PRCO Slides

June 29, 2016

Federal Cyber Security Initiatives: Protection of “Covered Defense Information” – the FAR “Basic Safeguards” Rule – and Beyond

Robert S. Metzger
Rogers Joseph O’Donnell, P.C.
875 15th Street, N.W., Ste 725
Washington, D.C. 20005
(202) 777-8951
[email protected]
www.rjo.com

Rogers Joseph O’Donnell © 2015 2016 All Rights Reserved

ROGERS JOSEPH O’DONNELL | CGP Pricing Regulatory & Oversight Committee | June 29, 2016

Introduction

• Focus will be on new federal requirements that require cyber protection of federal government information
  – The ‘Network Penetration’ DFARS – “Covered Defense Information”
  – The ‘Basic Safeguarding’ FAR – “Federal Contract Information”
  – The forthcoming “CUI Rule” – “Controlled Unclassified Information”

• We’ll review –
  – What motivates these cybersecurity initiatives
  – Federal participants and process
  – What is to be protected
  – NIST SP 800-171 Safeguards
  – The ‘Network Penetration’ DFARS and the ‘Basic Safeguarding’ FAR
  – Key Implementation Issues


Why the Cybersecurity Initiatives?


Federal Goals: Safeguard Information

“The Executive Agent, in consultation with affected agencies, shall develop and issue such directives as are necessary to implement this order. Such directives shall be made available to the public and shall provide policies and procedures concerning marking, safeguarding, dissemination, and decontrol of CUI that, to the extent practicable and permitted by law, regulation, and Government-wide policies, shall remain consistent across categories and subcategories of CUI and throughout the executive branch.”
Executive Order 13556 – “Controlled Unclassified Information” – Nov. 4, 2010

“This proposed FAR rule would add a contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the Government (other than public information). DoD, GSA, and NASA concluded that these requirements are an extension of the requirements, under the Federal Information Security Management Act (FISMA) of 2002, for Federal agencies to provide information security for information and information systems that support the operations and assets of the agency, including those managed by contractors. 44 U.S.C. 3544(a)(1)(A)(ii) describes Federal agency security responsibilities as including ‘‘information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.’’ The safeguarding measures would not apply to public information as defined at 44 U.S.C. 3502.”
Proposed Rule, “Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems”, 77 Fed. Reg. 51496, Aug. 24, 2012 (emphasis added)

“GUIDANCE: A vital aspect of maintaining U.S. technological superiority is ensuring cybersecurity of our networks and systems. Systems today, as well as all of their external interfaces, must be resilient from cyber adversaries. The Department has initiated a series of actions to improve military system cybersecurity … Unclassified controlled technical information (CTI), potentially accessible through commercial interfaces, is particularly vulnerable to traditional and nontraditional foreign intelligence collection. When compromised, this information can significantly degrade U.S. technological superiority by saving an adversary time and effort in developing similar capabilities or countermeasures. In addition to addressing classified system information, this initiative’s objective is to improve CTI protection in both the government and the industrial base, including the supply chain. In FY 2014, the Department amended the Defense Federal Acquisition Regulation Supplement (DFARS) to safeguard unclassified CTI; we must now ensure this provision is effectively applied to all new DoD contracts.”
“Better Buying Power 3.0” – Implementation Directive, USD AT&L, Apr. 9, 2015 (emphasis added)


DoD’s Perspective on CTI “Losses”

National security considerations explain why DoD has moved first and furthest to impose cyber measures on contractor information systems.

Source: Brian D. Hughes, ODASD/SE, “Protecting US Military’s Technical Advantage: Assessing the Impact of Compromised Unclassified Controlled Technical Information,” NDIA Systems Engineering Conf., Oct. 28, 2015

FISMA Drives Federal Data Protection

The Federal Information Systems Modernization Act, P.L. 113-283, requires agencies to protect federal information and information systems. Agencies must: “provide information security protections commensurate with the risk and the magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification or destruction of (A) information collected by or on behalf of an agency; or (B) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”. The FISMA obligation extends outside “federal information system” boundaries.

