Cybersecurity

By final rule issued January 27, the Department of Defense (DoD) updated its Privacy Program, meaning that effective February 26, 2015, certain DoD contractors will be required to comply with additional “rules of conduct.”  These rules of conduct are consistent with the types of requirements imposed on federal agencies by the Privacy Act.

The final rule applies to all DoD components and to all DoD contractors (and any employee of such a contractor) involved in the “design, development, operation, or maintenance of any system of records.”[1]  Such contractors will be required to comply with expanded rules of conduct.  Specifically, contractors must (new requirements are in bold):

  • preserve the security and confidentiality of Personally Identifiable Information (PII) on its systems;
  • refrain from disclosing any PII, except as authorized by applicable statutes, or be subject to criminal penalties and/or administrative sanctions;
  • report unauthorized disclosures of PII or any maintenance of a system of records not authorized by the DoD Privacy Program to the relevant privacy point of contact;
  • ensure anyone with access to a system of records is properly trained under the DoD Privacy Program;
  • prepare any required system of records notices (SORNs) for publication in the Federal Register;
  • refrain from maintaining a system of records without first ensuring a SORN was published in the Federal Register, or face criminal penalties and/or administrative sanctions;
  • minimize the collection of PII to that which is relevant and necessary to accomplish a DoD purpose;
  • refrain from maintaining records describing how any individual exercises his/her First Amendment rights, except when (1) authorized by statute; (2) authorized by the individual the record is about; (3) the record is pertinent and within the scope of an authorized law enforcement activity (including intelligence or administrative activities);
  • safeguard the privacy of all individuals and the confidentiality of all PII;
  • limit the availability of records containing PII to DoD personnel and contractors with a need to know;
  • prohibit unlawful possession, collection, or disclosure of PII whether or not within a system of records; and
  • maintain all records in a mixed system of records (a system that commingles the data of U.S. citizens and non-citizens) as if all records are subject to the Privacy Act.

Continue Reading DoD’s Updated Privacy Program Imposes Stringent Rules for Protection of PII

On December 18, 2014, President Obama signed a bill reforming the Federal Information Security Management Act of 2002 (“FISMA”). The new law updates and modernizes FISMA to provide a leadership role for the Department of Homeland Security, include security incident reporting requirements, and other key changes.

Background:  FISMA was originally passed in 2002 to provide a framework for the development and maintenance of minimum security controls to protect federal information systems. FISMA charged the Director of the Office of Management and Budget (“OMB”) with oversight of agency information security policies and practices.

Changes:  The newly signed law, the “Federal Information Security Modernization Act of 2014” (“FISMA 2014”), makes several key changes to FISMA.

First, the law authorizes the Secretary of the Department of Homeland Security (“DHS”) to assist the OMB Director in administering the implementation of agency information and security practices for federal information systems. Among the Secretary’s responsibilities are convening meetings with senior agency officials, coordinating government-wide efforts for information security, consulting with the Director of the National Institute of Standards and Technology (“NIST”), and providing operational and technical assistance to agencies. Perhaps most importantly, the Secretary is tasked with developing and overseeing the implementation of “binding operational directives” to agencies to implement policies, principles, standards, and guidelines developed by the OMB Director. “Binding operational directives” are defined in FISMA 2014 as a “compulsory direction” to an agency “for the purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability or risk.”

This delegation of responsibility is likely related to another new law codifying DHS’s cybersecurity role, and authorizing a cybersecurity information-sharing hub, the National Cybersecurity and Communications Integration Center.

Continue Reading FISMA Updated and Modernized

The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate.  Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”

Operationally Critical Contractors Rapid Reporting Regulations

Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish within 90 days procedures to designate “operationally critical contractors” and the rapid reporting of cyber incidents affecting such contractors.  An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”

Designated and notified operationally critical contractors will be required to “rapidly” report each cyber incident on any of its networks or information systems.   For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.”  Reports must include:

  • The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
  • The technique or method utilized in the cyber incident;
  • Samples of any malicious software used in the incident, if discovered and isolated; and
  • A summary of the compromised information.

The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.

Continue Reading DoD to Impose Yet Another Form of Rapid Reporting Requirements

On November 18, the National Institute of Standards and Technology (“NIST”) released Draft Special Publication 800-171 (“SP 800-171”), which includes new recommended security controls for nonfederal organizations such as government contractors, state and local governments, and colleges and universities that “process, store, or transmit” controlled unclassified information (“CUI”) on their own systems.  These draft standards were issued pursuant to Executive Order 13556, Controlled Unclassified Information (“CUI EO”), which called for the establishment of a uniform government approach for managing unclassified information requiring safeguarding or dissemination controls.  The draft standards are based on the security requirements and controls in FIPS Publication 200 and NIST SP 800-53, but were tailored to eliminate requirements that are uniquely federal, related primarily to availability, and/or presumably already routinely satisfied by nonfederal organizations.

