Pursuant to Executive Order 13,556 and as forecasted in the draft of the National Institute for Standards and Technology’s (“NIST”) Special Publication (“SP”) 800-171, the National Archives and Record Administration (“NARA”) released on May 8, 2015 a proposed rule addressing the government-wide designation and safeguarding of Controlled Unclassified Information[1] (“CUI”) (“the Proposed CUI Rule” or “the Rule”).  On June 18, 2015, NIST released the final version of SP 800-171, which provides guidance for protecting the confidentiality of CUI residing in nonfederal information systems.

SP 800-171 also includes interpretations of and best practices for compliance with the Proposed CUI Rule.  As a result, reading SP 800-171 in conjunction with the Proposed CUI Rule suggests that contractors may soon face significant additional burdens for safeguarding government information on their systems.

Continue Reading New Proposed Rule and Accompanying Guidance May Impose Additional Cybersecurity Burdens on Contractors Handling CUI

On February 25, 2015, the Office of the Secretary of Defense (AT&L) issued a memorandum containing an agency “Scorecard” for the implementation of the DFARS clause on safeguarding Unclassified Controlled Technical Information (“UCTI”).  The final UCTI rule was published on November 18, 2013 and required the new DFARS clause 252.204-7012, which imposes requirements for (1) safeguarding UCTI that is “resident on or transiting through contractor unclassified information systems,” and (2) reporting cyber incidents and UCTI compromises, to be included in all solicitations and contracts, including those for commercial items.  The Defense Procurement and Acquisition Policy (“DPAP”) office reviewed contract clause compliance data for the first quarter of 2015 and found that DFARS clause 252.204-7012 was included in only 65% of new awards.
Continue Reading DoD Memo Reveals Poor Scorecard for Agency’s Inclusion of the UCTI DFARS Clause in New Contracts

The National Defense Authorization Act for Fiscal Year 2015 (“NDAA FY 15”) was passed by the House of Representatives on December 4, 2014, and is expected to pass in the Senate.  Among NDAA FY 15’s cybersecurity and acquisition provisions are directions for the Secretary of Defense to establish rapid reporting requirements for “operationally critical contractors.”

Operationally Critical Contractors Rapid Reporting Regulations

Section 1632 of NDAA FY 15 requires the Secretary of Defense to establish, within 90 days, procedures for designating “operationally critical contractors” and for the rapid reporting of cyber incidents affecting such contractors.  An “operationally critical contractor” is defined as a contractor determined to be a “critical source of supply for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.”

Designated and notified operationally critical contractors will be required to “rapidly” report each cyber incident on any of its networks or information systems.  For purposes of rapid reporting, a cyber incident is broadly defined as “actions taken through the use of computer networks that result in an actual or potential adverse effect on an information system or the information residing therein.”  Reports must include:

  • The contractor’s assessment of the effect of the cyber incident on its ability to meet its contractual obligations to the Department of Defense (“DoD”);
  • The technique or method utilized in the cyber incident;
  • Samples of any malicious software used in the incident, if discovered and isolated; and
  • A summary of the compromised information.

The Secretary’s procedures are also required to include mechanisms allowing DoD personnel to assist operationally critical contractors in detecting and mitigating penetrations.

Continue Reading DoD to Impose Yet Another Form of Rapid Reporting Requirements

The Nuclear Regulatory Commission (“NRC”) appears poised to be the next agency to promulgate cybersecurity breach notification requirements.  The NRC has stated that it is moving forward with draft breach notification rules it released in July 2014.  Under the draft rules, anyone licensed by NRC to operate a nuclear power plant would be required to report cybersecurity events to the NRC Headquarters Operations Center via its Emergency Notification System.  The draft rules set forth four types of notifications for cybersecurity breaches based on the imminence or severity of the event:  one-hour notifications; four-hour notifications; eight-hour notifications; and twenty-four-hour recordable events.  The first two are explained below.

One-hour Notification: Must be made within one hour of discovering a cyber attack that “adversely impacted safety-related or important-to-safety function, security functions, or emergency preparedness functions . . . or compromises support systems and equipment that results in adverse impacts to safety, security, or emergency preparedness functions.”

Four-hour Notification: Must be made within four hours of:

  • Discovering a cyber attack that “could have caused an adverse impact” to safety- and security-related functions;
  • Discovering a suspected or actual cyber attack that was initiated by personnel with physical or electronic access to computers, communications systems, and networks; and/or
  • Notification by a local, state, or federal agency of an event related to the implementation of the licensee’s cyber security program.

There is no requirement to make four-hour notification if a one-hour notification is made for the same event.

Continue Reading Nuclear Regulatory Commission Moving Forward on Data Breach Notification Rules