SlideShare a Scribd company logo

DoD Implements Broad Cybersecurity Information–Sharing Program

Patton Boggs LLP
Patton Boggs LLP
1 of 2
Download to read offline
May 16, 2012 DoD Implements Broad Cybersecurity Information–Sharing Program Cybersecurity Client Alert On May 11, 2012, the Department of Defense (DoD) published an interim final rule expanding This Alert provides only its pilot program institutionalizing the sharing of cyber threat information between DoD and its general information and contractors. Comments on the rule are due on July 10, 2012. The following description of the rule outlines the basics of the program, the benefits of participation, the eligibility should not be relied upon as requirements, and the program mechanics. legal advice. This Alert may be considered attorney What is the Basic Purpose of the Program? advertising under court and DoD’s program establishes a bilateral cybersecurity information sharing activity among bar rules in certain Defense Industrial Base (DIB) government and industry stakeholders. As part of the program, jurisdictions. DoD will provide cyber threat information and information security best practices to participating companies in order to improve their abilities to safeguard information. For their part, participating companies are to report cyber intrusion incidents to the Defense Cyber For more information, contact Crime Center's DoD-DIB Collaborative Information Sharing Environment (DCIS). DCISE will your Patton Boggs LLP analyze these reports to accumulate information regarding cyber threats and vulnerabilities, attorney or the authors listed and develop effective response measures which DCISE will share with participating below. companies. In addition to this initial reporting and analysis, DoD and the reporting company may pursue, on a voluntary basis, more detailed, digital forensics analysis or damage assessments of individual incidents. Mary Beth Bosco mbbosco@pattonboggs.com What are the Benefits of Participation? Participation in the program is voluntary. Large defense contractors, such as Lockheed WWW.PATTONBOGGS.COM Martin, participated in the smaller, pilot DoD program and have announced they will participate in the expanded program. A DIB program participant will have access to DoD's experience in and resources for predicting and countering cyber attacks and to industry lessons learned. The rule sets out procedures for protecting contractor data on cyber breaches, thus allowing DoD to share on a non-attribution basis the experiences of other contractors, and best practices for detecting, preventing, and minimizing the risks and damage from cyber attacks. Accordingly, the most obvious benefit of program participation is access to both DoD and industry cyber threat assessment, prevention, and mitigation information. This benefit, however, will come with a cost of implementation and a reporting requirement. There is also the open question of potential liability or claims based on a participating company’s determination not to implement best practices which it becomes aware of through the program. Who is Eligible and What Information is Covered? To be eligible for the program, a company must have a facility clearance approved to handle at least secret information. The DIB company also must possess two or more DoD-approved assurance certificates to allow the sharing of unclassified data with the government, obtain a DoD Communications Security (COMSEC) account, and follow other protocols to be able to access and share data with the government.
The data covered by the program includes technical information as designated by DoD, export-controlled information, critical program information, personally identifiable information, information that could be assembled by hostile intelligence systems, nonclassified controlled information (such as information marked as "For Official Use Only"), and information protected from release by the Freedom of Information Act. If your company's IT system collects, develops, receives, transmits, uses or stores this type of information, and you meet the other criteria described above, you are eligible for the DIB program. How Does the Program Work? Once accepted in the program, contractors will be required to report cyber incidents to DoD within 72 hours of their occurrence. Once advised of the incident, DoD may choose to perform a cyber damage assessment report and work to develop the means to minimize the damage and prevent future similar incidents. On a non-attribution basis, DoD may also provide the information it develops concerning the nature, scope, prevention and mitigation of the cyber attack to other program participants (“Government Furnished Information” or “GFI”). Because the DIB program is premised on the exchange of information between DoD and its contractors, DoD’s interim final regulations focus on data protection. First, DIB contractors may only use GFI to safeguard information on covered DIB systems that are U.S.-based and may only share GFI with U.S. citizens within their organization. If a DIB contractor uses a third-party service provider (SP) for information system security systems, DoD must approve the SP. The approved SP will be required to enter into an agreement with the DIB contractor to be bound by all applicable DIB program requirements. Second, the government acknowledges that information shared by DIB participants may include extremely sensitive proprietary, commercial, or operational information that is not customarily shared outside of the company, and that the unauthorized use or disclosure of such information could cause substantial competitive harm to the DIB participant that reported that information. Accordingly, the government commits to restrict its internal use and disclosure of attribution information to government personnel and government support contractors that are bound by appropriate confidentiality obligations and restrictions relating to the handling of the sensitive information. In further recognition of the protections to be given the shared information, DoD and each DIB participant must enter into a Standardized Framework Agreement (FA) which will memorialize the procedures set forth in the new rule and the means of protecting the exchanged information. Participation in the DIB program is voluntary and does not obligate the participant to utilize the GFI in, or otherwise to implement any changes to, its information systems. Thus, there is no requirement for a DIB contractor to change its IT systems based on information concerning threat protection it receives under the program. This discretion raises an interesting question: If a cyber breach occurs after a participating company receives GFI containing best practices for breach protection and chooses not to implement the best practices, will any third-parties – such as employees, consumers, or shareholders – be able to use the non-implementation choice against the company? This is an open question, and one which should be weighed when a company considers whether to participate in the DIB cyber program. This Alert provides only general information and should not be relied upon as legal advice. This Alert may also be considered attorney advertising under court and bar rules in certain jurisdictions. WASHINGTON DC | NORTHERN VIRGINIA | NEW JERSEY | NEW YORK | DALLAS | DENVER | ANCHORAGE | DOHA, QATAR ABU DHABI, UAE