• Many other statutes (e.g., HIPAA) mandate federal information security
• FISMA implementation includes FIPS-199 and FIPS-200.
  – FIPS-199: agencies to assess impact of breach on Confidentiality, Integrity & Availability
  – FIPS-200: articulates 17 security “families” based upon C|I|A impact assessment
• Outside federal information systems, the chief concern is confidentiality. Threats to federal information include exfiltration (theft), malicious exploitation, unauthorized use, improper access, data corruption and function denial.

Federal Participants & Process


Federal Initiatives: Roles & Missions

Responsibilities:
• OMB: to decide on the policies to use acquisition methods and contract tools
• NARA: to define and categorize the varieties of “CUI” and establish workable guidelines & mechanisms
• NIST: to identify required security controls and practices for adoption
• DoD: lead agency for contractually-imposed cyber requirements
• DHS: to coordinate cyber incident response (USCERT), for protection of critical infrastructure, and (new) to assist in contractor self-assessment and control implementation
• Agencies: to evaluate cost/benefit, tailor, specify reporting, require monitoring, administer and oversee

[Diagram labels: DHS, OMB, NARA, NIST; “Acquisition Methods & Contract Controls – Toolkit”: FAR & DFARS]

Contractors who receive CUI will become subject to federal cyber obligations as these are imposed by contract or agreement term.

The 3-Part Federal Initiative to Safeguard CUI

There are three elements to the federal CUI initiative:

① NARA’s CUI Rule, establishing categories of CUI, responsibilities for designation, dissemination controls and required cyber security measures (NIST SP 800-171 for CUI on non-federal information systems) [Status: Final Rule expected soon]

② NIST’s SP 800-171, establishing cyber safeguards expected of commercial companies and other non-federal actors who host, use or transmit CUI [Status: Done]

③ Acquisition Measures, effected by regulation, implemented through solicitation requirements and contract clauses, to obligate recipients to protect CUI, e.g.,
  • DoD’s “Unclassified Controlled Technical Information” DFARS (Nov. 2013) [Status: Superseded]
  • DoD’s Interim DFARS, “Network Penetration Reporting and Contracting for Cloud Services” (Aug. 2015, revised Dec. 2015) – protects four categories of CUI termed “Covered Defense Information” (CDI) [Status: Applies now to DoD contracts]
  • DoD, GSA & NASA Final FAR, “Basic Safeguarding of Contractor Information Systems” (May 2016) [Status: Now out]

Coming from NARA: the General FAR Rule to protect all forms of CUI

What is to be Protected:

• ‘Unclassified Controlled Technical Information’ (UCTI)
• ‘Covered Defense Information’ (CDI)
• ‘Controlled Unclassified Information’ (CUI)
• ‘Federal Contract Information’ (FCI)

Three Information System Domains

[Figure: Three Information System Domains. Adapted from DoD, “Navigating Unclassified Cyber/Information Security Protections, Network Penetration Reporting and Contracting for Cloud Services,” Dec. 17, 2015, available at http://www.cogr.edu/COGR/files/ccLibraryFiles/Filename/000000000292/Navigating%20Unclassified%20Information%20System%20Security%20Protections%20(slides%20for%20COGR)Thursafternoon.pdf]

Applicable controls: 15 from FAR 52.204-21(b)

Covered Defense Information (CDI)

DFARS 204.7301 Definitions:

Covered defense information means unclassified information that—
(1) Is—
  (i) Provided to the contractor by or on behalf of DoD in connection with the performance of the contract; or
  (ii) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract; and
(2) Falls in any of the following categories:
  (i) Controlled technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
  (ii) Critical information (operations security). Specific facts identified through the Operations Security process about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment (part of Operations Security process).
  (iii) Export control. Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations, and munitions list; license applications; and sensitive nuclear technology information.
  (iv) Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies (e.g., privacy, proprietary business information). [Corresponds to NARA “Controlled Unclassified Information”]

