Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks. Four years later, NIST has released an updated version of the Framework.
Continue Reading NIST Releases Updated Cybersecurity Framework
Cybersecurity
NIST Seeks to Assist Contractors in Assessing SP 800-171 Compliance
Late last month, the National Institute of Standards and Technology (“NIST”) released a set of documents for public comment that are aimed at helping contractors assess and implement compliance with NIST Special Publication (“SP”) 800-171, which establishes the standards for protecting Covered Defense Information (“CDI”), among other forms of Controlled Unclassified Information (“CUI”). First, NIST released an updated final public draft of SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. Second, NIST released templates for contractor system security plans (“SSPs”) and plans of action and milestones (“POAMs”). While neither finalized nor mandatory, these documents provide useful guidance for contractors struggling with SP 800-171 compliance.
Continue Reading NIST Seeks to Assist Contractors in Assessing SP 800-171 Compliance
DHS Cybersecurity Legislation Advances Through Capitol Hill
By Raymond Biagini & Susan B. Cassidy on
Posted in Cybersecurity, SAFETY Act
Earlier this week, both chambers on Capitol Hill took steps that would increase the Department of Homeland Security’s (DHS) role in the area of cybersecurity. On the Senate side, the Senate Homeland Security and Governmental Affairs Committee approved a DHS reauthorization bill that included amendments to rename and reorganize the DHS National Protection and Programs Directorate (NPPD), to increase protections for certain personally identifiable information (PII), and to emphasize the need for cybersecurity research. On the House side, the House Homeland Security Committee approved the Cyber Incident Response Teams Act, which would establish teams within DHS devoted to cyber incident response.
Continue Reading DHS Cybersecurity Legislation Advances Through Capitol Hill
Latest NIST Draft Report a Call to Action for Federal Agencies and Private Companies
By Susan B. Cassidy & Priscilla Combari on
Posted in Cybersecurity, Internet of Things (IoT)
Inflection Point for IoT
In a relatively short amount of time, the adoption of the Internet of Things (IoT) and its applications — from smart cars to the myriad of interconnected sensors in the General Service Administration building reminiscent of HAL 9000 from 2001: A Space Odyssey — has rapidly proliferated, providing significant opportunities and benefits. However, the increased ubiquity of IoT comes with heightened risks to security, privacy and physical safety and without a standardized set of cybersecurity requirements, many IoT devices and systems are vulnerable to attack. Earlier this month, the National Institute of Standards and Technology (NIST) (through the Interagency International Cybersecurity Standardization Working Group (IICS WG)) released a draft report to help both federal agencies and private companies plan and develop cybersecurity standards in their use and production of IoT components, products, systems and services. The draft report stresses the importance of coordination across the private and public sectors in developing standards to bolster the security and resilience of IoT, provides a snapshot of current international cybersecurity standards, and offers recommendations for gap-filling.Continue Reading Latest NIST Draft Report a Call to Action for Federal Agencies and Private Companies
DFARS Cyber Rule – What Questions Should Contractors Ask Themselves in the New Year?
By Susan B. Cassidy on
Posted in Cybersecurity
[The referenced article was originally published in Law360.]
Since August 2015, defense contractors have been on notice that they were required to implement the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 no later than December 31, 2017 on covered contractor information systems. …
Continue Reading DFARS Cyber Rule – What Questions Should Contractors Ask Themselves in the New Year?
NIST Holds Webcast to Discuss Updates to Cybersecurity Framework
By Susan B. Cassidy & Moriah Daugherty on
Posted in Cybersecurity
On December 20, 2017, the National Institute of Standards and Technology (“NIST”) held a live webcast to discuss the draft updates to the Framework for Improving Critical Infrastructure Cybersecurity (“the Cybersecurity Framework”) and the Roadmap for Improving Critical Infrastructure Cybersecurity (“the Roadmap”). Although the webcast is not currently available online, NIST plans to publish a recording of the live webcast in early January 2018.
During this webcast, NIST provided an overview of the updates to Version 1.1 of the Cybersecurity Framework (“Version 1.1”), which were analyzed in previous blog posts on Inside Privacy and Inside Government Contracts. The webcast included a discussion of the following topics:
Continue Reading NIST Holds Webcast to Discuss Updates to Cybersecurity Framework
NIST Releases Updated Draft of Cybersecurity Framework
By Susan B. Cassidy & Moriah Daugherty on
Posted in Cybersecurity
On December 5, 2017, the National Institute of Standards and Technology (“NIST”) announced the publication of a second draft of a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), Version 1.1, Draft 2. NIST has also published an updated draft Roadmap to the Cybersecurity Framework, which “details public and private sector efforts related to and supportive of [the] Framework.”
Continue Reading NIST Releases Updated Draft of Cybersecurity Framework
DoD Updates Internal Guidance on DFARS Cyber Rule
By Susan B. Cassidy on
The Department of Defense (“DoD”) has updated portions of its internal guidance addressing compliance with the requirements of Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Continue Reading DoD Updates Internal Guidance on DFARS Cyber Rule
NIST Releases New Draft Publication Designed to Assist Contractors In Assessing Compliance with NIST SP 800-171
Ahead of the upcoming December 31, 2017 deadline for federal defense contractors to implement National Institute of Standards and Technology (“NIST”) Special Publication 800-171 (“SP 800-171”), NIST has released a new draft publication designed to assist organizations in assessing compliance under SP 800-171, Draft Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information (“CUI”) (“SP 800-171A”).
Continue Reading NIST Releases New Draft Publication Designed to Assist Contractors In Assessing Compliance with NIST SP 800-171
DoD Class Deviations Allow for Greater Contracting Flexibility in Times of Crisis
The Department of Defense (“DoD”) has issued two Class Deviations that provide defense agencies with greater flexibility when procuring in times of crisis. These Class Deviations allow for the use of simplified acquisition procedures and excuse certain procurement obligations when DoD is responding to a cyber-attack or providing relief in…
Continue Reading DoD Class Deviations Allow for Greater Contracting Flexibility in Times of Crisis