Recommended

Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance TempRohan Sehgal
 
Improving cyber-security through acquisition
Improving cyber-security through acquisitionImproving cyber-security through acquisition
Improving cyber-security through acquisitionChristopher Dorobek
 
Asset 1 security-in-the-cloud
Asset 1 security-in-the-cloudAsset 1 security-in-the-cloud
Asset 1 security-in-the-clouddrewz lin
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010Scientia Groups
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And KeyYarko Petriw
 
New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...NationalUnderwriter
 
Cyber-insurance and liability caps proposed as incentives by Department of Co...
Cyber-insurance and liability caps proposed as incentives by Department of Co...Cyber-insurance and liability caps proposed as incentives by Department of Co...
Cyber-insurance and liability caps proposed as incentives by Department of Co...David Sweigert
 

Recommended

Cyber Insurance Temp
Cyber Insurance TempCyber Insurance Temp
Cyber Insurance TempRohan Sehgal
 
Improving cyber-security through acquisition
Improving cyber-security through acquisitionImproving cyber-security through acquisition
Improving cyber-security through acquisitionChristopher Dorobek
 
Asset 1 security-in-the-cloud
Asset 1 security-in-the-cloudAsset 1 security-in-the-cloud
Asset 1 security-in-the-clouddrewz lin
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010Scientia Groups
 
Cover and CyberSecurity Essay
Cover and CyberSecurity EssayCover and CyberSecurity Essay
Cover and CyberSecurity EssayMichael Solomon
 
Under Lock And Key
Under Lock And KeyUnder Lock And Key
Under Lock And KeyYarko Petriw
 
New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...New York State Department of Financial Services Expands Its Cyber Focus to In...
New York State Department of Financial Services Expands Its Cyber Focus to In...NationalUnderwriter
 
Cyber-insurance and liability caps proposed as incentives by Department of Co...
Cyber-insurance and liability caps proposed as incentives by Department of Co...Cyber-insurance and liability caps proposed as incentives by Department of Co...
Cyber-insurance and liability caps proposed as incentives by Department of Co...David Sweigert
 
Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentationEthan S. Burger
 
Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)NAFCU Services Corporation
 
Takshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in IndiaTakshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in IndiaThe Takshashila Institution
 
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Don Grauel
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services OfferedRachel Anne Carter
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
CS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudCS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudPaige Rasid
 