To maintain the security of CUI, the CUI EO instructed the National Archives and Records Administration (“NARA”) to collaborate with various agencies to propose CUI classifications and associated markings, and issue any directives necessary to implement the CUI EO.  As noted in SP 800-171, “the CUI program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions” through a federal CUI Registry.  This Registry outlines 22 top-level categories of data, with subcategories covering everything from electronic fund transfers to source selection in the procurement process.  Although the categories of information included in the Registry are unclassified, the government has determined that additional safeguarding – such as storage on a secure server – or limitations on sharing the data should be employed.  To ensure that controls are reasonable and justified, the CUI EO requires each category to be based in statute, regulation, or government-wide policy, and the Registry lists such authorizations.

Continue Reading NIST Draft Standards Provide Guidance For Protecting CUI on Contractor Systems

The Nuclear Regulatory Commission (“NRC”) appears poised to be the next agency to promulgate cybersecurity breach notification requirements.  The NRC has stated that it is moving forward with draft breach notification rules it released in July 2014.  Under the draft rules, anyone licensed by NRC to operate a nuclear power plant would be required to report cybersecurity events to the NRC Headquarters Operations Center via its Emergency Notification System.  The draft rules set forth four types of notifications for cybersecurity breaches based on the imminence or severity of the event:  one-hour notifications; four-hour notifications; eight-hour notifications; and twenty-four-hour recordable events, explained below.

One-hour Notification − Must be made within one hour of discovering a cyber attack that “adversely impacted safety-related or important-to-safety function, security functions, or emergency preparedness functions . . . or compromises support systems and equipment that results in adverse impacts to safety, security, or emergency preparedness functions.”

Four-hour Notification − Must be made within four hours of:

  • Discovering a cyber attack that “could have caused an adverse impact” to safety- and security-related functions;
  • Discovering a suspected or actual cyber attack that was initiated by personnel with physical or electronic access to computers, communications systems, and networks; and/or
  • Notification by a local, state, or federal agency of an event related to the implementation of the licensee’s cyber security program.

There is no requirement to make a four-hour notification if a one-hour notification is made for the same event.

Continue Reading Nuclear Regulatory Commission Moving Forward on Data Breach Notification Rules

The U.S. Food and Drug Administration recently became one of a number of federal agencies to adopt the National Institute of Standards and Technology’s (“NIST”) core cybersecurity framework.  On October 2, 2014, FDA issued final guidance on the content of premarket submissions for the management of cybersecurity in medical devices.  The final guidance sets forth recommendations for the design and development of medical devices, as well as the preparation of premarket submissions, that are intended to reduce the likelihood that medical devices will be compromised as a result of inadequate cybersecurity.  Although the final guidance is not binding, it is broadly applicable—the recommendations apply to device manufacturers submitting premarket applications and notifications (including 510(k) notifications), as well as to manufacturers implementing the requirements under the Quality System Regulation.   The guidance supplements other standards generally applicable to software included in medical devices, as well as specific standards addressing cybersecurity risks in medical devices containing off-the-shelf software.

In addition to adopting the NIST core cybersecurity framework, which FDA recently agreed to promote in a Memorandum of Understanding with the National Health Information Sharing and Analysis Center, the final guidance sets forth concrete recommendations specifically applicable to medical devices.  The final guidance suggests, for example, that device manufacturers put systems in place to detect compromises and implement safeguards to preserve critical functionality and recover previous configurations.  The final guidance also recommends that device manufacturers track all cybersecurity risks considered in the design of a device and justify in premarket submissions the safeguards put in place to address identified risks.  Specifically, the final guidance recommends that manufacturers justify a decision to use a particular security function, such as the use of one among many authentication processes or methods of securing the transfer of data.

Continue Reading FDA Adopts Core NIST Framework in Guidance for Management of Cybersecurity in Medical Devices

On February 12, 2013, President Obama issued Executive Order 13636, which directed federal agencies to undertake a broad range of tasks aimed at enhancing the security and resilience of the nation’s critical infrastructure.  One task directed the National Institute of Standards and Technology (“NIST”) to establish a technology-neutral, voluntary, risk-based

Continue Reading New RFI Seeks Feedback on NIST Cybersecurity Framework

The Department of Defense (“DOD”) has once again delayed the promulgation of regulations requiring DOD contractors to rapidly report data breaches and allowing DOD to access the contractor’s equipment to conduct a forensic analysis.  The National Defense Authorization Act for Fiscal Year 2013 originally required an ad hoc committee to

Continue Reading DOD Rapid Reporting Regulations Further Delayed

When it became law on July 7, 2014, the 2014 Intelligence Authorization Act (“IAA”) gave the Director of National Intelligence (“DNI”) 90 calendar days to issue new regulations addressing the requirement that “cleared intelligence contractors” report any “successful penetration” of their networks and information systems.  With the DNI on the clock, what can these contractors expect?

For one thing, following a penetration of a covered network or information system, the DNI regulations will require that a cleared intelligence contractor report the following information to a designated element of the Intelligence Community (“IC”):