Cybersecurity 101: Government Contracts
MARCH 7, 2013
GOVERNMENT CONTRACTS AND CYBERSECURITY CLIENT ALERT

CYBERSECURITY 101: GOVERNMENT CONTRACTORS

This Alert provides only general information and should not be relied upon as legal advice. This Alert may be considered attorney advertising under court and bar rules in certain jurisdictions.

For more information, contact your Patton Boggs LLP attorney or the authors listed below.
MARY BETH BOSCO, mbbosco@pattonboggs.com
NORMA KRAYEM, nkrayem@pattonboggs.com

Offices: Abu Dhabi, Anchorage, Dallas, Denver, Doha, New Jersey, New York, Riyadh, Washington DC

If you are a contractor with the federal government, and if you are not already subject to regulations governing the security of your computer systems, you soon will be. On February 12, 2013, President Obama issued an Executive Order titled “Improving Critical Infrastructure Cybersecurity.” Section 8(e) of the Order gives DoD, GSA, and the Federal Acquisition Regulatory Council 120 days to make recommendations on the “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” The recommendations must also address steps to harmonize existing procurement regulations related to cybersecurity.

In order to assist in understanding how the actions outlined in the Executive Order could impact companies doing business with the federal government, this Client Alert summarizes the major cyber regulations already focusing on government contractors. It covers the existing GSA regulations, the proposed amendments to the Federal Acquisition Regulation (“FAR”) and the Defense FAR Supplement (“DFARS”), and the 2013 National Defense Authorization Act (“NDAA”) provisions. In addition to establishing minimum standards for cyber protection, these provisions offer opportunities for companies either to obtain procurement advantages or to sell their products and services to the government.

GSA’S CYBERSECURITY REQUIREMENTS

GSA released its cyber regulations in January 2012. They apply to GSA contracts for IT supplies, services or systems which involve physical or electronic access to non-classified government information supporting GSA’s mission. The basic requirements are:

• IT Security Plan: Covered contractors must submit an IT security plan to their contracting officers within 30 days of contract award. The plan must include a continuous monitoring program to detect cyber intrusions.
• Security Authorization: Within six months of award, contractors must submit either a self-certification to, or a third-party validation of, compliance with the National Institute of Standards and Technology (“NIST”) Special Publication 800-37.

PattonBoggs.com Cybersecurity 101: Government Contractors 1
• Notice and Access: GSA contractors must notify GSA each time an employee with access to GSA information leaves or is hired. GSA is also entitled to access to contractor and subcontractor personnel for the purpose of inspection, investigation or audit relating to cybersecurity regulation.

DOD PROPOSED REGULATIONS

DoD proposed cyber regulations in 2011. Its most recent regulatory agenda projects the regulations to be finalized this year. The regulations cover non-public, non-classified DoD information resident on or transiting through a contractor’s systems. The proposed rules divide covered information into two subsets, basic and enhanced information, with different protections applied to each.

• Basic Information: This is non-public information (i.e., information not releasable under the Freedom of Information Act) used or generated in support of a DoD activity. Absent DoD’s determination that information is releasable, and with certain exceptions for audits and investigations, the proposed rules preclude contractors from releasing basic level information outside of their organizations or to employees or subcontractors who do not have a need to know the information. In addition to this release restriction, the proposed rules identify specific, minimum protections for even “basic” information. These are:
  o Contractors cannot process government information on publicly accessible computers or on company computers that do not have access control.
  o Contractors’ electronic transmission systems must provide “the best level of security and privacy available, given facilities, conditions, and environment.”
  o Voice data may only be transmitted when the user has reasonable assurance that access is limited to authorized recipients.
  o When information is not being accessed, it must be protected by at least one physical barrier (e.g., lock or password).
  o Contractors must have procedures to clear information from devices before they are released or discarded.
  o Contractors must have minimum intrusion protections, including regularly updated malware protection and prompt application of security-related patches and upgrades.
• Enhanced Information: The second category of covered information is “enhanced” information, which includes information designated by DoD as critical, information subject to the export control laws, information subject to DoD-specific FOIA directives, information designated as controlled information (such as “Official Use Only”), personal identification information, and certain technical information. To meet the enhanced protection requirements, a contractor’s security program will need to comply with the specific standards set forth in NIST Special Publication 800-53. Importantly, DoD’s proposal mandates reporting of cyber incidents affecting enhanced DoD information within 72 hours of discovery.
PROPOSED FAR REGULATIONS

