As the Senate approaches the end of its debate on the National Defense Authorization Act for Fiscal Year 2019, provisions of the bill regarding access to and review of information technology code deserve close attention. These sections, if enacted, would significantly impact Department of Defense contractors and also would affect matters associated with investments subject … Continue Reading
On April 24, 2018, the Department of Defense (DoD) issued a Notice and Request for Comment on draft guidance that DoD proposes for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST Special Publication (SP) 800-171. This includes assessments as part of source selection decisions and during contract performance. DFARS … Continue Reading
On April 17, 2018, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen delivered a keynote address at the RSA Conference. A copy of her prepared remarks is available here. Secretary Nielsen’s remarks highlighted efforts by DHS to address the evolving cybersecurity threats to our country’s critical infrastructure. Secretary Nielsen set the stage by describing the … Continue Reading
Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks. Four years later, NIST has released an updated version … Continue Reading
Late last month, the National Institute of Standards and Technology (“NIST”) released a set of documents for public comment that are aimed at helping contractors assess and implement compliance with NIST Special Publication (“SP”) 800-171, which establishes the standards for protecting Covered Defense Information (“CDI”), among other forms of Controlled Unclassified Information (“CUI”). First, NIST … Continue Reading
Earlier this week, both chambers on Capitol Hill took steps that would increase the Department of Homeland Security’s (DHS) role in the area of cybersecurity. On the Senate side, the Senate Homeland Security and Governmental Affairs Committee approved a DHS reauthorization bill that included amendments to rename and reorganize the DHS National Protection and Programs … Continue Reading
Inflection Point for IoT In a relatively short amount of time, the adoption of the Internet of Things (IoT) and its applications — from smart cars to the myriad of interconnected sensors in the General Service Administration building reminiscent of HAL 9000 from 2001: A Space Odyssey — has rapidly proliferated, providing significant opportunities and … Continue Reading
[The referenced article was originally published in Law360.] Since August 2015, defense contractors have been on notice that they were required to implement the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 no later than December 31, 2017 on covered contractor information systems. Although the focus has been on meeting … Continue Reading
On December 20, 2017, the National Institute of Standards and Technology (“NIST”) held a live webcast to discuss the draft updates to the Framework for Improving Critical Infrastructure Cybersecurity (“the Cybersecurity Framework”) and the Roadmap for Improving Critical Infrastructure Cybersecurity (“the Roadmap”). Although the webcast is not currently available online, NIST plans to publish a … Continue Reading
On December 5, 2017, the National Institute of Standards and Technology (“NIST”) announced the publication of a second draft of a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), Version 1.1, Draft 2. NIST has also published an updated draft Roadmap to the Cybersecurity Framework, which “details public and private sector … Continue Reading
The Department of Defense (“DoD”) has updated portions of its internal guidance addressing compliance with the requirements of Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”… Continue Reading
Ahead of the upcoming December 31, 2017 deadline for federal defense contractors to implement National Institute of Standards and Technology (“NIST”) Special Publication 800-171 (“SP 800-171”), NIST has released a new draft publication designed to assist organizations in assessing compliance under SP 800-171, Draft Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information (“CUI”) … Continue Reading
The Department of Defense (“DoD”) has issued two Class Deviations that provide defense agencies with greater flexibility when procuring in times of crisis. These Class Deviations allow for the use of simplified acquisition procedures and excuse certain procurement obligations when DoD is responding to a cyber-attack or providing relief in support of domestic or international … Continue Reading
On September 21, 2017, the Director of the Defense Pricing/Defense Procurement and Acquisition Policy (DPAP) issued guidance to Department of Defense (DoD) acquisition personnel in anticipation of the December 31, 2017 date for contractors to implement the security controls of NIST Special Publication (SP) 800-171. The guidance outlines (i) ways in which a contractor may … Continue Reading
The National Institute of Standards and Technology (“NIST”) released on August 15, 2017 its proposed update to Special Publication (“SP”) 800-53. NIST SP 800-53, which was last revised in 2014, provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Systems Management Act of 2002 … Continue Reading
On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government. As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of executive agencies’ … Continue Reading
The Department of Defense (“DoD”) held an “Industry Information Day” on June 23, 2017 to address questions regarding DFARS Case 2013-D018 “Network Penetration and Reporting for Cloud Services,” including DFARS clauses 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” and 252.239-7010 “Cloud Computing Services.” DoD’s presentation lasted approximately four hours and covered a wide range of … Continue Reading
On May 11, 2017, the U.S. China Economic and Security Review Commission (“Commission”) issued a Request for Proposal to “to provide a one-time unclassified report on supply chain vulnerabilities from China in U.S. federal information technology (IT) procurement.” Congress established the Commission in 2000 to monitor and report to Congress on the national security implications … Continue Reading
On January 27, 2017, the Department of Defense (DoD) issued an updated Frequently Asked Questions (FAQ) regarding the application and requirements of DFARS 252.204.7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. Though questions remain regarding various nuances of the rule, the FAQ is a helpful document for those contractors still working on implementation of … Continue Reading
In 2016, the dangers presented by an increasingly digital world clearly were on display. A cyber-attack using an army of Internet of Things devices interfered with the operations of major commercial websites. And the Presidential Election was plagued with allegations of state-sponsored cybersecurity hacking (for which the Obama Administration just issued sanctions against the Russian … Continue Reading
On October 21, 2016, the Department of Defense (DoD) issued its long-awaited Final Rule—effective immediately—imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI). The Final Rule has been years in the making and is the culmination of an initial rule issued in November … Continue Reading
On October 4th, the Department of Defense (DoD) issued a Final Rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors who have “agreements” with DoD. The Final Rule also highlights DoD’s desire to encourage greater participation in the voluntary Defense Industrial Base (DIB) cybersecurity information sharing program. This Rule is effective on … Continue Reading
On September 14, 2016, the National Archives and Record Administration (“NARA”) issued a Final Rule, effective November 13, 2016, establishing cross-agency practices and procedures for safeguarding, disseminating, controlling, destroying, and marking Controlled Unclassified Information (CUI). Although the Final Rule only applies directly to executive branch agencies that designate or handle information that meets the standards … Continue Reading
Supply chain protection has been a point of increasing emphasis by the Government and especially the Department of Defense (“DoD”) in recent years. In no area is this more true than ensuring that Government systems and equipment are free from counterfeit electronic parts, which can raise both security and defect concerns. DoD has accordingly taken several steps, many of which have taken the form of new requirements on contractors, to protect against counterfeit electronic parts. With these requirements has come added risk to contractors that even mistakenly use electronic parts in the goods they sell to DoD. However, an August 30, 2016, final DFARS rule (implemented at DFARS 2301.205-71) seeks to mitigate some of this risk by allowing contractors to recover the cost of replacing counterfeit electronic parts, as long as the contractor has taken certain steps to prevent the use of such parts.… Continue Reading
