[co-author: Stacy Hadeka]

While all companies should be concerned with their cybersecurity posture, companies in the aerospace, defense, and government services (ADG) industry are potentially subject to greater risks due to the industry's highly technical and sensitive nature. The constantly evolving threat means that safeguarding measures that may have been reasonable in the recent past are unlikely to meet government regulators’ expectations in the future. Neither the government nor the private sector can protect systems and networks without extensive and close cooperation. It is critically important that ADG companies stay abreast of the latest safeguarding standards, contractual and regulatory requirements (including incident reporting), threat information sharing, and best cybersecurity practices.   

Below we discuss five cybersecurity trends that are likely to affect ADG companies that conduct business with the U.S. Government in 2017.
 
New cyber threat information sharing initiatives

The Cybersecurity Information Sharing Act Of 2015 (CISA)¹  created a voluntary process that encourages the private sector to share cyber threat indicators (CTI) and defensive measures (DM) with any other private entity or a federal entity for a cybersecurity purpose. While there is no requirement for ADG companies to share or receive information under CISA, doing so could become increasingly beneficial in light of the increasing number of information safeguarding and incident reporting requirements imposed on the ADG sector. 

CISA provides a safe harbor from civil liability for private entities that share CTI and DM information in accordance with its provisions. Specifically, CISA provides that “[n]o cause of action shall lie or be maintained in any court against any private entity, and such action shall be promptly dismissed” for the sharing or receipt of a CTI or DM conducted in accordance with CISA procedures.² However, CISA’s safe harbor does not shield entities from potential liability for data breaches or other cybersecurity incidents – it only shields them from liability for their act of sharing or receiving such information.

On 14 October 2016, the Department of Defense (DOD) issued a final rule for the Defense Industrial Base (DIB) Cybersecurity (CS) Activities program.³ The DIB CS program has (1) a mandatory incident reporting component (discussed further below), and (2) a voluntary information sharing component that allows eligible DIB companies to “share cyber threat information and cybersecurity best practices” with other program members. Information sharing participants have access to the DOD Cyber Crime Center (DC3), including analyst-analyst exchanges, best practices, and mitigation and remediation strategies. The final rule states that “through cyber incident reporting and voluntary cyber threat information sharing, both DOD and the DIB have a better understanding of adversary actions and the impact on DOD information and warfighting capabilities.”

New federal cyber incident reporting policies

On 27 July 2016, the White House released Presidential Policy Directive 41 (PPD-41) United States Cyber Incident Coordination, to clarify roles and responsibilities in response to a major cyber incident. PPD-41 effectively codifies agency and industry collaboration and best practices that have evolved in response to recent major cyber-attacks. The PPD’s incident response framework, which will apply “irrespective of whether the targeted entity lies in the public or private sector,” assigns lead response roles as follows: 

• The Department of Justice (DOJ) will lead the investigative component (acting through the FBI and the National Cyber Investigative Joint Task Force); 
• The Department of Homeland Security (DHS) will lead on asset protection (through the National Cybersecurity and Communications Integration Center (NCCIC)); and 
• The Office of the Director of National Intelligence (DNI) will lead intelligence support activities (through its Cyber Threat Intelligence Integration Center). 

In the event of a significant cyber incident, the National Security Council (NSC) Cyber Response Group will drive national policy coordination. In responding to the incident, a Cyber Unified Coordination Group (Cyber UCG), composed at minimum of “federal lead agencies for threat response, asset response, and intelligence support,” will be established to serve as the primary method for coordinating between and among federal agencies as well as for integrating private sector partners into incident response efforts, as appropriate. PPD-41 also requires DOJ and DHS to maintain updated contact information for public use to assist entities affected by cyber incidents in reporting incidents to the proper authorities.

In 2014, the Federal Information Security Management Act of 2002 (FISMA 2002)⁴ was significantly amended by the Federal Information Security Modernization Act of 2014 (FISMA 2014).⁵ The Office of Management and Budget (OMB) has historically issued annual FISMA guidance updates to agencies. This year’s  FY 2016-2017 Guidance On Federal Information Security And Privacy Management Requirements, OMB Memorandum M-17-05 (4 November, 2016), now defines a “major incident” as “any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Agencies should determine incident impact level by using the existing incident management process in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Computer Security Incident Handling Guide. Notably, an unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals’ personally identifiable information (PII) is by definition automatically considered a “major incident.”

