Cybersecurity Client Alert – August 2015
Safeguarding Unclassified Controlled Technical Information (UCTI): What Federal Government Contractors Need To Know
In November 2013, the Department of Defense (DoD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) with a new clause regarding Information Technology and Cyber Security for government contractors (DFARS final rule at https://www.federalregister.gov/articles/2013/11/18/2013-27313/defense-federal-acquisition-regulation-supplement-safeguarding-unclassified-controlled-technical). The clause must be included in all new DoD prime contracts, including contracts for commercial items. Recently, the new clause has appeared in new task orders (even if it was not in the original Contract), prompting many contractors to frantically address how to ensure compliance with the clause. This update will highlight the requirements of the clause, and address the plethora of unanswered questions regarding how to effectively implement its requirements across the entire DoD supply chain.
DFARS 252.204-7012, Safeguarding Unclassified Controlled Technical Information (UCTI), requires that all DoD contractors at every tier under a government prime contract (1) implement adequate security measures to safeguard UCTI within contractor information systems from unauthorized access and disclosure, and (2) report certain cyber intrusion events (each a Cyber Incident) that affect the protected information within 72 hours of discovery.
“Controlled technical information” is defined as technical data or computer software (as defined in DFARS 252.227-7013) with military or space application that (1) is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination, and (2) is marked with a DoD distribution statement in accordance with DoD Instruction 5230.24, Distribution Statements on Technical Documents (found at http://www.dtic.mil/whs/directives/corres/pdf/523024p.pdf). Common examples of UCTI include technical data, computer software (both executable code and source code), engineering data, drawings, specifications, data sets, and studies and analyses.
NIST Security Controls
At a minimum, contractors and subcontractors must implement information security measures that include the 51 National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security controls enumerated in the DFARS clause (the publication is found at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf). If a listed NIST security control is not implemented, the contractor must provide the contracting officer a written explanation of why that control is (i) not applicable, or (ii) satisfied by an alternative control or protective measure that achieves equivalent protection.
The 51 NIST security controls are drawn from 14 control families covering the following areas:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Program Management
- Risk Assessment
- System and Communications Protection
- System and Information Integrity
However, compliance with the NIST security controls constitutes a minimum baseline for compliance with DFARS 252.204-7012, which expressly provides that such compliance “does not relieve the Contractor of the requirements specified by applicable statutes or other Federal and DoD safeguarding requirements for Controlled Unclassified Information (CUI) as established by Executive Order 13556, as well as regulations and guidance established pursuant thereto.” DFARS 252.204-7012(c). Thus, many contractors are left with more questions than answers regarding precisely what constitutes a fully compliant program under the DFARS clause.
In addition to implementation of the NIST Security Controls, contractors are required to report Cyber Incidents to the government within 72 hours of discovery of the event.
Under DFARS 252.204-7012, a Cyber Incident is defined as “actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.” A Reportable Cyber Incident includes “a cyber incident involving possible exfiltration, manipulation, or other loss or compromise of any unclassified controlled technical information resident on or transiting through Contractor’s, or its subcontractors, unclassified information systems” or “any other activities that allow unauthorized access to the contractor’s unclassified information system on which unclassified controlled technical information is resident on or transiting.” DFARS 252.204-7012(d)(2)(i)-(ii).
However, simply notifying the government of the incident is not enough. The clause also requires contractors to identify any UCTI impacted by the incident and to preserve an image of the affected system for at least 90 days, so as to permit the government to conduct a damage assessment. The contractor must also include as much of the following information as can be obtained in its report:
- Contract numbers affected unless all contracts by the company are affected
- Facility CAGE code if the location of the event is different than the prime Contractor location
- Point of contact if different than the POC recorded in the System for Award Management (address, position, telephone, email)
- Contracting Officer point of contact (address, position, telephone, email)
- Contract clearance level
- Name of subcontractor and CAGE code if this was an incident on a Sub-contractor network
- DoD programs, platforms or systems involved
- Location(s) of compromise
- Date incident discovered
- Type of compromise (e.g., unauthorized access, inadvertent release, other)
- Description of technical information compromised
- Any additional information relevant to the information compromise
Compliance / Implementation
Because the DFARS clause also must be flowed down to all subcontractors regardless of size and to all tiers of the DoD supply chain, prime contractors (in addition to ensuring their own compliance) have begun the process of seeking information from subcontractors indicating the status of their compliance with the clause.
To date, there is no definitive government process for supply chain oversight. Indeed, many questions (and few answers) remain, including:
- Who is responsible for assessment of relevant subcontractor systems to ensure compliance with DFARS 252.204-7012: the government or the prime contractor?
- How to assess subcontractor systems as they relate to safeguarding UCTI? What level of investigation and/or certification is required?
- Does the UCTI rule only apply to contract-specific UCTI? Or, do contractors and subcontractors subject to the UCTI clause have to report all cyber incidents involving UCTI which occur on their system(s)?
- What will be the economic impact on the DoD supply chain as a result of compliance with DFARS 252.204-7012?