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Cyber Insurance, A Novel of 2017, Q1. By Statewide InsuranceCyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Cyber Insurance, A Novel of 2017, Q1. By Statewide InsuranceStatewide Insurance Brokers
 
Data Breach Response Guide (Whitepaper))
Data Breach Response Guide (Whitepaper))Data Breach Response Guide (Whitepaper))
Data Breach Response Guide (Whitepaper))NAFCU Services Corporation
 
GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...
GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...
GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...Patton Boggs LLP
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data SecurityImperva
 
Cyber Liability Risk
Cyber Liability RiskCyber Liability Risk
Cyber Liability RiskChristopher Rieser
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk
 
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...Microsoft
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Richard Brzakala
 
Cyber security cgi moving forward
Cyber security cgi moving forwardCyber security cgi moving forward
Cyber security cgi moving forwardNils Thulin
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...SafeNet
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
Deconstructing the cost of a data breach
Deconstructing the cost of a data breachDeconstructing the cost of a data breach
Deconstructing the cost of a data breachPatrick Florer
 
Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Michael C. Keeling, Esq.
 
TRIA Cyber Risk Study (GAO)
TRIA Cyber Risk Study (GAO)TRIA Cyber Risk Study (GAO)
TRIA Cyber Risk Study (GAO)JasonSchupp1
 

More Related Content

What's hot

Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentationEthan S. Burger
 
Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)NAFCU Services Corporation
 
Takshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in IndiaTakshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in IndiaThe Takshashila Institution
 
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Don Grauel
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services OfferedRachel Anne Carter
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Erik Ginalick
 
CS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudCS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudPaige Rasid
 
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Cyber Insurance, A Novel of 2017, Q1. By Statewide InsuranceCyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Cyber Insurance, A Novel of 2017, Q1. By Statewide InsuranceStatewide Insurance Brokers
 
GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...
GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...
GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...Patton Boggs LLP
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data SecurityImperva
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk
 
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...Microsoft
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Richard Brzakala
 
Cyber security cgi moving forward
Cyber security cgi moving forwardCyber security cgi moving forward
Cyber security cgi moving forwardNils Thulin
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...SafeNet
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
Deconstructing the cost of a data breach
Deconstructing the cost of a data breachDeconstructing the cost of a data breach
Deconstructing the cost of a data breachPatrick Florer
 

What's hot (20)

Ci2 cyber insurance presentation
Ci2 cyber insurance presentationCi2 cyber insurance presentation
Ci2 cyber insurance presentation
 
Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)Data Breaches Preparedness (Credit Union Conference Session)
Data Breaches Preparedness (Credit Union Conference Session)
 
Takshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in IndiaTakshashila Blue Paper: Charting a New Framework for Data Protection in India
Takshashila Blue Paper: Charting a New Framework for Data Protection in India
 
Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101Statewide Insurance Brokers - Cyber Insurance 101
Statewide Insurance Brokers - Cyber Insurance 101
 
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
Discussing Cyber Risk Coverage With Your Commercial Clients by Steve Robinson...
 
The Security Circle- Services Offered
The Security Circle- Services OfferedThe Security Circle- Services Offered
The Security Circle- Services Offered
 
Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991Managed Security For A Not So Secure World Wp090991
Managed Security For A Not So Secure World Wp090991
 
CS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudCS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & Fraud
 
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Cyber Insurance, A Novel of 2017, Q1. By Statewide InsuranceCyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
Cyber Insurance, A Novel of 2017, Q1. By Statewide Insurance
 
Data Breach Response Guide (Whitepaper))
Data Breach Response Guide (Whitepaper))Data Breach Response Guide (Whitepaper))
Data Breach Response Guide (Whitepaper))
 
GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...
GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...
GSA Seeks Industry Comments on How Best to Incorporate Cybersecurity into Fed...
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data Security
 
Cyber Liability Risk
Cyber Liability RiskCyber Liability Risk
Cyber Liability Risk
 
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
 
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
 
Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals Law Firm Hacked by Cyber Criminals
Law Firm Hacked by Cyber Criminals
 
Cyber security cgi moving forward
Cyber security cgi moving forwardCyber security cgi moving forward
Cyber security cgi moving forward
 
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
4 Steps to Financial Data Security Compliance Technologies to Help Your Finan...
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
Deconstructing the cost of a data breach
Deconstructing the cost of a data breachDeconstructing the cost of a data breach
Deconstructing the cost of a data breach
 

Similar to DoD Implements Broad Cybersecurity Information–Sharing Program

Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Michael C. Keeling, Esq.
 
