Cybersecurity for Government Contractors
Presentation by Covington & Burling LLP
Confidential and Proprietary
The Cyber Paradigm
3 
Cybersecurity is the No. 1 Concern of General Counsel and Directors
4 
The Cyber Risk Paradigm
• Cyber risks present a real and present danger to business operations, costs, and, for some, continued viability
• Cyber risks are a legal problem, an operational problem, and a governance problem – not simply a technological one
• Corporate leaders have a fiduciary responsibility to understand and manage cyber risks
• Leaders must bring together key components of the organization to develop joint ownership of risks and a comprehensive approach to cybersecurity
5 
Threat: Actors and Motivations 
Nation States – Gain an upper hand, perform low level attacks 
Organized Criminals – Steal anything and everything for a profit 
Activists – Embarrass the target, damage their reputation 
Hackers – Anything goes 
Insiders – Disgruntled employees, payments by competitors
6 
Multiple Risks…
7 
Attack Vectors
8 
Impacts of Cyber Events
Loss of Competitiveness
• Trade secrets
• Patents
• Customer records
• M&A activities
Damaged Reputation
• Estimates from companies that have been breached have ranged in the several millions of dollars up to $200 million.
Lost Productivity
• Forensics
• Vulnerability management
• Rebuild corrupted systems
• Average cost of remediating cyber exploitations is $10 million
Compliance Breaches
• PCI DSS
• HIPAA
• NERC
• FISMA
• privacy rules
9 
Cyber ERM Defined 
Cyber risk management: the methods and processes used to manage enterprise-wide cyber risks by identifying particular legal and technical vulnerabilities, assessing them in terms of their likelihood and their magnitude of impact, determining an appropriate response strategy, and implementing and evaluating that strategy.
10 
Cyber ERM Benefits 
• Effectively measures corporate ability to manage all three types of risks
• Links directly to assessment methodologies established by Chief Risk Officers to better inform board members and enable risk management and transfer
• Gives corporate leadership confidence in execution of fiduciary responsibilities
Technical Aspects
12 
Threat-to-Business-Risk Linkage
BUSINESS RISK
• Risk Description
• Use Case
• Impact
Linkage steps
1. Map Business Risk to IT Assets
2. Determine Relevant Vulnerabilities
3. Determine Threat Vectors
4. Assess Likelihood of Successful Attack
5. Evaluate Security Programs
6. Assess Security Program Effectiveness
THREAT STATEMENT
• Vulnerability
• Threat Vector
• Likelihood
• Programs
• Program Effectiveness
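The Cyber ERM definition (identify vulnerabilities, assess likelihood and impact, choose and evaluate a response) and the linkage slide above describe a procedure without showing what the result looks like. The following is an added example, not material from the Covington & Burling deck: a small Python risk register that walks the slide's chain from business risk to IT assets, vulnerabilities, threat vectors, likelihood and program effectiveness, and ranks the residual risk. The 1–5 impact scale, the 0–1 likelihood and effectiveness values, the formula "impact × likelihood × (1 − effectiveness)" and every record in it are constructed assumptions, not a standard the deck cites.

```python
"""Threat-to-business-risk linkage worked as a small risk register.

Added example, not from the Covington & Burling deck: it walks the slide's chain
(business risk -> IT assets -> vulnerabilities -> threat vectors -> likelihood ->
security programs -> program effectiveness) and ranks residual risk. The scoring
scales, the weighting formula and every record below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class BusinessRisk:
    """The BUSINESS RISK box on the slide, plus the IT assets it depends on."""
    name: str
    description: str          # Risk Description
    use_case: str             # Use Case
    impact: int               # Impact on an assumed 1 (negligible) .. 5 (threatens viability) scale
    assets: list[str] = field(default_factory=list)


@dataclass
class ThreatStatement:
    """The THREAT STATEMENT box on the slide, attached to one IT asset."""
    asset: str
    vulnerability: str
    threat_vector: str
    likelihood: float         # assumed: probability of a successful attack per year, 0..1
    programs: list[str]       # security programs that address this vulnerability
    program_effectiveness: float  # assumed: fraction of attempts those programs stop, 0..1


def residual_likelihood(ts: ThreatStatement) -> float:
    """Likelihood that survives the controls: inherent likelihood x (1 - effectiveness)."""
    if not (0.0 <= ts.likelihood <= 1.0 and 0.0 <= ts.program_effectiveness <= 1.0):
        raise ValueError("likelihood and program_effectiveness must lie in [0, 1]")
    return round(ts.likelihood * (1.0 - ts.program_effectiveness), 4)


def link_threats(risk: BusinessRisk, statements: list[ThreatStatement]) -> list[ThreatStatement]:
    """Step 1 of the linkage: map a business risk to the threat statements written against its IT assets."""
    return [ts for ts in statements if ts.asset in risk.assets]


def score_business_risk(risk: BusinessRisk, statements: list[ThreatStatement]):
    """Residual risk = impact x worst residual likelihood among the linked threats.

    Taking the maximum rather than the sum reflects that one successful path is
    enough to realise the business risk; an unmapped risk scores 0 with no driver.
    """
    linked = link_threats(risk, statements)
    if not linked:
        return 0.0, None
    worst = max(linked, key=residual_likelihood)
    return round(risk.impact * residual_likelihood(worst), 4), worst


def prioritize(risks, statements):
    """Rank business risks by residual score, highest first, naming the driving vulnerability."""
    ranked = []
    for risk in risks:
        score, worst = score_business_risk(risk, statements)
        ranked.append((risk.name, score, worst.vulnerability if worst else None))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


def unmapped_assets(risks, statements):
    """Assets with threat statements that no business risk claims: a gap in step 1 of the linkage."""
    claimed = {asset for risk in risks for asset in risk.assets}
    return sorted({ts.asset for ts in statements} - claimed)


# Constructed sample register (illustrative values, not real assessment data).
RISKS = [
    BusinessRisk("Loss of UCTI on a DoD program", "Exfiltration of controlled technical information",
                 "Engineering drawings kept on the program file share", 5, ["file-server", "vpn-gateway"]),
    BusinessRisk("Loss of bid data", "Competitor obtains pricing before award",
                 "Proposal team exchanges drafts by e-mail", 4, ["email", "file-server"]),
    BusinessRisk("Payroll disruption", "HR system unavailable at pay run",
                 "Self-service HR portal", 2, ["hr-portal"]),
]

STATEMENTS = [
    ThreatStatement("file-server", "unpatched SMB service", "lateral movement from a compromised workstation",
                    0.4, ["patch management", "network segmentation"], 0.5),
    ThreatStatement("vpn-gateway", "single-factor remote access", "credential phishing",
                    0.6, ["security awareness training"], 0.25),
    ThreatStatement("hr-portal", "weak password policy", "credential stuffing",
                    0.3, ["password policy", "account lockout"], 0.8),
    ThreatStatement("email", "no attachment sandboxing", "malicious attachment",
                    0.5, ["anti-malware"], 0.6),
    ThreatStatement("build-server", "default admin credentials", "remote login from the internet",
                    0.7, [], 0.0),
]

if __name__ == "__main__":
    for name, score, driver in prioritize(RISKS, STATEMENTS):
        print(f"{score:5.2f}  {name}  (driven by: {driver})")
    print("assets with threats but no business-risk owner:", unmapped_assets(RISKS, STATEMENTS))
```

Two design points worth noting. The score takes the worst linked threat statement rather than summing them, because a single successful path realises the business risk; summing would reward splitting one weakness into several records. And `unmapped_assets` surfaces the gap the slide's first step is most often skipped on: a threat statement written against an asset that no business risk owns (here the constructed `build-server`) has no impact figure and therefore never reaches the board's ranking, however likely the attack is.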
13 
Technical Issues 
• National Cybersecurity Policy & Strategy development 
• Integrated Cyberspace Operations 
• Threat & Vulnerability Assessments 
• Cyber Threat Intelligence Analysis & Tradecraft 
• Incident Response 
• Continuous Diagnostics & Threat Mitigation 
• Research & Development 
• Technology Evaluation & Integration 
• Cyber Leadership and Skills Training
14 
Technical Evolution
Continuous cycle: Threat & Risk Identification & Assessment → Strategy & Plans → Implementation & Compliance → Evaluation & Review → Continuous Improvement → Threat Monitoring & Update
Supporting steps: Scope → Assessment → Review → Implementation → Evaluation
The Role of Lawyers
16 
Key Areas of Legal Issues 
• Government Contracts 
• Cybersecurity Compliance and Policy 
• Insurance 
• Labor & Employment 
• Trade Secrets 
• Privacy
17 
Overview of the Federal Cybersecurity Landscape for Contractors
• No comprehensive federal data security law to date
• Numerous federal statutes, executive orders, regulations, and policies
• Hundreds of NIST standards
• NIST Framework
• Continuing gaps and vagueness regarding expectations of contractors
• Yet USG increasingly allocating risks to contractors
• State laws protecting
18 
Federal Legal and Policy Framework Governing Contractors
• The Federal Information Security Management Act (“FISMA”)
• NDAA FY 2013 Reporting Requirements
• Executive Order 13556—“Controlled Unclassified Information”
• E.O. 13636 “Improving Critical Infrastructure Cybersecurity” and Presidential Policy Directive 21
• 300+ NIST Information Security Documents
• NIST Cybersecurity Framework
• Industrial Security Requirements – NISPOM
• DOD’s Defense Industrial Base Cyber Security/Information Assurance Program
• Export Control Laws
19 
Compliance Requirements
• GSA and DOD Working Group Report, Improving Cybersecurity and Resilience through Acquisition
• Proposed FAR Rule on Basic Safeguarding of Contractor Information Systems
• DFARS Rule on Safeguarding DOD Unclassified Controlled Technical Information
• DOD’s Counterfeit Prevention Policy and DOD’s Proposed Rule for Electronic Parts
• Inconsistent Agency Cybersecurity Guidance
• Flowing Down Cybersecurity Requirements
• Safeguarding the Supply Chain
• Uneven and Unrecoverable Costs of Compliance
20 
What is the NIST Cybersecurity Framework?
• E.O. 13636 mandated NIST establish a voluntary, risk-based framework to guide organizations in critical infrastructure sectors in the creation, assessment, and improvement of their cybersecurity programs.
• Framework is not directed at all organizations, mandatory, or prescriptive.
• Framework is a useful methodology for organizing a program to identify, assess and respond to cyber threats, and for referencing other standards from NIST.
21 
How is the Framework Structured?
• Framework Core
• Implementation Tiers
• Framework Profile
22 
Framework Core
Identifies five high-level cybersecurity functions organizations should be able to perform:
23 
Framework Profile
Comparing a Target Profile against the Current Profile lets an organization pinpoint gaps in existing cybersecurity posture, develop an action plan, and reduce overall risk.
24 
DFARS: Safeguarding UCTI – Quick Look
• Requirements Overview: a DoD contractor must (1) safeguard UCTI “resident on or transiting through” its information system; (2) report cyber incidents; and (3) assist DoD with damage assessments.
• Effective: November 18, 2013
• Applicability:
– Clause at DFARS 252.704-7012 included in all DoD solicitations/contracts.
– Clause only operable when UCTI “may be” present on a contractor’s information system.
– Clause’s substance must be flowed down to all subcontractors (even for commercial items).
• Source: DFARS 204.7300 et seq.; DFARS 252.704-7012; 78 Fed. Reg. 69,273.
25 
What is UCTI?
• Controlled Technical Information - “technical information with military or space application . . . subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”
• Marked with a Distribution Statement in accordance with DoD Instruction 5230.24.
26 
DFARS: Safeguarding UCTI – Safeguarding Requirements
• Must provide “adequate security” by either:
– implementing 51 specified security controls from NIST SP 800-53, OR
– a written explanation to the CO of why controls are not required or specifying an alternative
• Plus any other security measures that are reasonably necessary to provide adequate security.
– Addresses “willful blindness”
27 
DFARS: Safeguarding UCTI – Reporting Requirements
• A cyber incident is “reportable” when it:
– involves unauthorized access to and possible exfiltration, manipulation, or other loss or compromise of any UCTI resident on or transiting through a Contractor’s, or its subcontractors’, unclassified information systems; and
– affects UCTI.
• Must report specific information via http://dibnet.dod.mil/ within 72 hours of discovery of any cyber incident that affects UCTI on the contractor’s own or its subcontractors’ systems.
• “Inadvertent release” of data triggers the rule
28 
DFARS: Safeguarding UCTI – Damage Assessment Assistance
Review network
• ID compromised computers, servers, specific data, and user accounts
Review data accessed
• ID specific UCTI associated with DoD programs, systems, or contracts
Preserve and protect
• For at least 90 days preserve images of known affected IT systems and relevant capture/package data
• Obligation to share files exists, unless legally prohibited
29 
Impact of Non-Compliance
• No specified penalties for non-compliance
• But also no safe harbor
– The CO must consider the cyber incident in the context of an “overall assessment” of the contractor’s compliance with the rule’s security requirements (Comment 30)
• DoD allowed to share information received from contractors with other agencies for law enforcement, counterintelligence, and national security purposes
– an exception that swallows the rule
30 
Supply Chain Risks
• IT systems especially vulnerable to attack
• Congress has granted DoD, IC, and DOE “enhanced authority” to exclude contractors from procurements of National Security Systems when a contractor is deemed a supply chain risk
• Implemented through DFARS interim rule (Nov. 2013), IC Directive (Dec. 2013), and DOE regulations still to be promulgated
31 
Scope of Authority
• Certain agencies have the power to:
– Exclude a source that fails to meet qualification standards for the purpose of reducing supply chain risk in the acquisition of covered systems;
– Exclude a source that fails to achieve an acceptable rating with regard to an evaluation factor in a solicitation; and
– Withhold consent for a contractor to subcontract with a particular source.
• Limited ability for contractors to challenge or even know the basis for exclusion
32 
DoD/GSA Joint Report Recommendations
1. Institute baseline cybersecurity requirements as a condition for certain contract awards
2. Training and industry outreach
3. Developing common cybersecurity definitions
4. Instituting a Government-wide cybersecurity risk management strategy
5. Procure certain items solely from original equipment manufacturers (“OEM”), authorized resellers, or other trusted sources
6. Increase Government accountability
33 
DoD/GSA Draft Implementation Plan
• On March 12, 2014, GSA issued an RFI seeking stakeholder input on implementing the Joint Report’s fourth recommendation, “instituting a Government-wide cybersecurity risk management strategy”
DoD/GSA Draft Implementation Plan: Proposed Process
(1) create categories encompassing similar items purchased by the Government
(2) determine which categories present a cyber risk
(3) prioritize those categories based on their perceived cyber risk
(4) apply overlays to each category, which set the minimum security controls applicable to acquisition of items in that category
35 
DoD/GSA Joint Working Group 
36 
Legal Risks from Non-Compliance
• Whether the Framework Constitutes a Standard of Care
• Directors’ Obligations to Shareholders
• Obligations Regarding Security Breach Reporting
• Default Terminations
• Past Performance Evaluations and Responsibility Determinations
• Administrative Suspensions and Debarments
• False Claims Act
37 
Business Risks Beyond Compliance
• Loss of Intellectual Property
• Litigation Risk
– Threat of action by consumers and shareholders
– Range of potential theories of liability – e.g., breach of contract, common law torts (although obstacles to applying elements and proving damages)
• Contractual
– Data security requirements in business partner agreements, customer contracts
• Breach of Privacy
• Business/PR Risk
– Motivation for protecting information is also non-legal
38 
Limited Backstops for Risk 
• Untested Applicability of Government Contractor Defense 
• No Limitation on Liability or Safe Harbors 
• Indemnification for Contractor Losses 
• Standard Insurance vs. Cyber Insurance
Questions

Dr. Jim Murray: How do we Protect our Systems and Meet Compliance in a Rapidl...
Government Technology and Services Coalition
 
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
Government Technology and Services Coalition
 
Antwayne Johnson: Alert/Notification Technologies: The Integrated Public Aler...
Antwayne Johnson: Alert/Notification Technologies: The Integrated Public Aler...Antwayne Johnson: Alert/Notification Technologies: The Integrated Public Aler...
Antwayne Johnson: Alert/Notification Technologies: The Integrated Public Aler...
Government Technology and Services Coalition
 
Justin Chiarodo: Government Contracts & Insurance Issues: How Prepared is You...
Justin Chiarodo: Government Contracts & Insurance Issues: How Prepared is You...Justin Chiarodo: Government Contracts & Insurance Issues: How Prepared is You...
Justin Chiarodo: Government Contracts & Insurance Issues: How Prepared is You...
Government Technology and Services Coalition
 
Todd Jasper: How Can We Leverage Technology to Improve Performance: Social Me...
Todd Jasper: How Can We Leverage Technology to Improve Performance: Social Me...Todd Jasper: How Can We Leverage Technology to Improve Performance: Social Me...
Todd Jasper: How Can We Leverage Technology to Improve Performance: Social Me...
Government Technology and Services Coalition
 
Kevin Delin: How Can We Leverage Technology to Improve Performance: The Senso...
Kevin Delin: How Can We Leverage Technology to Improve Performance: The Senso...Kevin Delin: How Can We Leverage Technology to Improve Performance: The Senso...
Kevin Delin: How Can We Leverage Technology to Improve Performance: The Senso...
Government Technology and Services Coalition
 
Brian Lepore: The Evolving Threats: GAO's Report on DOD's Infrastructure Adap...
Brian Lepore: The Evolving Threats: GAO's Report on DOD's Infrastructure Adap...Brian Lepore: The Evolving Threats: GAO's Report on DOD's Infrastructure Adap...
Brian Lepore: The Evolving Threats: GAO's Report on DOD's Infrastructure Adap...
Government Technology and Services Coalition
 
Brian Usher: The Evolving Threats: A Local Government Perspective
Brian Usher: The Evolving Threats: A Local Government PerspectiveBrian Usher: The Evolving Threats: A Local Government Perspective
Brian Usher: The Evolving Threats: A Local Government Perspective
Government Technology and Services Coalition
 
David Kaufman: FEMA's Preparedness: A Leading, Agile, Focused Agency
David Kaufman: FEMA's Preparedness: A Leading, Agile, Focused AgencyDavid Kaufman: FEMA's Preparedness: A Leading, Agile, Focused Agency
David Kaufman: FEMA's Preparedness: A Leading, Agile, Focused Agency
Government Technology and Services Coalition
 
Robert Carey, Principal Deputy CIO, DOD Insight session
Robert Carey, Principal Deputy CIO, DOD Insight sessionRobert Carey, Principal Deputy CIO, DOD Insight session
Robert Carey, Principal Deputy CIO, DOD Insight session
Government Technology and Services Coalition
 
Homeland Security: Understanding Funding and Spending
Homeland Security:  Understanding Funding and SpendingHomeland Security:  Understanding Funding and Spending
Homeland Security: Understanding Funding and Spending
Government Technology and Services Coalition
 
Homeland Security Funding 2013
Homeland Security Funding 2013Homeland Security Funding 2013
Homeland Security Funding 2013
Government Technology and Services Coalition
 
The Cyber Threat Landscape
The Cyber Threat LandscapeThe Cyber Threat Landscape

More from Government Technology and Services Coalition (20)

GTSC 5th Anniversary Annual Report: Steady in a Sea of Change
GTSC 5th Anniversary Annual Report:  Steady in a Sea of ChangeGTSC 5th Anniversary Annual Report:  Steady in a Sea of Change
GTSC 5th Anniversary Annual Report: Steady in a Sea of Change
 
Government Technology & Services Coalition 2015 Annual Report
Government Technology & Services Coalition 2015 Annual ReportGovernment Technology & Services Coalition 2015 Annual Report
Government Technology & Services Coalition 2015 Annual Report
 
GTSC Annual Meeting 2014: Michelle Mrdeza: What to Expect When You Are Expect...
GTSC Annual Meeting 2014: Michelle Mrdeza: What to Expect When You Are Expect...GTSC Annual Meeting 2014: Michelle Mrdeza: What to Expect When You Are Expect...
GTSC Annual Meeting 2014: Michelle Mrdeza: What to Expect When You Are Expect...
 
GTSC Annual Meeting 2014: Chani Wiggins: 114th Congress: Big Picture
GTSC Annual Meeting 2014: Chani Wiggins: 114th Congress: Big PictureGTSC Annual Meeting 2014: Chani Wiggins: 114th Congress: Big Picture
GTSC Annual Meeting 2014: Chani Wiggins: 114th Congress: Big Picture
 
GTSC Annual Meeting 2014: BD Exchange
GTSC Annual Meeting 2014: BD ExchangeGTSC Annual Meeting 2014: BD Exchange
GTSC Annual Meeting 2014: BD Exchange
 
GTSC June 2013 - November 2014 Annual Report
GTSC June 2013 - November 2014 Annual ReportGTSC June 2013 - November 2014 Annual Report
GTSC June 2013 - November 2014 Annual Report
 
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
Sean McCloskey: How do we Strengthen the Public-Private Partnership to Mitiga...
 
Dr. Jim Murray: How do we Protect our Systems and Meet Compliance in a Rapidl...
Dr. Jim Murray: How do we Protect our Systems and Meet Compliance in a Rapidl...Dr. Jim Murray: How do we Protect our Systems and Meet Compliance in a Rapidl...
Dr. Jim Murray: How do we Protect our Systems and Meet Compliance in a Rapidl...
 
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
David Knox: How do we Protect our Systems and Meet Compliance in a Rapidly Ch...
 
Antwayne Johnson: Alert/Notification Technologies: The Integrated Public Aler...
Antwayne Johnson: Alert/Notification Technologies: The Integrated Public Aler...Antwayne Johnson: Alert/Notification Technologies: The Integrated Public Aler...
Antwayne Johnson: Alert/Notification Technologies: The Integrated Public Aler...
 
Justin Chiarodo: Government Contracts & Insurance Issues: How Prepared is You...
Justin Chiarodo: Government Contracts & Insurance Issues: How Prepared is You...Justin Chiarodo: Government Contracts & Insurance Issues: How Prepared is You...
Justin Chiarodo: Government Contracts & Insurance Issues: How Prepared is You...
 
Todd Jasper: How Can We Leverage Technology to Improve Performance: Social Me...
Todd Jasper: How Can We Leverage Technology to Improve Performance: Social Me...Todd Jasper: How Can We Leverage Technology to Improve Performance: Social Me...
Todd Jasper: How Can We Leverage Technology to Improve Performance: Social Me...
 
Kevin Delin: How Can We Leverage Technology to Improve Performance: The Senso...
Kevin Delin: How Can We Leverage Technology to Improve Performance: The Senso...Kevin Delin: How Can We Leverage Technology to Improve Performance: The Senso...
Kevin Delin: How Can We Leverage Technology to Improve Performance: The Senso...
 
Brian Lepore: The Evolving Threats: GAO's Report on DOD's Infrastructure Adap...
Brian Lepore: The Evolving Threats: GAO's Report on DOD's Infrastructure Adap...Brian Lepore: The Evolving Threats: GAO's Report on DOD's Infrastructure Adap...
Brian Lepore: The Evolving Threats: GAO's Report on DOD's Infrastructure Adap...
 
Brian Usher: The Evolving Threats: A Local Government Perspective
Brian Usher: The Evolving Threats: A Local Government PerspectiveBrian Usher: The Evolving Threats: A Local Government Perspective
Brian Usher: The Evolving Threats: A Local Government Perspective
 
David Kaufman: FEMA's Preparedness: A Leading, Agile, Focused Agency
David Kaufman: FEMA's Preparedness: A Leading, Agile, Focused AgencyDavid Kaufman: FEMA's Preparedness: A Leading, Agile, Focused Agency
David Kaufman: FEMA's Preparedness: A Leading, Agile, Focused Agency
 
Robert Carey, Principal Deputy CIO, DOD Insight session
Robert Carey, Principal Deputy CIO, DOD Insight sessionRobert Carey, Principal Deputy CIO, DOD Insight session
Robert Carey, Principal Deputy CIO, DOD Insight session
 
Homeland Security: Understanding Funding and Spending
Homeland Security:  Understanding Funding and SpendingHomeland Security:  Understanding Funding and Spending
Homeland Security: Understanding Funding and Spending
 
Homeland Security Funding 2013
Homeland Security Funding 2013Homeland Security Funding 2013
Homeland Security Funding 2013
 
The Cyber Threat Landscape
The Cyber Threat LandscapeThe Cyber Threat Landscape
The Cyber Threat Landscape
 

Recently uploaded

PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdfPNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
ClaudioTebaldi2
 
A proposed request for information on LIHTC
A proposed request for information on LIHTCA proposed request for information on LIHTC
A proposed request for information on LIHTC
Roger Valdez
 
2024: The FAR - Federal Acquisition Regulations, Part 39
2024: The FAR - Federal Acquisition Regulations, Part 392024: The FAR - Federal Acquisition Regulations, Part 39
2024: The FAR - Federal Acquisition Regulations, Part 39
JSchaus & Associates
 
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
850fcj96
 
Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023
ARCResearch
 
2024: The FAR - Federal Acquisition Regulations, Part 38
2024: The FAR - Federal Acquisition Regulations, Part 382024: The FAR - Federal Acquisition Regulations, Part 38
2024: The FAR - Federal Acquisition Regulations, Part 38
JSchaus & Associates
 
kupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptxkupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptx
viderakai
 
Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200
GrantManagementInsti
 
2024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 372024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 37
JSchaus & Associates
 
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
850fcj96
 
Transit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group MeetingTransit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group Meeting
Cuyahoga County Planning Commission
 
Invitation Letter for an alumni association
Invitation Letter for an alumni associationInvitation Letter for an alumni association
Invitation Letter for an alumni association
elmerdalida001
 
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
johnmarimigallon
 
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHOMonitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Christina Parmionova
 
State crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public financesState crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public finances
ResolutionFoundation
 
NHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdfNHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdf
AjayVejendla3
 
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Congressional Budget Office
 
ZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdfZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdf
Saeed Al Dhaheri
 
Donate to charity during this holiday season
Donate to charity during this holiday seasonDonate to charity during this holiday season
Donate to charity during this holiday season
SERUDS INDIA
 
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
Congressional Budget Office
 

Recently uploaded (20)

PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdfPNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
PNRR MADRID GREENTECH FOR BROWN NETWORKS NETWORKS MUR_MUSA_TEBALDI.pdf
 
A proposed request for information on LIHTC
A proposed request for information on LIHTCA proposed request for information on LIHTC
A proposed request for information on LIHTC
 
2024: The FAR - Federal Acquisition Regulations, Part 39
2024: The FAR - Federal Acquisition Regulations, Part 392024: The FAR - Federal Acquisition Regulations, Part 39
2024: The FAR - Federal Acquisition Regulations, Part 39
 
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
如何办理(uoit毕业证书)加拿大安大略理工大学毕业证文凭证书录取通知原版一模一样
 
Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023Opinions on EVs: Metro Atlanta Speaks 2023
Opinions on EVs: Metro Atlanta Speaks 2023
 
2024: The FAR - Federal Acquisition Regulations, Part 38
2024: The FAR - Federal Acquisition Regulations, Part 382024: The FAR - Federal Acquisition Regulations, Part 38
2024: The FAR - Federal Acquisition Regulations, Part 38
 
kupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptxkupon sample qurban masjid indonesia terbaru.pptx
kupon sample qurban masjid indonesia terbaru.pptx
 
Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200Uniform Guidance 3.0 - The New 2 CFR 200
Uniform Guidance 3.0 - The New 2 CFR 200
 
2024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 372024: The FAR - Federal Acquisition Regulations, Part 37
2024: The FAR - Federal Acquisition Regulations, Part 37
 
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
快速制作(ocad毕业证书)加拿大安大略艺术设计学院毕业证本科学历雅思成绩单原版一模一样
 
Transit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group MeetingTransit-Oriented Development Study Working Group Meeting
Transit-Oriented Development Study Working Group Meeting
 
Invitation Letter for an alumni association
Invitation Letter for an alumni associationInvitation Letter for an alumni association
Invitation Letter for an alumni association
 
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
2017 Omnibus Rules on Appointments and Other Human Resource Actions, As Amended
 
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHOMonitoring Health for the SDGs - Global Health Statistics 2024 - WHO
Monitoring Health for the SDGs - Global Health Statistics 2024 - WHO
 
State crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public financesState crafting: Changes and challenges for managing the public finances
State crafting: Changes and challenges for managing the public finances
 
NHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdfNHAI_Under_Implementation_01-05-2024.pdf
NHAI_Under_Implementation_01-05-2024.pdf
 
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
Effects of Extreme Temperatures From Climate Change on the Medicare Populatio...
 
ZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdfZGB - The Role of Generative AI in Government transformation.pdf
ZGB - The Role of Generative AI in Government transformation.pdf
 
Donate to charity during this holiday season
Donate to charity during this holiday seasonDonate to charity during this holiday season
Donate to charity during this holiday season
 
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
CBO’s Outlook for U.S. Fertility Rates: 2024 to 2054
 

Robert Nichols: Cybersecurity for Government Contractors

  • 10. Cyber ERM Benefits
    • Effectively measures corporate ability to manage all three types of risks
    • Links directly to assessment methodologies established by Chief Risk Officers to better inform board members and enable risk management and transfer
    • Gives corporate leadership confidence in execution of fiduciary responsibilities
  • 12. Threat-to-Business-Risk Linkage
    BUSINESS RISK
    • Risk Description
    • Use Case
    • Impact
    Map Business Risk to IT Assets → Determine Relevant Vulnerabilities → Determine Threat Vectors → Assess Likelihood of Successful Attack → Evaluate Security Programs → Assess Security Program Effectiveness
    THREAT STATEMENT
    • Vulnerability
    • Threat Vector
    • Likelihood
    • Programs
    • Program Effectiveness
  • 13. Technical Issues
    • National Cybersecurity Policy & Strategy development
    • Integrated Cyberspace Operations
    • Threat & Vulnerability Assessments
    • Cyber Threat Intelligence Analysis & Tradecraft
    • Incident Response
    • Continuous Diagnostics & Threat Mitigation
    • Research & Development
    • Technology Evaluation & Integration
    • Cyber Leadership and Skills Training
  • 14. Technical Evolution
    • Threat & Risk Identification & Assessment
    • Strategy & Plans
    • Implementation & Compliance
    • Evaluation & Review
    • Continuous Improvement
    • Threat Monitoring & Update
    Scope · Assessment · Review · Implementation · Evaluation
  • 15. The Role of Lawyers
  • 16. Key Areas of Legal Issues
    • Government Contracts
    • Cybersecurity Compliance and Policy
    • Insurance
    • Labor & Employment
    • Trade Secrets
    • Privacy
  • 17. Overview of the Federal Cybersecurity Landscape for Contractors
    • No comprehensive federal data security law to date
    • Numerous federal statutes, executive orders, regulations, and policies
    • Hundreds of NIST standards
    • NIST Framework
    • Continuing gaps and vagueness regarding expectations of contractors
    • Yet USG increasingly allocating risks to contractors
    • State laws protecting
  • 18. Federal Legal and Policy Framework Governing Contractors
    • The Federal Information Security Management Act (“FISMA”)
    • NDAA FY 2013 Reporting Requirements
    • Executive Order 13556—“Controlled Unclassified Information”
    • E.O. 13636 “Improving Critical Infrastructure Cybersecurity” and Presidential Policy Directive 21
    • 300+ NIST Information Security Documents
    • NIST Cybersecurity Framework
    • Industrial Security Requirements – NISPOM
    • DOD’s Defense Industrial Base Cyber Security/Information Assurance Program
    • Export Control Laws
  • 19. Compliance Requirements
    • GSA and DOD Working Group Report, Improving Cybersecurity and Resilience through Acquisition
    • Proposed FAR Rule on Basic Safeguarding of Contractor Information Systems
    • DFARS Rule on Safeguarding DOD Unclassified Controlled Technical Information
    • DOD’s Counterfeit Prevention Policy and DOD’s Proposed Rule for Electronic Parts
    • Inconsistent Agency Cybersecurity Guidance
    • Flowing Down Cybersecurity Requirements
    • Safeguarding the Supply Chain
    • Uneven and Unrecoverable Costs of Compliance
  • 20. What is the NIST Cybersecurity Framework?
    • E.O. 13636 mandated NIST establish a voluntary, risk-based framework to guide organizations in critical infrastructure sectors in the creation, assessment, and improvement of their cybersecurity programs.
    • Framework is not directed at all organizations, mandatory, or prescriptive.
    • Framework is a useful methodology for organizing a program to identify, assess and respond to cyber threats, and for referencing other standards from NIST.
  • 21. How is the Framework Structured?
    • Framework Core
    • Implementation Tiers
    • Framework Profile
  • 22. Framework Core: identifies five high-level cybersecurity functions organizations should be able to perform.
  • 23. Framework Profile
    Target Profile vs. Current Profile: pinpoint gaps in existing cybersecurity posture, develop action plan, and reduce overall risk
  • 24. DFARS: Safeguarding UCTI – Quick Look
    • Requirements Overview: a DoD contractor must (1) safeguard UCTI “resident on or transiting through” its information system; (2) report cyber incidents; and (3) assist DoD with damage assessments.
    • Effective: November 18, 2013
    • Applicability:
      – Clause at DFARS 252.704-7012 included in all DoD solicitations/contracts.
      – Clause only operable when UCTI “may be” present on a contractor’s information system.
      – Clause’s substance must be flowed down to all subcontractors (even for commercial items).
    • Source: DFARS 204.7300 et seq.; DFARS 252.704-7012; 78 Fed. Reg. 69,273.
  • 25. What is UCTI?
    • Controlled Technical Information – “technical information with military or space application . . . subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”
    • Marked with a Distribution Statement in accordance with DoD Instruction 5230.24.
  • 26. DFARS: Safeguarding UCTI – Safeguarding Requirements
    • Must provide “adequate security” by either:
      – implementing 51 specified security controls from NIST SP 800-53, OR
      – written explanation to CO why controls are not required or specifying alternative
    • Plus any other security measures that are reasonably necessary to provide adequate security.
      – Addresses “willful blindness”
  • 27. DFARS: Safeguarding UCTI – Reporting Requirements
    • A cyber incident is “reportable” when it:
      – involves unauthorized access to and possible exfiltration, manipulation, or other loss or compromise of any UCTI resident on or transiting through a Contractor’s, or its subcontractors’, unclassified information systems; and
      – affects UCTI.
    • Must report specific information via http://dibnet.dod.mil/ within 72 hours of discovery of any cyber incident that affects UCTI on contractor’s own or its subcontractors’ systems.
    • “Inadvertent release” of data triggers the rule
  • 28. DFARS: Safeguarding UCTI – Damage Assessment Assistance
    Review network / review data accessed / preserve and protect:
    • ID compromised computers, servers, specific data, and user accounts
    • ID specific UCTI associated with DoD programs, systems, or contracts
    • For at least 90 days preserve images of known affected IT systems and relevant capture/package data
    • Obligation to share files exists, unless legally prohibited
  • 29. Impact of Non-Compliance
    • No specified penalties for non-compliance
    • But also no safe harbor
      – The CO must consider the cyber incident in the context of an “overall assessment” of the contractor’s compliance with the rule’s security requirements (Comment 30)
    • DoD allowed to share information received from contractors with other agencies for law enforcement, counterintelligence, and national security purposes – an exception that swallows the rule
  • 30. Supply Chain Risks
    • IT systems especially vulnerable to attack
    • Congress has granted DoD, IC, and DOE “enhanced authority” to exclude contractors from procurements of National Security Systems when a contractor is deemed a supply chain risk
    • Implemented through DFARS interim rule (Nov. 2013), IC Directive (Dec. 2013), and DOE regulations still to be promulgated
  • 31. Scope of Authority
    • Certain agencies have the power to:
      – Exclude a source that fails to meet qualification standards for the purpose of reducing supply chain risk in the acquisition of covered systems;
      – Exclude a source that fails to achieve an acceptable rating with regard to an evaluation factor in a solicitation; and
      – Withhold consent for a contractor to subcontract with a particular source.
    • Limited ability for contractors to challenge or even know the basis for exclusion
  • 32. DoD/GSA Joint Report Recommendations
    1. Institute baseline cybersecurity requirements as a condition for certain contract awards
    2. Training and industry outreach
    3. Developing common cybersecurity definitions
    4. Instituting a Government-wide cybersecurity risk management strategy
    5. Procure certain items solely from original equipment manufacturers (“OEM”), authorized resellers, or other trusted sources
    6. Increase Government accountability
  • 33. DoD/GSA Draft Implementation Plan
    • On March 12, 2014, GSA issued an RFI seeking stakeholder input on implementing the Joint Report’s fourth recommendation, “instituting a Government-wide cybersecurity risk management strategy”
  • 34. DoD/GSA Draft Implementation Plan – Proposed Process
    (1) create categories encompassing similar items purchased by the Government
    (2) determine which categories present a cyber risk
    (3) prioritize those categories based on their perceived cyber risk
    (4) apply overlays to each category, which set the minimum security controls applicable to acquisition of items in that category
  • 35. DoD/GSA Joint Working Group
  • 36. Legal Risks from Non-Compliance
    • Whether the Framework Constitutes a Standard of Care
    • Directors’ Obligations to Shareholders
    • Obligations Regarding Security Breach Reporting
    • Default Terminations
    • Past Performance Evaluations and Responsibility Determinations
    • Administrative Suspensions and Debarments
    • False Claims Act
  • 37. Business Risks Beyond Compliance
    • Loss of Intellectual Property
    • Litigation Risk
      – Threat of action by consumers and shareholders
      – Range of potential theories of liability – e.g., breach of contract, common law torts (although obstacles to applying elements and proving damages)
    • Contractual
      – Data security requirements in business partner agreements, customer contracts
    • Breach of Privacy
    • Business/PR Risk
      – Motivation for protecting information also is non-legal
  • 38. Limited Backstops for Risk
    • Untested Applicability of Government Contractor Defense
    • No Limitation on Liability or Safe Harbors
    • Indemnification for Contractor Losses
    • Standard Insurance vs. Cyber Insurance
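The reporting and damage-assessment duties summarized on slides 27 and 28 (the two-pronged reportability test, the 72-hour clock that runs from discovery, the 90-day preservation hold) turned into a small incident tracker an IR team could use to keep the clocks straight. This is an added example, not material from the deck or from Covington & Burling; the incident records are constructed, and the 90-day hold is assumed to run from discovery because the slide states only the minimum duration.

```python
"""DFARS UCTI incident obligations from slides 27 and 28 as a small tracker:
the two-pronged reportability test, the 72-hour reporting clock that runs
from discovery, and the 90-day preservation hold for affected systems.
Added example; incident records are constructed and the 90-day hold is
assumed to start at discovery."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

REPORT_WINDOW = timedelta(hours=72)       # slide 27: report within 72 hours of discovery
PRESERVE_MIN = timedelta(days=90)         # slide 28: preserve images for at least 90 days
REPORT_PORTAL = "http://dibnet.dod.mil/"  # slide 27: reporting channel

# Slide 27, first prong: the forms of compromise that count. "Inadvertent
# release" is included because the slide says it triggers the rule as well.
COMPROMISE_TYPES = frozenset({
    "unauthorized access", "exfiltration", "manipulation",
    "loss", "other compromise", "inadvertent release",
})

# Slide 28: what the contractor must identify, preserve or share.
ASSESSMENT_CHECKLIST = (
    "identify compromised computers, servers, specific data, and user accounts",
    "identify specific UCTI associated with DoD programs, systems, or contracts",
    "preserve images of known affected IT systems and capture/package data",
    "share files with DoD unless legally prohibited",
)


@dataclass
class Incident:
    incident_id: str
    discovered_at: datetime
    compromise_type: Optional[str]   # None when no UCTI compromise occurred
    ucti_affected: bool              # second prong: the incident affects UCTI
    system_owner: str                # "contractor" or "subcontractor": both in scope
    reported_at: Optional[datetime] = None


def is_reportable(inc: Incident) -> bool:
    """Slide 27's test: (1) compromise of UCTI on the contractor's or a
    subcontractor's unclassified systems, and (2) the incident affects UCTI."""
    if inc.system_owner not in ("contractor", "subcontractor"):
        raise ValueError(f"unknown system owner: {inc.system_owner!r}")
    if inc.compromise_type is not None and inc.compromise_type not in COMPROMISE_TYPES:
        raise ValueError(f"unknown compromise type: {inc.compromise_type!r}")
    return inc.compromise_type is not None and inc.ucti_affected


def report_deadline(inc: Incident) -> datetime:
    """The 72-hour clock runs from discovery, not from confirmation of impact."""
    return inc.discovered_at + REPORT_WINDOW


def preserve_until(inc: Incident) -> datetime:
    """Earliest time the hold on affected-system images may lapse
    (assumption: the 90 days are counted from discovery)."""
    return inc.discovered_at + PRESERVE_MIN


def incident_status(inc: Incident, now: datetime) -> Dict[str, object]:
    """Where one incident stands against the clause's obligations at `now`."""
    status: Dict[str, object] = {
        "incident_id": inc.incident_id,
        "reportable": is_reportable(inc),
    }
    if not status["reportable"]:
        status["action"] = "no DFARS report required; document the determination"
        return status
    deadline = report_deadline(inc)
    if inc.reported_at is not None:
        status["reported_on_time"] = inc.reported_at <= deadline
        status["action"] = "reported; continue damage assessment assistance"
    else:
        remaining = deadline - now
        status["hours_remaining"] = round(remaining.total_seconds() / 3600, 1)
        status["overdue"] = remaining < timedelta(0)
        status["action"] = f"report via {REPORT_PORTAL} by {deadline.isoformat()}"
    status["preserve_until"] = preserve_until(inc)
    status["checklist"] = ASSESSMENT_CHECKLIST
    return status


def utc(*parts: int) -> datetime:
    """Build a timezone-aware UTC timestamp from (year, month, day[, hour, minute])."""
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample incidents (not real events); all times are UTC.
NOW = utc(2014, 3, 12, 15)
SAMPLE_INCIDENTS = [
    Incident("INC-1", utc(2014, 3, 10, 9), "exfiltration", True, "subcontractor"),
    Incident("INC-2", utc(2014, 3, 8, 8), "inadvertent release", True, "contractor",
             reported_at=utc(2014, 3, 10, 12)),
    Incident("INC-3", utc(2014, 3, 11, 10), "unauthorized access", False, "contractor"),
    Incident("INC-4", utc(2014, 3, 5), "manipulation", True, "contractor"),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        row = incident_status(inc, NOW)
        print(row["incident_id"], row["action"])
```

INC-3 shows the second prong doing work: unauthorized access without any UCTI affected produces no DFARS report, but the determination is still recorded, since slide 29 notes the CO weighs incidents in an "overall assessment" of compliance.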