Many contractors have begun flowing the clause down to all subcontractors and requiring subcontractors to complete representations and certifications crafted to identify the key aspects of compliance with DFARS 252.204-7012. Still others have initiated detailed subcontractor questionnaires aimed at assessing the relative strength of relevant subcontractor systems.
Although the clause does not enumerate specific penalties for noncompliance, failure to meet the requirements could result in negative past performance ratings, reduced profits, return of progress payments, or even termination for default for breach of contract. Non-compliant contractors may also constitute a supply chain risk under DFARS 252.239-7018, Supply Chain Risk. Additionally, for subcontractors, failure to comply (or even a delay in compliance) may effectively remove them from the supply chain, as prime contractors will be more likely to deem such non-compliance as a risk they cannot afford to take. – Chris Page
Do You Know Your Third Party Vendor?
Some of the largest data breaches have a common thread: the hackers gained entry through a third party vendor. Target, Goodwill and Home Depot are just a few. In these cases, hackers attacked the third party vendor’s system or used the third party vendor’s credentials to gain access to the target company’s network.
In many cases, pricing was probably a primary factor in selecting your third party vendors, who may store all of your company’s information in the cloud, handle your payment processing, provide accounting support, or manage your employment benefits. Did you ask about their security policies? How about their security certifications? What about their compliance record?
You first need to understand what type of data is being stored and/or processed, where the data is stored and how the data is used. You should then prioritize your contracts by the level of risk: contracts that involve the handling of protected health information or information that can be used to identify an individual (such as social security numbers) are high risk, whereas a contract for the supply of paper or office supplies is more likely to be low risk.
Once you have done this, you should assess the cyber-readiness of your vendors. Consider asking the vendor about their security policies and procedures. Do you want to require the vendor to be compliant with your security policies and procedures? Is the vendor compliant with applicable data privacy and security laws, regulations and standards?
After you have conducted your cyber due diligence, you should carefully review, consider and negotiate terms of the contract. For example, will you require the vendor to give any representations or warranties regarding its cyber compliance? Will you have the right to audit the vendor for compliance? If the contract waives all consequential damages and caps the vendor’s liability at x months of fees paid, how (and what) will you recover in the event of a breach?
You may have numerous existing contracts with vendors. If those contracts are several years old, they are not likely to have sufficient provisions covering data privacy and security and you may need to revisit those with the vendor.
At the end of the day, you may need to know your vendor’s cyber-readiness almost as well as you know your own company’s cyber-readiness. Your failure to oversee your vendors is likely to be deemed a failure to take reasonable measures and could be a very costly mistake that is not looked upon favorably by regulators or your insurer (if you have cyber insurance). – Nicole Harrell
Federal Financial Institutions Examination Council Releases Cybersecurity Assessment Tool
At the end of June, the Federal Financial Institutions Examination Council (“FFIEC”) released a Cybersecurity Assessment Tool (the “Tool”) to help financial institutions identify their cybersecurity risks and assess their preparedness. The Tool incorporates cybersecurity principles already put forth by the FFIEC and guidelines from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Use of the Tool is voluntary and is not required by the agencies that comprise the FFIEC, but the Tool can be extremely beneficial in helping financial institutions assess their internal practices and identify their cybersecurity risks at a time when cyber threats continue to increase in quantity and complexity.
The Tool, as explained by the FFIEC, will help financial institutions:
- Identify factors contributing to and determine the institution’s overall cyber risk
- Assess the institution’s cybersecurity preparedness
- Evaluate whether its preparedness is aligned with its risk
- Determine risk management practices and controls that are needed or need enhancement
- Guide risk management strategies
The Tool requires an institution to go through a two part assessment. The first part, Inherent Risk Profile, requires the institution to determine its level of risk based on (i) technologies and connection types, (ii) delivery channels, (iii) online and mobile products and services, (iv) organizational characteristics, and (v) external threats. This first step will characterize the institution’s risk into one of five risk levels.
The second part of the assessment, Cybersecurity Maturity, establishes an institution’s maturity level within five domains: (1) Cyber Risk Management and Oversight, (2) Threat Intelligence and Collaboration, (3) Cybersecurity Controls, (4) External Dependency Management, and (5) Cyber Incident Management and Resilience. Each domain includes assessment factors and contributing components. Going through each domain will enable an institution to determine which maturity level, ranging from baseline to innovative, it falls within for that domain. The Tool is not designed to assign an institution a single overall maturity level.
Once the Inherent Risk Profile and Cybersecurity Maturity results are obtained, management of an institution should then review the two to determine whether they align. Generally speaking, an institution with higher inherent risk should have a higher maturity level. This final assessment should identify any gaps between the two and the institution would then develop a course of action to reduce risk or increase maturity levels.
The FFIEC designed the Tool to give institutions a measurable and repeatable process to assess risk and preparedness. Technology and the sophistication of cyber criminals are constantly evolving, so the Tool provides a routine practice for periodically monitoring the institution’s cybersecurity management. The National Credit Union Administration (NCUA) has already announced it will integrate the Tool into its exam process to assess a credit union’s preparedness. All financial institutions should consider utilizing the Tool as part of their cybersecurity management. – Erin Deal Johnson
The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2019.