TRIA Cyber Risk Study (GAO)
TRIA Cyber Risk Study (GAO)TRIA Cyber Risk Study (GAO)
TRIA Cyber Risk Study (GAO)JasonSchupp1
 
Cybersecurity 101: Government Contracts
Cybersecurity 101: Government ContractsCybersecurity 101: Government Contracts
Cybersecurity 101: Government ContractsPatton Boggs LLP
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software developmentMuhammadArif823
 
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...Patton Boggs LLP
 
Webcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats ReportWebcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats ReportJasonSchupp1
 
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
10 Legal Challenges in Creating a BYOD Policy - Lou MilradLou Milrad
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousEthan S. Burger
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...TraintechTde
 
CBIZ Cyber Liability Flyer
CBIZ Cyber Liability FlyerCBIZ Cyber Liability Flyer
CBIZ Cyber Liability FlyerCBIZ, Inc.
 
Digital economy and its effect on cyber risk
Digital economy and its effect on cyber riskDigital economy and its effect on cyber risk
Digital economy and its effect on cyber riskaakash malhotra
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen Hamilton
 
Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfdotco
 
clearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureclearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureLee Dalton
 
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure FrameworkSecurity and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure FrameworkIOSR Journals
 
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...Jon Polenberg
 
July CLE Webinar material: Best Practices for Victim Response and Reporting o...
July CLE Webinar material: Best Practices for Victim Response and Reporting o...July CLE Webinar material: Best Practices for Victim Response and Reporting o...
July CLE Webinar material: Best Practices for Victim Response and Reporting o...LexisNexis
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityPaul Ferrillo
 

Similar to DoD Implements Broad Cybersecurity Information–Sharing Program (20)

Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1Cloud security law cyber insurance issues phx 2015 06 19 v1
Cloud security law cyber insurance issues phx 2015 06 19 v1
 
TRIA Cyber Risk Study (GAO)
TRIA Cyber Risk Study (GAO)TRIA Cyber Risk Study (GAO)
TRIA Cyber Risk Study (GAO)
 
Cybersecurity 101: Government Contracts
Cybersecurity 101: Government ContractsCybersecurity 101: Government Contracts
Cybersecurity 101: Government Contracts
 
Maintain data privacy during software development
Maintain data privacy during software developmentMaintain data privacy during software development
Maintain data privacy during software development
 
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
Government Contractors Now Subject to Cybersecurity Regulations – And More ar...
 
Webcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats ReportWebcast - TRIA GAO Cyber Threats Report
Webcast - TRIA GAO Cyber Threats Report
 
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
10 Legal Challenges in Creating a BYOD Policy - Lou Milrad
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
7th ERM - S2 - Cyber security, Cyber Risk and Data Privacy - Kalpesh Doshi (1...
 
CBIZ Cyber Liability Flyer
CBIZ Cyber Liability FlyerCBIZ Cyber Liability Flyer
CBIZ Cyber Liability Flyer
 
Digital economy and its effect on cyber risk
Digital economy and its effect on cyber riskDigital economy and its effect on cyber risk
Digital economy and its effect on cyber risk
 
B crisis
B crisisB crisis
B crisis
 
Booz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of DirectorsBooz Allen's 10 Cyber Priorities for Boards of Directors
Booz Allen's 10 Cyber Priorities for Boards of Directors
 
GSA's Presentation on Improving Cyber Security Through Acquisition
GSA's Presentation on Improving Cyber Security Through AcquisitionGSA's Presentation on Improving Cyber Security Through Acquisition
GSA's Presentation on Improving Cyber Security Through Acquisition
 
Training Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdfTraining Catalogue - CyberSec_Technocracy.pdf
Training Catalogue - CyberSec_Technocracy.pdf
 
clearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureclearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochure
 
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure FrameworkSecurity and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
 
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
criminal_division_guidance_on_best_practices_for_victim_response_and_reportin...
 