Categories of Controlled Unclassified Information

● NARA Proposed Rule: “Controlled Unclassified Information”, 32 CFR Part 2002, 80 Fed. Reg. 26501 (May 8, 2015)

● NARA’s CUI “Registry,” https://www.archives.gov/cui/registry/category-list.html, identified 23 Categories and 82 Subcategories of CUI:
  • Agriculture
  • Controlled Technical Information
  • Critical Infrastructure (7 sub)
  • Emergency Management
  • Export Control (1 sub)
  • Financial (8 sub)
  • Foreign Government Information
  • Geodetic Product Information
  • Immigration (7 sub)
  • Information Systems Vulnerability
  • Intelligence (5 sub)
  • Law Enforcement (15 sub)
  • Legal (11 sub)
  • NATO (2 sub)
  • Nuclear (5 sub)
  • Patent (3 sub)
  • Privacy (8 sub)
  • Procurement & Acquisition (2 sub)
  • Proprietary Business (3 sub)
  • SAFETY Act Information
  • Statistical (3 sub)
  • Tax (1 sub)
  • Transportation (2 sub)

● “CUI categories and subcategories are those types of information for which laws, regulations, or Government-wide policies requires safeguarding or dissemination controls”. Proposed 32 C.F.R. § 2002.2 (Definitions)

Who has access to CUI?
  • Federal contractors
  • State & Local governments
  • State & Local contractors
  • Tribal governments
  • Colleges & Universities
  • Interstate Organizations
  • NGOs
  • Foreign governments

NARA estimates that 300,000 contractors & grantees hold Controlled Unclassified Information

The CUI Safeguarding Standard: NIST SP 800-171


NIST SP 800-171: Introduction

• SP 800-171 takes 14 of the 17 security “families” of FIPS-200 and extends these principles to contractors and others who host, use or transmit CUI. (Not self-executing: must be imposed by contract).
• The security “requirements” of SP 800-171 are in the nature of “performance objectives” – not instructions, and not “prescriptive.”
• Guidance is provided on “mapping” from other regimes to -171.
• Contractors with systems that already satisfy SP 800-53 should exceed SP 800-171 requirements. Separation into separate domains may be problematic, however.
• NIST (and NARA) specifically recognize that there are multiple sources and standards other than “federal” (NIST-driven).
• Protection of CUI by use of cloud service providers is expected but applicable safeguards (outside FedRAMP) are a “work in progress.” Reconciliation of SP 800-171 requirements to commercial cyber strategies and methods is challenging.

NIST SP 800-171: 14 “Families,” 109 Controls

SP 800-171 describes 30 “basic” and 79 “derived” security requirements. “Basic” tracks to control families in FIPS-200; “derived” reflect NIST SP 800-53 rev4.

Family (basic/derived requirements):
• Access Control (2/20)
• Awareness & Training (2/1)
• Audit & Accountability (2/7)
• Configuration Management (2/7)
• Identification & Authentication (2/9)
• Incident Response (2/1)
• Maintenance (2/4)
• Media Protection (3/6)
• Personnel Security (2/0)
• Physical Protection (2/4)
• Risk Assessment (1/2)
• Security Assessment (3/0)
• Systems & Comm Protection (2/14)
• System & Information Integrity (3/4)

SP 800-171 does not require submission of a Security Plan and has no mechanism for authorization, accreditation or for government review or approval. Instead, SP 800-171 relies on self-assessment and self-attestation. Cyber breaches will require reporting and federal inquiry could follow events. CUI used to produce a product, provide a service, or perform a function, will be subject to SP 800-171.

A Comparative Example

NIST SP 800-53r4 Family: Incident Response – 9 pages of controls & enhancements

NIST SP 800-171 3.6 Incident Response
Basic Security Requirements:
  3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
  3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
Derived Security Requirement:
  3.6.3 Test the organizational incident response capability.