The new OMB guidance reiterates that, although agencies may consult with the DHS United States Computer Emergency Readiness Team (US-CERT) on whether an incident is a “major incident,” ultimately it is the responsibility of the affected agency to make the determination, and agencies must report to US-CERT within one hour of determining an incident to be “major.” After an agency notifies US-CERT, DHS must notify OMB within one hour. An affected agency must also notify Congress within seven days after the date on which the agency determined that it has a reasonable basis to conclude that a “major incident” has occurred. Contractors should expect to find themselves playing a major role in incident response when federal information or information systems are involved.  

New and updated federal cybersecurity guidelines and standards

Over the past year the government has continued to release federal-specific information security standards that often differ from industry standards and pose challenges to companies contracting with the government. The approach to protecting information and the responsibilities imposed on contractors is further bifurcated between:

• Systems operated “on behalf of the Government” under FISMA; or
• Contractor internal systems that simply process federal information incidental to developing a product or service for the government. 

Systems operated on behalf of the government are generally required by FISMA to implement NIST 800-53 Security and Privacy Controls for Federal Information Systems security controls, and conform to the same information security processes as government systems, including undergoing a detailed security authorization process. As mandated by FISMA 2014, OMB released just this past year the first update since 2000 to OMB Circular A-130, Managing Information as a Strategic Resource (28 July 2016). The new A-130 gathers in one resource a wide range of policy updates for federal agencies regarding cybersecurity, information governance, privacy, records management, open data, and IT acquisitions. One of the key changes to the authorization process requires that agencies now perform ongoing reauthorization of systems (in lieu of the previous reauthorization process every three years).

For cloud service providers, the federal authorization process is conducted via the FedRAMP program. Until recently, the FedRAMP program only authorized cloud solutions at the FISMA “Low” or “Moderate” impact levels. This year, FedRAMP released its FedRAMP High Baseline Requirements - these security requirements will be used to protect some of the government’s most sensitive, unclassified data in cloud computing environments. DOD also updated its Cloud Computing Security Requirements Guide (SRG) that provides additional DOD specific requirements (layered on top of FedRAMP standards) for cloud solutions procured by the DOD. 

The federal government has also updated policies for contractors’ internal systems that incidentally contain government information. A new Federal Acquisition Regulation (FAR) contract clause (discussed in detail below) requires that such systems meet 15 specific security requirements. Separately, as part of the national Controlled Unclassified Information (CUI) program, contractor information systems that contain CUI will be expected to apply at a minimum the safeguards in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. SP 800-171. Revision 1 was released on 20 December 2016 and includes, among other changes, a new requirement for contractors to develop and implement a System Security Plan (SSP). Currently the only agency that specifically mandates compliance with 800-171 by contractors is the DOD. However, the publication of a FAR clause that applies 800-171 standards to all other federal contracts involving federal CUI is expected later in 2017.  

New contractual and regulatory requirements for safeguarding information

On 21 October 2016, the DOD issued its final rule on Network Penetration Reporting and Contracting for Cloud Services.⁶ This followed multiple interim rules over the previous year amending Defense Federal Acquisition Regulation Supplement (DFARS) clauses on safeguarding DOD information. The DFARS final rule applies to all DOD contractors and subcontractors, including small business and commercial item contractors, except contracts for the acquisition of COTS items. Covered contractors are required to safeguard Covered Defense Information (CDI)⁷ and “rapidly report” cyber incidents on contractor systems with CDI. Contractors are required to provide “adequate security” on all covered contractor information systems which means at a minimum, implementing all of the security requirements in NIST SP 800-171 by no later than 31 December 2017. Rapidly reporting is defined as reporting within 72 hours of the contractor’s discovery of the cyber incident using the reporting fields at https://dibnet.dod.mil.  

In a related rulemaking, the parallel mandatory cybersecurity incident reporting element of the DIB CS program now requires all DIB organizations that (1) have “agreements” with the DOD and (2) have CDI on their covered defense information systems to report cyber incidents to the DOD. This applies to all forms of DOD agreements, which is defined broadly as “contracts, grants, cooperative agreements, other transaction agreements, technology investment agreements, and any other type of legal instrument or agreement.” The DIB final rule notes that, for DOD procurement contracts, the DIB requirements are implemented through the DFARS rule discussed above. The bottom line for ADG companies is that if you have any type of DOD agreement and handle CDI then you will likely be subject to a DOD cyber incident reporting obligation.  