July CLE Webinar material: Best Practices for Victim Response and Reporting o...
July CLE Webinar material: Best Practices for Victim Response and Reporting o...July CLE Webinar material: Best Practices for Victim Response and Reporting o...
July CLE Webinar material: Best Practices for Victim Response and Reporting o...
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
 

More from Patton Boggs LLP

Crimea: U.S. Response Intensifies As Congress, President Obama Issue More San...
Crimea: U.S. Response Intensifies As Congress, President Obama Issue More San...Crimea: U.S. Response Intensifies As Congress, President Obama Issue More San...
Crimea: U.S. Response Intensifies As Congress, President Obama Issue More San...Patton Boggs LLP
 
Update: Employer Responsibilities Under the Affordable Care Act
Update: Employer Responsibilities Under the Affordable Care ActUpdate: Employer Responsibilities Under the Affordable Care Act
Update: Employer Responsibilities Under the Affordable Care ActPatton Boggs LLP
 
Crimea: U.S. Executive Actions and Legal Implications of Overlapping Global S...
Crimea: U.S. Executive Actions and Legal Implications of Overlapping Global S...Crimea: U.S. Executive Actions and Legal Implications of Overlapping Global S...
Crimea: U.S. Executive Actions and Legal Implications of Overlapping Global S...Patton Boggs LLP
 
Protecting Patient Information - Feds Find Security Lapses in State and Local...
Protecting Patient Information - Feds Find Security Lapses in State and Local...Protecting Patient Information - Feds Find Security Lapses in State and Local...
Protecting Patient Information - Feds Find Security Lapses in State and Local...Patton Boggs LLP
 
American University International Law Review Annual Symposium: Managing the G...
American University International Law Review Annual Symposium: Managing the G...American University International Law Review Annual Symposium: Managing the G...
American University International Law Review Annual Symposium: Managing the G...Patton Boggs LLP
 
Reinsurance Newsletter - March 2014
Reinsurance Newsletter - March 2014Reinsurance Newsletter - March 2014
Reinsurance Newsletter - March 2014Patton Boggs LLP
 
Supreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent Cases
Supreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent CasesSupreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent Cases
Supreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent CasesPatton Boggs LLP
 
FTC Announces Study of "Patent Assertion Entities"
FTC Announces Study of "Patent Assertion Entities"FTC Announces Study of "Patent Assertion Entities"
FTC Announces Study of "Patent Assertion Entities"Patton Boggs LLP
 
ALJ Ruling on Heart Attack Reporting Requirements Creates Split of Authority
ALJ Ruling on Heart Attack Reporting Requirements Creates Split of AuthorityALJ Ruling on Heart Attack Reporting Requirements Creates Split of Authority
ALJ Ruling on Heart Attack Reporting Requirements Creates Split of AuthorityPatton Boggs LLP
 
New TCPA Requirements for "Prior Express Written Consent" Effective October 16
New TCPA Requirements for "Prior Express Written Consent" Effective October 16New TCPA Requirements for "Prior Express Written Consent" Effective October 16
New TCPA Requirements for "Prior Express Written Consent" Effective October 16Patton Boggs LLP
 
Reinsurance Newsletter ~ September 2013
Reinsurance Newsletter ~ September 2013Reinsurance Newsletter ~ September 2013
Reinsurance Newsletter ~ September 2013Patton Boggs LLP
 
