Cybersecurity

On September 21, 2017, the Director of the Defense Pricing/Defense Procurement and Acquisition Policy (DPAP) issued guidance to Department of Defense (DoD) acquisition personnel in anticipation of the December 31, 2017 date for contractors to implement the security controls of NIST Special Publication (SP) 800-171.  The guidance outlines (i) ways in which a contractor may use a System Security Plan (SSP) to document implementation of NIST SP 800-171; and (ii) provides examples of how DoD organizations could leverage a contractor’s SSP and related Plan of Action and Milestones (POA&M) in the contract formation, administration, and source selection processes.
Continue Reading DoD Issues Further Guidance on Implementation of DFARS Cyber Rule

The National Institute of Standards and Technology (“NIST”) released on August 15, 2017 its proposed update to Special Publication (“SP”) 800-53. NIST SP 800-53, which was last revised in 2014, provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Systems Management Act of 2002 (“FISMA”). The revised version will still apply only to federal systems when finalized, but one of the stated objectives of the revised version is to make the cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems. 
Continue Reading NIST Releases Fifth Revision of Special Publication 800-53

On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government. As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of executive agencies’ IoT devices by directing executive agencies to include specified clauses in contracts for the acquisition of Internet-connected devices.

The bill’s provisions leverage federal purchasing power to improve the security of IoT devices by requiring, among other things, IoT device, software, and firmware providers to certify compliance with specified security controls and requirements relating to vulnerability patching and notification, unless such contractors otherwise satisfy one of three waiver requirements.

The bill also directs the Department of Homeland Security (“DHS”) to issue vulnerability disclosure guidance for government contractors; to amend federal statutes, specifically the Computer Fraud and Abuse Act (“CFAA”) and Digital Millennium Copyright Act (“DMCA”), to exempt certain “good faith” activities by cybersecurity researchers; and require all executive branch agencies to maintain an inventory of IoT devices active on their networks.

In addition, the statute would require the Director of the Office of Management and Budget (“OMB”) to issue guidelines to federal agencies consistent with the bill within 180 days of enactment.

The bill is summarized below.
Continue Reading A Summary of the Recently Introduced “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”

The Department of Defense (“DoD”) held an “Industry Information Day” on June 23, 2017 to address questions regarding DFARS Case 2013-D018 “Network Penetration and Reporting for Cloud Services,” including DFARS clauses 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” and 252.239-7010 “Cloud Computing Services.”   DoD’s presentation lasted approximately four
Continue Reading Highlights from DoD Industry Day on DFARS Cyber Rule

On May 11, 2017, the U.S. China Economic and Security Review Commission (“Commission”) issued a Request for Proposal to “to provide a one-time unclassified report on supply chain vulnerabilities from China in U.S. federal information technology (IT) procurement.”

Congress established the Commission in 2000 to monitor and report to Congress
Continue Reading USSC Issues RFP For Report On Supply Chain IT Vulnerabilities From China

On January 27, 2017, the Department of Defense (DoD) issued an updated Frequently Asked Questions (FAQ) regarding the application and requirements of DFARS 252.204.7012 Safeguarding Covered Defense Information and Cyber Incident Reporting. Though questions remain regarding various nuances of the rule, the FAQ is a helpful document for those contractors still working on implementation of DFARS 252.204.7012.  Divided into three sections — (1) General Application, (2) Security Requirements, and (3) Cloud Computing — the FAC provides answers to 59 commonly asked questions and provides greater clarity on a number of important points, which are discussed in greater detail below.
Continue Reading DoD Further Clarifies Its DFARS Cybersecurity Requirements

In 2016, the dangers presented by an increasingly digital world clearly were on display. A cyber-attack using an army of Internet of Things devices interfered with the operations of major commercial websites. And the Presidential Election was plagued with allegations of state-sponsored cybersecurity hacking (for which the Obama Administration just issued sanctions against the Russian government). Cybersecurity threats are unlikely to cede the spotlight in the coming year. Indeed, Marcel Lettre, the Undersecretary of Defense for Intelligence recently described cybersecurity as a “political, economic, diplomatic and military challenge” that is “evolving and growing more acute over time.”
Continue Reading More Cybersecurity Changes Expected for Contractors in 2017

On October 21, 2016, the Department of Defense (DoD) issued its long-awaited Final Rule—effective immediately—imposing safeguarding and cyber incident reporting obligations on defense contractors whose information systems process, store, or transmit covered defense information (CDI). The Final Rule has been years in the making and is the culmination of an initial rule issued in November 2013, two interim rules published in August 2015 and December 2015, and years of comments and experience by DoD and its contractors.  The new Rule materially alters the predecessor rule in a number of respects and clarifies several important issues relating to contracting for cloud computing services.
Continue Reading Cybersecurity Update: DoD Releases Long-Awaited Final Rule

On October 4th, the Department of Defense (DoD) issued a Final Rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors who have “agreements” with DoD.  The Final Rule also highlights DoD’s desire to encourage greater participation in the voluntary Defense Industrial Base (DIB) cybersecurity information sharing program.  This Rule is effective on November 3, 2016.

This Final Rule implements, in part, statutory requirements for rapidly reporting cyber incidents, including section 941 of the Fiscal Year (FY) 2013 National Defense Authorization Act (NDAA) and sections 391 and 393 of Title 10, and follows an interim rule issued on October 2, 2015.  DoD intends for this Rule to incorporate and harmonize all of the cyber incident reporting requirements – both mandatory and voluntary – for entities that have any “agreements” with DoD.  81 Fed. Reg. 68316.  Key highlights of the Final Rule are addressed below.Continue Reading DoD Finalizes Rule on Policies for Cyber Incident Reporting

On September 14, 2016, the National Archives and Record Administration (“NARA”) issued a Final Rule, effective November 13, 2016, establishing cross-agency practices and procedures for safeguarding, disseminating, controlling, destroying, and marking Controlled Unclassified Information (CUI).  Although the Final Rule only applies directly to executive branch agencies that designate or
Continue Reading NARA Sets the Stage for a Final FAR Cyber Clause