On 16 May 2016, more than three years after publication of a proposed rule, the government published the final rule for Basic Safeguarding of Covered Contractor Information Systems.⁸ The new contract clause FAR 52.204-21 identifies 15 security requirements, pulled verbatim from NIST SP 800-171, for safeguarding information systems owned or operated by a contractor that process, store, or transmit specified federal contract information (FCI). FCI is broadly defined as information “not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government” but excludes information provided by the Government to the public or simple transactional information. The FAR drafters have stressed that this rulemaking is less about the definition of a certain category of information and more about requiring contractors to have baseline cyber protections that the government believes every business should be implementing as a “best practice.”⁹  

Increased Federal Government emphasis on privacy concerns

As part of the OMB Circular A-130 revision, the former Appendix I (concerning how agencies should comply with the Privacy Act of 1974) was removed from A-130 and moved into the new OMB  Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, (23 December 2016).¹⁰ A-108 provides guidance to agencies on their responsibilities for “system[s] of records” under the Privacy Act, including a new requirement to establish and maintain an agency-wide privacy continuous monitoring (PCM) program. The Circular notes that the “requirement to establish and maintain a PCM program has replaced the prior OMB requirement for agencies to conduct annual Privacy Act reviews.”

On 20 December 2016, the FAR Council issued a final rule requiring certain federal contractor employees to take initial and annual privacy training.¹¹ Under the new contract clause, FAR 52.224-3, Privacy Training, contractors are responsible for ensuring that training is completed by their contractor employees that:

• Have access to a “system of records” under the Privacy Act of 1974;
• Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle PII on behalf of the agency; or
• Design, develop, maintain, or operate a system of records.

One of the training topics that must be covered under FAR 52.224-3 is regarding procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII. The FAR clause directs contractors to OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information (which was only officially released on 3 January 2017, after the FAR rulemaking, as OMB Memorandum M-17-12). OMB M-17-12 provides the policy for agencies to prepare for and respond to a breach of PII. It also directs agencies to ensure that breach response requirements are included in contracts when a contractor collects or maintains federal information on behalf of the agency or uses or operates an information system on behalf of the agency. Among other things, this includes requiring contractors and subcontractors (at any tier) to: 

• Properly encrypt PII; 
• Report a suspected or confirmed breach in accordance with agency procedures; and
• Allow for inspection, investigation, forensic analysis, and any other actions necessary to comply with OMB M-17-12 and assisting the agency with responding to a breach.

Conclusion

Over the past year the federal government continued to prioritize cybersecurity, and it does not appear this is going to change any time soon. Despite a proclaimed intent to reduce regulations in other areas, the new presidential administration has given no indication that it intends to modify, rescind, or otherwise roll back any cybersecurity rules (in fact, as of this writing, the industry is still awaiting the final version of this administration’s proposed cybersecurity Executive Order). ADG companies that do business with the U.S. Government are faced with a variety of cybersecurity rules and contractual requirements that are unique to the federal government. We expect cybersecurity for the ADG sector to remain a highly active field for the remainder of 2017.

¹      Pub. L. 114-113.
²      CISA Section 106(a), codified at 6 U.S.C § 1505. 
³      81 Fed. Reg. 68,312.
⁴      Pub. L. No. 107-347.
⁵      Pub. L. No. 113 - 283
⁶      81 Fed. Reg. 72,986.
⁷      “CDI” means DOD unclassified controlled technical information (UCTI) or other information identified on the CUI Registry that is either (1) “marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DOD in support of the performance of the agreement” or (2) “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement.”  A “covered defense information system” means an unclassified information system owned or operated by or for a contractor that process, stores, or transmits CDI.
⁸      81 Fed. Reg. 30,439.
⁹      The preamble to the final rule states it “…focuses on ensuring a basic level of safeguarding for any contractor system with Federal information, reflective of actions a prudent business person would employ…”.
¹⁰      81 Fed. Reg. 94,424.
¹¹      81 Fed. Reg. 93,476.