The U.S. Chemical Safety Board to OSHA: Get to Work on Combustible Dust
The U.S. Chemical Safety Board to OSHA: Get to Work on Combustible DustThe U.S. Chemical Safety Board to OSHA: Get to Work on Combustible Dust
The U.S. Chemical Safety Board to OSHA: Get to Work on Combustible DustPatton Boggs LLP
 
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...Patton Boggs LLP
 
Capital Thinking ~ July 29, 2013
Capital Thinking ~ July 29, 2013Capital Thinking ~ July 29, 2013
Capital Thinking ~ July 29, 2013Patton Boggs LLP
 
Capital Thinking ~ July 22, 2013
Capital Thinking ~ July 22, 2013Capital Thinking ~ July 22, 2013
Capital Thinking ~ July 22, 2013Patton Boggs LLP
 
CFTC Cross-Border Guidance Frequently Asked Questions
CFTC Cross-Border Guidance Frequently Asked QuestionsCFTC Cross-Border Guidance Frequently Asked Questions
CFTC Cross-Border Guidance Frequently Asked QuestionsPatton Boggs LLP
 
Australia Elects a New Federal Government
Australia Elects a New Federal GovernmentAustralia Elects a New Federal Government
Australia Elects a New Federal GovernmentPatton Boggs LLP
 
"Advance Australia Fair" - The Australian Federal Election 2013
"Advance Australia Fair" - The Australian Federal Election 2013"Advance Australia Fair" - The Australian Federal Election 2013
"Advance Australia Fair" - The Australian Federal Election 2013Patton Boggs LLP
 
U.S. Securities and Exchange Commission Proposes New Rule on Pay Disclosure
U.S. Securities and Exchange Commission Proposes New Rule on Pay DisclosureU.S. Securities and Exchange Commission Proposes New Rule on Pay Disclosure
U.S. Securities and Exchange Commission Proposes New Rule on Pay DisclosurePatton Boggs LLP
 

More from Patton Boggs LLP (20)

Crimea: U.S. Response Intensifies As Congress, President Obama Issue More San...
Crimea: U.S. Response Intensifies As Congress, President Obama Issue More San...Crimea: U.S. Response Intensifies As Congress, President Obama Issue More San...
Crimea: U.S. Response Intensifies As Congress, President Obama Issue More San...
 
Update: Employer Responsibilities Under the Affordable Care Act
Update: Employer Responsibilities Under the Affordable Care ActUpdate: Employer Responsibilities Under the Affordable Care Act
Update: Employer Responsibilities Under the Affordable Care Act
 
Crimea: U.S. Executive Actions and Legal Implications of Overlapping Global S...
Crimea: U.S. Executive Actions and Legal Implications of Overlapping Global S...Crimea: U.S. Executive Actions and Legal Implications of Overlapping Global S...
Crimea: U.S. Executive Actions and Legal Implications of Overlapping Global S...
 
Protecting Patient Information - Feds Find Security Lapses in State and Local...
Protecting Patient Information - Feds Find Security Lapses in State and Local...Protecting Patient Information - Feds Find Security Lapses in State and Local...
Protecting Patient Information - Feds Find Security Lapses in State and Local...
 
American University International Law Review Annual Symposium: Managing the G...
American University International Law Review Annual Symposium: Managing the G...American University International Law Review Annual Symposium: Managing the G...
American University International Law Review Annual Symposium: Managing the G...
 
Reinsurance Newsletter - March 2014
Reinsurance Newsletter - March 2014Reinsurance Newsletter - March 2014
Reinsurance Newsletter - March 2014
 
Social Impact Bonds
Social Impact BondsSocial Impact Bonds
Social Impact Bonds
 
Supreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent Cases
Supreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent CasesSupreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent Cases
Supreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent Cases
 
FTC Announces Study of "Patent Assertion Entities"
FTC Announces Study of "Patent Assertion Entities"FTC Announces Study of "Patent Assertion Entities"
FTC Announces Study of "Patent Assertion Entities"
 