A cyber amendment is also slated for the FAR. Once final, the new FAR clause will apply to contracts exceeding the simplified acquisition threshold ($150,000), including commercial acquisitions. The clause must be flowed down to subcontracts at any tier. The new clause, which will be in FAR Part 52.204, identifies seven basic safeguards for contractor information systems through which nonpublic information generated by or for the government either resides or transits. The basic safeguards identified in the proposed FAR amendment are similar to the ones governing DoD “basic” information:

• Government information may not be processed on computers without access control or located in public areas. Similarly, government information cannot be posted on a public website. If posted to a website, the site must control access either through user identification and password, user certificate or other technical means, and must provide protection via use of security technologies.
• Electronic information may be transmitted only on systems that utilize technologies and processes that provide the best level of security and privacy available, given facilities, conditions and threat level.
• Transmission by voice or fax may only occur when the sender has a reasonable assurance that access is limited to authorized recipients.
• Systems must be protected by at least one level of physical barrier and one level of electronic barrier, such as lock and key in conjunction with a password, when not in the direct control of the individual user.
• Media that is being released or discarded must be cleared and sanitized.
• The contractor must provide at least the following means of intrusion protection: current and regularly updated malware protection, such as anti-virus software and anti-spyware software; and prompt application of security-related upgrades and patches.
• Information may only be transferred to those subcontractors with a contractual need to have the information and who employ the safeguards described in the clause.

These proposed requirements will require covered contractors to review not just their hardware and software systems, but their facilities, employee practices, record-keeping systems, and subcontract relationships in order to ensure compliance.
THE NATIONAL DEFENSE AUTHORIZATION ACT

The 2013 NDAA instructs the Secretary of Defense to establish procedures requiring certain government contractors to report to DoD when one of their networks or information systems is “successfully penetrated.” Contractors covered by this provision are those holding security clearances. The procedures are due within 90 days of the NDAA’s enactment, which was January 2, 2013.

The NDAA requires the reports to include: (1) a description of the technique or method used in the system penetration; (2) if discovered and isolated, a sample of the malicious software; and (3) a summary of information that was potentially compromised by the penetration. While contractors handling classified information already are required to report unauthorized access to classified information, the NDAA’s new reporting regime covers a broader spectrum of incursion, as it presumably will cover external penetration of any of a cleared contractor’s computer systems. Under the new procedures, DoD will be able to obtain access to the contractor’s equipment or information for the purposes of conducting a forensic analysis, subject to appropriate protections for trade secrets, other confidential business information, and personal identification information.

In addition to establishing mandatory reporting of cyber incursions by cleared contractors, the 2013 NDAA contains opportunities for companies providing software, systems, and system engineering to DoD. For example, Section 932 requires DoD to develop a strategy to acquire open-architecture, next-generation, host-based cybersecurity tools and equipment in time for inclusion in the FY 2015 budget. Similarly, the agency is to develop a baseline software assurance policy for all major software systems, and it must prepare an analysis of available large-scale software database or data analysis tools and determine whether to acquire such tools from the private sector.

CONCLUSION

This year will bring significant Congressional and executive branch cybersecurity activity. For government contractors, the proposed FAR and DFARS regulations provide a roadmap to prepare for the requirements that are certain to come. There will also be business opportunities. President Obama’s Executive Order envisions procurement preferences for companies with robust cybersecurity policies and procedures in place. The NDAA signals new DoD system standards that will require the supply of innovative software and hardware solutions to the agency.

For additional information, please contact:
Mary Beth Bosco, mbbosco@pattonboggs.com, 202.457.6420
Norma Krayem, nkrayem@pattonboggs.com, 202.457.5206