Cybersecurity

On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.

To accomplish this goal, the Act puts forth several action items for the Director of the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”). Details of these action items and their deadlines are discussed below.Continue Reading Senate Reintroduces IoT Cybersecurity Improvement Act

Compliance with the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is only the beginning for contractors that receive controlled defense information (CDI) in performance of Department of Defense (DoD) contracts and subcontracts.  Faced with an evolving cyber threat, DoD contractors have experienced an increased emphasis on protecting DoD’s information and on confirming contractor compliance with DoD cybersecurity requirements.  This includes audits by the DoD Inspector General (IG) “to determine whether DoD contractors have security controls in place” to protect CDI and enhanced security controls for certain high risk contractor networks.  And on September 28, 2018, the Navy issued a policy memorandum calling for enhanced cybersecurity requirements, including some that have generated opposition within the defense community such as the installation of network sensors by the Naval Criminal Investigative Service on contractor systems.  Other requiring activities are reportedly requiring similar enhanced protections and NIST is expected to issue a public draft of Revision 2 to NIST SP 800-171 by the end of February, with an appendix of additional enhanced controls.

As discussed in our blog post here, on November 6, 2018, DoD issued final guidance to requiring activities for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST SP 800-171.  Since then, DoD has issued two additional guidance memoranda; one that includes contractual language for implementing the November 6th guidance and one that explains how DoD plans to confirm contractor oversight of subcontractor compliance with the DFARS 252.204-7012 cybersecurity requirements.Continue Reading DoD Continues to Up the Ante on Cybersecurity Compliance for Contractors

On the eve of the recent government shutdown over border security, Congress and the President were in agreement on a different issue of national security:  mitigating supply chain risk.  On December 21, 2018, the President signed into law the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the “SECURE Technology Act”) (P.L. 115-390).  The Act includes a trio of bills that were designed to strengthen the cyber defenses of the Department of Homeland Security (“DHS”) and mitigate supply chain risks in the procurement of information technology.  The last of these three bills, the Federal Acquisition Supply Chain Security Act, should be of particular interest to contractors that procure information technology-related items related to the performance of a U.S. government contract.  Among other things, the bill establishes a Federal Acquisition Security Council, which is charged with several functions, including assessing supply chain risk.  The bill also gives the Secretary of DHS, the Secretary of the Department of Defense (“DoD”) and the Director of National Intelligence authority to issue exclusion and removal orders as to sources and/or covered articles based on the Council’s recommendation.  Finally, the bill allows federal agencies to exclude sources and/or covered articles deemed to pose a supply chain risk from certain procurements.
Continue Reading Jumping to Exclusions: New Law Provides Government-Wide Exclusion Authorities to Address Supply Chain Risks

The Department of Defense (DoD) recently issued final guidance for requiring activities to assess contractors’ System Security Plans (SSPs) and their implementation of the security controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.  A draft of this guidance was made available for public comment in April 2018.  As noted in our original post on the draft guidance, DoD’s proposed approach raised significant questions as to what role offerors’ implementation of the security controls in NIST SP 800-171 would play in bid protests, contract performance, and post award audits.  In the memorandum accompanying the final guidance documents, DoD notes that it has incorporated comments it received from the public into the final guidance.  As discussed below, although the DoD has addressed some of the issues raised by the April draft, the final guidance adds some additional concerns and ambiguities.
Continue Reading DoD Issues Final Guidance for Assessing Contractor Compliance with NIST SP 800-171

This post first appeared on Covington’s Global Policy Watch blog on September 7, 2018

Generating and sustaining the United States’ global economic and military superiority over more than the last half century has depended on a dominant U.S. global economic position and perpetual technological innovation. The United States has increasingly
Continue Reading How Well Do You Know Your Supply Chain? New Policy Developments Affect Defense and Security Contractors