ALJ Ruling on Heart Attack Reporting Requirements Creates Split of Authority
ALJ Ruling on Heart Attack Reporting Requirements Creates Split of AuthorityALJ Ruling on Heart Attack Reporting Requirements Creates Split of Authority
ALJ Ruling on Heart Attack Reporting Requirements Creates Split of Authority
 
New TCPA Requirements for "Prior Express Written Consent" Effective October 16
New TCPA Requirements for "Prior Express Written Consent" Effective October 16New TCPA Requirements for "Prior Express Written Consent" Effective October 16
New TCPA Requirements for "Prior Express Written Consent" Effective October 16
 
Reinsurance Newsletter ~ September 2013
Reinsurance Newsletter ~ September 2013Reinsurance Newsletter ~ September 2013
Reinsurance Newsletter ~ September 2013
 
The U.S. Chemical Safety Board to OSHA: Get to Work on Combustible Dust
The U.S. Chemical Safety Board to OSHA: Get to Work on Combustible DustThe U.S. Chemical Safety Board to OSHA: Get to Work on Combustible Dust
The U.S. Chemical Safety Board to OSHA: Get to Work on Combustible Dust
 
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
 
Capital Thinking ~ July 29, 2013
Capital Thinking ~ July 29, 2013Capital Thinking ~ July 29, 2013
Capital Thinking ~ July 29, 2013
 
Capital Thinking ~ July 22, 2013
Capital Thinking ~ July 22, 2013Capital Thinking ~ July 22, 2013
Capital Thinking ~ July 22, 2013
 
CFTC Cross-Border Guidance Frequently Asked Questions
CFTC Cross-Border Guidance Frequently Asked QuestionsCFTC Cross-Border Guidance Frequently Asked Questions
CFTC Cross-Border Guidance Frequently Asked Questions
 
Australia Elects a New Federal Government
Australia Elects a New Federal GovernmentAustralia Elects a New Federal Government
Australia Elects a New Federal Government
 
"Advance Australia Fair" - The Australian Federal Election 2013
"Advance Australia Fair" - The Australian Federal Election 2013"Advance Australia Fair" - The Australian Federal Election 2013
"Advance Australia Fair" - The Australian Federal Election 2013
 
U.S. Securities and Exchange Commission Proposes New Rule on Pay Disclosure
U.S. Securities and Exchange Commission Proposes New Rule on Pay DisclosureU.S. Securities and Exchange Commission Proposes New Rule on Pay Disclosure
U.S. Securities and Exchange Commission Proposes New Rule on Pay Disclosure
 