Basic Safeguarding FAR control: “Identify, report and correct information and information system flaws in a timely manner.” FAR 52.204-21(b)(xii)

DoD’s Expectations – and Surprise DoD was surprised at the negative industry reaction to the ‘Network Penetration’ DFARS. They figured it was a follow-on to the 2013 UCTI Rule and that the substitution of the new NIST SP 800-171 for SP 800-53 would be seen as making industry’s job easier, notwithstanding the greater number of controls. DoD did not anticipate that contractors would react to the Aug. 2015 DFARS with alarm that they (and their subcontractors) would be held to new cyber safeguards that many in the defense supply chain did not understand and had not prepared for. As a result, by action on Dec. 30, 2015, DoD “blinked” and postponed compliance to Dec. 31, 2017.

DoD Presentation - Dec. 17, 2015


The ‘Network Penetration’ DFARS


Overview of the ‘Network Penetration’ DFARS

• History:
  – Final Rule, Nov. 18, 2013, “Safeguarding Unclassified Controlled Technical Information”
  – Interim ‘Network Penetration’ Rule, Aug. 26, 2015. 80 Fed. Reg. 51739.
  – Amended by further Interim Rule on Dec. 30, 2015. 80 Fed. Reg. 81472.

• Structure
  – 204.7302. Policy: DoD contractors to provide “adequate security” and to report cyber incidents directly to DoD. New measures to protect contractor disclosures.
  – 204.7304. Solicitation and Contract Clauses. “Compliance” clause (252.204-7008) and “Safeguarding” clause (252.204-7012) to be included “in all solicitations and contracts,” including FAR Pt. 12 for commercial items. Flowdown of -7012 is “without alteration.”
    • Compliance Clause (-7008). As revised, includes representation that contractor “will implement” requirements of SP 800-171 “not later than December 31, 2017.”
    • Safeguarding Clause (-7012). Obligation to provide “adequate security” (discussed below) and includes reporting requirement within 72 hours of discovery of any cyber incident.
  – Subpart 239.76 Cloud Computing. For DoD use, CSP must have “provisional authorization” per DISA’s “Security Requirements Guide” (FedRAMP+) (≠ SP 800-171).
  – Cloud Computing Clause (252.239-7009). Includes incident reporting and media preservation obligations, and obligates contractor to provide DoD with forensic access.

“Adequate Security”

DFARS 252.204–7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”

(a) Definitions. Adequate security means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.

(b) Adequate security. The Contractor shall provide adequate security for all [CDI] on all covered contractor information systems that support the performance of work under this contract. For contractor systems not operated “on behalf of” the Government, “at a minimum” the contractor shall
  (1)(A) implement the security requirements in NIST SP 800–171 “as soon as practical, but not later than December 31, 2017.” The Contractor shall notify the DoD CIO … “within 30 days of contract award, of any security requirements specified by NIST SP 800-171 not implemented at the time of contract award”; or
  (B) “alternative but equally effective security measures used to compensate for the inability to satisfy a particular requirement and achieve equivalent protection approved in writing by an authorized representative of the DoD CIO prior to contract award”; and
  (2) “Apply other security measures when the Contractor reasonably determines that such measures, in addition to those identified in paragraph (b)(1) of this clause, may be required to provide adequate security in a dynamic environment based on an assessed risk or vulnerability.”

Interim DFARS (Network Penetration)

Key Objections
• The Rule is a surprise
• The regulatory target is moving
• Acts of different federal agencies are not sufficiently coordinated
• Changing to NIST SP 800-171 will be very difficult and expensive
• Contractors can’t be certain what is “covered defense information”
• Conflict with export controls
• Transition problems include risk of non-compliance
• Uncertainty as to exceptions, deviation or approval process
• Concerns about suppliers

Implementation Strategy
• Self-assessment to identify sources and nature of CDI
• Evaluation of existing, domain-specific security
• Inventory specific solicitation and contract requirements
• “Fit/Gap” analysis against -171
• Risk-based assessment (R = ∫ T x V x C) if necessary (“adequate security”)
• Document CDI System Security Plan
• Identify Changes & Improvements
• Determine if Deviation Necessary
• Submission to Purchasing Activity
• Active engagement with suppliers

The ‘Basic Safeguarding’ FAR


“Federal Contract Information” (FCI)

