. Committee Reports

Each co-chair will take the lead in preparing the Committee Reports for the three Council Meetings and ensuring timely submission. The co-chair responsible for each report is designated below.

November 2015 (due October 1, 2015) -- David Bodenheimer
March 2016 FPI (due January 30, 2015) -- Susan Cassidy
August 2016 Annual Meeting (due June 24) -- Maureen Kelly
V. Comment Letters

Multiple new cyber and privacy-related regulations and policies are anticipated this year. As a result, the committee will be extremely busy preparing comments on these regulatory and policy developments, as evidenced by the two efforts already kicked off:

A. OMB Proposed Guidance: The committee prepared comments on OMB's proposed cyber acquisition guidance to federal agencies, which was released online on August 11th. The comments were posted online on September 10th.

B. DFARS Interim Rule: The committee has started the process of preparing comments on the DFARS interim rule published on August 26, 2015. There is significant interest in the rule, as evidenced by the fact that over 30 individuals attended the quickly arranged meeting on this topic and approximately 13 have expressed an interest in participating in the preparation of the comments. Our goal is to have an initial outline of the comments completed by September 21st. The comments are due by October 26, 2015.

Of particular note, a new FAR cyber rule is expected after finalization of the OMB guidance this fall, and a final rule on CUI is also expected this fall.

VI. Succession Planning

It is our intent to begin implementing succession planning that will follow the Section's guidelines that Co-Chairs move on after approximately three years. Because this Committee is so active, we believe it is critical that this Committee have three active Co-Chairs, with two of them having at least one year of experience. Susan Cassidy joined us this year to replace Annejanette Pickens. David Bodenheimer intends to step down this coming year as he becomes Chair-Elect for the SciTech Section. Maureen Kelly plans to step down the following year. We have announced this intent to our current Vice-Chairs and intend to be transparent about our succession planning with all active members.
We believe that it is crucial that we refresh our current list of Vice Chairs to find and develop new potential leads for the Committee, so that our succession plan can succeed without our having to look for candidates outside of our current Vice Chairs. We currently have 19 Vice Chairs, a number of whom are not currently active in the Committee. We concur that the selection of future Co-Chairs and Vice Chairs should be based on such factors as who among Committee members is contributing regularly and meaningfully, who demonstrates commitment to the position and ability to organize Committee activities and written product, logistics (including the ability to host meetings), diversity, and issues of balanced constituency (government, in-house, private bar). To this end, emphasizing our focus on succession planning, we have asked each current Vice Chair to specify his/her firm commitment to lead at least one specific activity or initiative for the Committee this year. We have advised the current Vice Chairs that if they are unable to make such a commitment, we will be asking them to step down to make room for new leaders who are currently more active in the Committee. We will be contacting Section Leadership to make changes in the roster once we have completed this process.