DoD Implements Broad Cybersecurity Information–Sharing Program

  • 1. May 16, 2012 DoD Implements Broad Cybersecurity Information–Sharing Program Cybersecurity Client Alert On May 11, 2012, the Department of Defense (DoD) published an interim final rule expanding This Alert provides only its pilot program institutionalizing the sharing of cyber threat information between DoD and its general information and contractors. Comments on the rule are due on July 10, 2012. The following description of the rule outlines the basics of the program, the benefits of participation, the eligibility should not be relied upon as requirements, and the program mechanics. legal advice. This Alert may be considered attorney What is the Basic Purpose of the Program? advertising under court and DoD’s program establishes a bilateral cybersecurity information sharing activity among bar rules in certain Defense Industrial Base (DIB) government and industry stakeholders. As part of the program, jurisdictions. DoD will provide cyber threat information and information security best practices to participating companies in order to improve their abilities to safeguard information. For their part, participating companies are to report cyber intrusion incidents to the Defense Cyber For more information, contact Crime Center's DoD-DIB Collaborative Information Sharing Environment (DCIS). DCISE will your Patton Boggs LLP analyze these reports to accumulate information regarding cyber threats and vulnerabilities, attorney or the authors listed and develop effective response measures which DCISE will share with participating below. companies. In addition to this initial reporting and analysis, DoD and the reporting company may pursue, on a voluntary basis, more detailed, digital forensics analysis or damage assessments of individual incidents. Mary Beth Bosco mbbosco@pattonboggs.com What are the Benefits of Participation? Participation in the program is voluntary. Large defense contractors, such as Lockheed WWW.PATTONBOGGS.COM Martin, participated in the smaller, pilot DoD program and have announced they will participate in the expanded program. A DIB program participant will have access to DoD's experience in and resources for predicting and countering cyber attacks and to industry lessons learned. The rule sets out procedures for protecting contractor data on cyber breaches, thus allowing DoD to share on a non-attribution basis the experiences of other contractors, and best practices for detecting, preventing, and minimizing the risks and damage from cyber attacks. Accordingly, the most obvious benefit of program participation is access to both DoD and industry cyber threat assessment, prevention, and mitigation information. This benefit, however, will come with a cost of implementation and a reporting requirement. There is also the open question of potential liability or claims based on a participating company’s determination not to implement best practices which it becomes aware of through the program. Who is Eligible and What Information is Covered? To be eligible for the program, a company must have a facility clearance approved to handle at least secret information. The DIB company also must possess two or more DoD-approved assurance certificates to allow the sharing of unclassified data with the government, obtain a DoD Communications Security (COMSEC) account, and follow other protocols to be able to access and share data with the government.
  • 2. The data covered by the program includes technical information as designated by DoD, export-controlled information, critical program information, personally identifiable information, information that could be assembled by hostile intelligence systems, nonclassified controlled information (such as information marked as "For Official Use Only"), and information protected from release by the Freedom of Information Act. If your company's IT system collects, develops, receives, transmits, uses or stores this type of information, and you meet the other criteria described above, you are eligible for the DIB program. How Does the Program Work? Once accepted in the program, contractors will be required to report cyber incidents to DoD within 72 hours of their occurrence. Once advised of the incident, DoD may choose to perform a cyber damage assessment report and work to develop the means to minimize the damage and prevent future similar incidents. On a non-attribution basis, DoD may also provide the information it develops concerning the nature, scope, prevention and mitigation of the cyber attack to other program participants (“Government Furnished Information” or “GFI”). Because the DIB program is premised on the exchange of information between DoD and its contractors, DoD’s interim final regulations focus on data protection. First, DIB contractors may only use GFI to safeguard information on covered DIB systems that are U.S.-based and may only share GFI with U.S. citizens within their organization. If a DIB contractor uses a third-party service provider (SP) for information system security systems, DoD must approve the SP. The approved SP will be required to enter into an agreement with the DIB contractor to be bound by all applicable DIB program requirements. Second, the government acknowledges that information shared by DIB participants may include extremely sensitive proprietary, commercial, or operational information that is not customarily shared outside of the company, and that the unauthorized use or disclosure of such information could cause substantial competitive harm to the DIB participant that reported that information. Accordingly, the government commits to restrict its internal use and disclosure of attribution information to government personnel and government support contractors that are bound by appropriate confidentiality obligations and restrictions relating to the handling of the sensitive information. In further recognition of the protections to be given the shared information, DoD and each DIB participant must enter into a Standardized Framework Agreement (FA) which will memorialize the procedures set forth in the new rule and the means of protecting the exchanged information. Participation in the DIB program is voluntary and does not obligate the participant to utilize the GFI in, or otherwise to implement any changes to, its information systems. Thus, there is no requirement for a DIB contractor to change its IT systems based on information concerning threat protection it receives under the program. This discretion raises an interesting question: If a cyber breach occurs after a participating company receives GFI containing best practices for breach protection and chooses not to implement the best practices, will any third-parties – such as employees, consumers, or shareholders – be able to use the non-implementation choice against the company? This is an open question, and one which should be weighed when a company considers whether to participate in the DIB cyber program. This Alert provides only general information and should not be relied upon as legal advice. This Alert may also be considered attorney advertising under court and bar rules in certain jurisdictions. WASHINGTON DC | NORTHERN VIRGINIA | NEW JERSEY | NEW YORK | DALLAS | DENVER | ANCHORAGE | DOHA, QATAR ABU DHABI, UAE