What is “Federal contract information”?
• FCI is defined very broadly as nonpublic information that is “provided for or generated for the government” under a contract to “develop or deliver a product or service to the government, but not including information provided to the public or simple transactional information.” It does not include information made available by the Government to the public or “simple transactional information, such as necessary to process payments.” FAR 52.204-21(a)
• “Information” also is defined broadly – to include “any communication or representation of knowledge such as facts, data, or opinions, in any medium or form”. FAR 4.1901; 52.204-21(a)

What is protected?
• The new FAR protects “information systems” rather than carefully defined information types. If a contractor “processes stores or transmits” any FCI, its information system becomes “covered” by the Rule and subject to minimum enumerated safeguards. FAR 4.1901; 52.204-21(a), (b)
• Where a contractor information system hosts FCI and other, non-federal information, the rule applies to the whole system. 81 Fed. Reg. 30433.

Who is subject to the FAR?
• The “Basic Safeguarding” rule applies to “all acquisitions” (including commercial items other than COTS) when a contractor’s information system “may contain” FCI; the FAR contract clause is to be inserted “when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system.” FAR 4.1902, 4.1903

“Federal Contract Information” (FCI)

How is protection achieved?
• The federal government has a surfeit of cyber controls. Those designed for federal information systems, e.g., NIST SP 800-53, are too costly and burdensome to impose on contractors to protect FCI. Instead, the new rule calls out 15 safeguards, each derived from the SP 800-171 (next slide).

How will industry respond?
• The ‘Network Penetration’ DFARS met with strong industry resistance because of uncertainty over costs and how to comply. The ‘Basic Safeguarding’ Rule applies to many more contracting actions, contracts and contractors – and undoubtedly will surprise (and may alarm) some.
• The FAR invokes only 15 cyber safeguards and these are stated as performance standards – goals. The Rule presumes these safeguards are consistent with “prudent business practices.”
• Even so, some companies will object to perceived “federal interference” and cyber mandates.

Are there problems with the ‘Basic Safeguarding’ Rule?
• Yes. The Rule seeks to apply simple security propositions to highly complex subjects and diverse business circumstances. There are drafting issues that will surface as more and different companies confront the compliance obligations that are now imposed.

Is this Rule important?
• While self-described as “just one step in a series of coordinated regulatory actions being taken or planned”, it reflects a government decision to use its regulatory power and acquisition authority to mandate minimum cyber defenses for all private companies that do government business.

“Controls” of the ‘Basic Safeguarding’ FAR

(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) Verify and control/limit connections to and use of external information systems.
(iv) Control information posted or processed on publicly accessible information systems.
(v) Identify information system users, processes acting on behalf of users, or devices.
(vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Update malicious code protection mechanisms when new releases are available.
(xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Access Controls “dominate” the ‘Basic Safeguarding’ Rule

Concluding Observations


Cyber Compliance Risks

Special attention is required to address small business compliance.


What Lies Ahead: CUI, FAR & Agency Rules

• NARA will issue the Final FAR Rule on designation and safeguarding of “Controlled Unclassified Information” (CUI); it is expected soon.
• OMB then will issue “final” Cyber Acquisition Guidance.
• DoD will issue further PGI and FAQs and likely will again revise the ‘Network Penetration’ DFARS.
• NIST and/or DoD may develop “overlays” to SP 800-171.
• OMB may clarify use of commercial cloud for CDI security.
• NARA will issue for public comment the “General FAR Rule” to obligate all federal agencies to require cyber protection of CUI.
• DoD and other federal agencies – including GSA – will act to protect sensitive federal information even before the “General FAR Rule.”