The Department of Defense (“DoD”) recently released the summary of its cyber strategy for 2018.  The 2018 DoD Cyber Strategy, which replaces the DoD’s 2015 cyber strategy, is focused broadly on “defending forward,” shaping day-to-day competition, and preparing for conflict.  But the strategy includes items that are sure to be of interest to contractors and other private sector DoD partners, particularly the members of the Defense Industrial Base (“DIB”).  In addition to its emphasis on adopting a more flexible approach to procurement, the strategy is focused on protecting DIB networks and systems and holding members of the DIB and other private sector partners accountable for their cybersecurity practices.  Many contractors may already be seeing evidence of this emphasis on accountability, with the recent announcement by the Secretary of Defense that the DoD Office of Inspector General (“OIG”) would conduct an audit to determine whether DoD contractors have security controls in place to protect the DoD controlled unclassified information (“CUI”) maintained on their internal information systems.
Continue Reading 2018 DoD Cyber Strategy: The DoD Defends Forward While the DIB Must Defend its Cyber Practices

The National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), will host a Workshop providing an overview of Controlled Unclassified Information (CUI) on October 18, 2018. The agenda for the Workshop shows a full day of panels, including those addressing DoD’s “Safeguarding Covered Defense Information and Cyber Incident Reporting” Clause (DFARS Cyber Rule), overviews of NIST Special Publications (SPs) 800-171 and 800-171A, and Government expectations when evaluating contractor implementation of the 800-171 security controls.
Continue Reading NIST to Host CUI Information Security Workshop

As the Senate approaches the end of its debate on the National Defense Authorization Act for Fiscal Year 2019, provisions of the bill regarding access to and review of information technology code deserve close attention.  These sections, if enacted, would significantly impact Department of Defense contractors and also would affect matters associated with investments subject to review by U.S. national security agencies.

As drafted, the provisions could expose current and prospective contractors to intrusive scrutiny and significant risks.  They lack clarity on key definitions, leaving the precise scope of those risks unclear.  We summarize major issues and concerns below.  We expect these provisions to receive scrutiny during the House-Senate conference on the NDAA over the summer. 
Continue Reading Senate Armed Services Committee Proposes Expansive but Unclear Software Review Provisions

On April 24, 2018, the Department of Defense (DoD) issued a Notice and Request for Comment on draft guidance that DoD proposes for assessing contractors’ System Security Plans (SSPs) and their implementation of the security controls in NIST Special Publication (SP) 800-171. This includes assessments as part of source selection decisions and during contract performance. DFARS 252.204-7012 requires defense contractors to provide “adequate security” for networks where covered defense information (CDI) is processed, stored, or transmitted. Adequate security means, “at a minimum,” implementing NIST SP 800-171. To demonstrate implementation or planned implementation of the security controls in NIST SP 800-171, contractors must describe in a SSP how the security requirements have been implemented and develop plans of action and milestones (POA&M) that describe how any unimplemented security requirements will be met.
Continue Reading Draft DoD Guidance on SSPs and NIST SP 800-171 – Impact on Bid Protests and Ongoing Contract Performance

On April 17, 2018, Department of Homeland Security (DHS) Secretary Kirstjen Nielsen delivered a keynote address at the RSA Conference.  A copy of her prepared remarks is available here.  Secretary Nielsen’s remarks highlighted efforts by DHS to address the evolving cybersecurity threats to our country’s critical infrastructure.

Secretary Nielsen set the stage by describing the realities of the cyber threat landscape:  2017 was a landmark year in terms of cyberattack volume, with nearly half of all Americans having their sensitive personal information exposed online and ransomware attacks spreading to more than 150 countries.  The Secretary stated that cybercrime damages are estimated to reach $6 trillion annually[1] by 2021, and suggested that the emergence of internet-connected devices could make us even more vulnerable to cyberattacks.

To address evolving cyber threats and more sophisticated threat actors, Secretary Nielsen posited a five part approach that DHS is taking to support a “more forward-leaning posture” in the cybersecurity area.  Those five approaches are summarized below:Continue Reading Department of Homeland Security Secretary Kirstjen Nielsen Proposes “More Forward-Leaning Posture” for Federal Government in Cybersecurity