About the Presenter

Robert S. Metzger
Rogers Joseph O’Donnell PC
202-777-8951
[email protected]

Robert S. Metzger heads the Washington, D.C. office of Rogers Joseph O’Donnell, P.C., a boutique law firm that specializes in public procurement matters. He advises leading U.S. and international companies on key public contract compliance challenges and in strategic business pursuits. Bob is recognized for work on supply chain and cyber security. On these subjects, he has published extensively and has made presentations to many academic, government, industry, legal and technical groups, among them ABA, AIA, ASIS, CALCE, CHASE, CFAM, DoD, DIB SCC, DoJ, DSB, ERAI, Georgetown Law Cyber Institute, Harvard Kennedy School, IPC, NASCIO, National IPR Center, NCMA, NDIA, SAE, SMTA and SSCA. Recently named a 2016 "Federal 100" awardee, Federal Computer Week said of Bob: “In 2015, he was at the forefront of the convergence of the supply chain and cybersecurity, and his work continues to influence the strategies of federal entities and companies alike.” This presentation reflects Mr. Metzger’s personal views and should not be attributed to any client of his firm or organization with which he is involved or affiliated.

Bob is a member of the Defense Science Board Cyber/Supply Chain Task Force. He also is Vice-Chair of the Cyber/Supply Chain Assurance Committee of the IT Alliance for Public Sector (ITAPS), a unit of the Information Technology Industry Council (ITIC), a prominent trade association. Bob received his B.A. from Middlebury College and his J.D. from Georgetown University Law Center, where he was an Editor of the Georgetown Law Journal. He was a Research Fellow, Center for Science & International Affairs (now “Belfer Center”), Harvard Kennedy School of Government. Bob is a member of the International Institute for Strategic Studies (IISS), London. Academic publications on national security topics include articles in International Security and the Journal of Strategic Studies.

Taxonomy

• CUI: Controlled Unclassified Information
• CDI: Covered Defense Information
• DFARS: Defense Federal Acquisition Regulation Supplement
• FAR: Federal Acquisition Regulation
• FCI: Federal Contract Information
• FIPS: Federal Information Processing Standards
• FISMA: Federal Information Systems Modernization Act
• GSA: General Services Administration
• NARA: National Archives & Records Administration
• NIST: National Institute of Standards & Technology
• OMB: Office of Management and Budget
• OPM: Office of Personnel Management

Chronology of Cyber/Supply Chain Initiatives

• November 4, 2010: Executive Order 13556: “Controlled Unclassified Information”
• August 24, 2012: Proposed Rule, “Basic Safeguarding of Contractor Information Systems”
• February 2013: Executive Order 13636: “Improving Critical Infrastructure Cybersecurity”
• November 18, 2013: Interim Rule: DFARS Supply Chain Risk (Sec. 806 NDAA FY 2011)
• November 18, 2013: Final Rule: “Safeguarding Unclassified Controlled Technical Information”
• February 12, 2014: Framework for Improving Critical Infrastructure Cybersecurity
• May 6, 2014: Final Rule: “Detection and Avoidance of Counterfeit Electronic Parts”
• May 8, 2015: NARA Proposed Rule: “Controlled Unclassified Information”
• June 19, 2015: NIST SP 800-171: “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (Final)
• August 11, 2015: OMB draft Guidance: “Improving Cybersecurity Protections in Federal Acquisitions”
• August 26, 2015: Interim Rule: DFARS “Network Penetration Reporting and Contracting for Cloud Services”
• September 21, 2015: Proposed Rule: Detection and Avoidance of Counterfeit Electronic Parts – Further Implementation (deletes “embedded software” from definition)
• October 8, 2015: DoD Class Deviation – Multifactor authentication (local/network access) – 9 mos.
• October 30, 2015: Final Rule: “Requirements Relating to Supply Chain Risk” (Sec. 806 NDAA FY 2011)
• October 30, 2015: OMB Memorandum: “Cybersecurity Strategy and Implementation Plan” (CSIP)
• November 2015: President Obama signs NDAA FY 2016 (includes cyber risk assessment)
• December 18, 2015: Cybersecurity Information Sharing Act (CISA) signed into law
• December 30, 2015: Amended Interim Rule: “Network Penetration …” (defers cyber obligation to 12/31/2017)
• May 16, 2016: Final Rule, “Basic Safeguarding of Contractor Information Systems” (81 Fed. Reg. 30439)