Congress has recently enacted legislation to address ongoing cybersecurity threats; the Executive Branch adopted new cybersecurity regulations in May 2016; and other Federal initiatives are underway that promise further change requiring enhanced cybersecurity protections.
The Cybersecurity Act of 2015 (“Cybersecurity Act”) represents the federal government’s first successful step toward creating a partnership between government and private industry to address cybersecurity issues.1 Although Congress struggled for years to pass legislation to address the rapid increase in cybersecurity threats, this is the first major cybersecurity legislation to bring private industry and domestic nonfederal entities into a federal initiative directed at sharing information on detected cyber threat “indicators” and on defensive measures taken to protect information systems and the information accessible through or controlled by those systems. The key language of Title I of the Cybersecurity Act was taken from an earlier, controversial bill known as the Cybersecurity Information Sharing Act (CISA),2 which was combined with three other Titles to form the Cybersecurity Act. To ease passage through Congress, the consolidated Act was enacted as part of the FY2016 omnibus appropriations bill and was signed into law on December 18, 2015.
Notwithstanding the delay in passing comprehensive cybersecurity legislation, the Executive Branch was well prepared for its passage, due in part to the federal actions mandated by the Federal Information Security Modernization Act of 2014 (FISMA).3 Many of the new Executive Branch initiatives implement the Cybersecurity Act; others reach farther, continuing the work described in the Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government.4 For example, while the Cybersecurity Act contemplates only voluntary reporting of cyber threat indicators and defensive measures, recent Department of Defense (DoD) regulations require covered federal contractors to report cyber incidents. These DoD regulations, implemented through the Defense Federal Acquisition Regulation Supplement (DFARS), require contractors to strengthen the information systems used in contract performance by complying with the NIST SP 800-171 cybersecurity standards, and they adopt a new DoD policy on the acquisition of cloud computing services, all with associated contract clauses.5 Finally, on May 16, 2016, a final rule was published amending the Federal Acquisition Regulation (FAR) “to add a new subpart and contract clause for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information.” This new, far-reaching, mandatory regulation is also discussed below. Mandatory reporting of cyber incidents under covered Executive agency contracts, similar to the recent DFARS requirements, may be expected to follow.
Understanding the contours of the Cybersecurity Act, the new FAR rule on safeguarding contractor information systems, and the initiatives undertaken since passage of the Cybersecurity Act is important to preparing for these changes.
Recent Cybersecurity Initiatives and New Regulations
The President and designated agencies took swift action to invigorate and implement the Cybersecurity Act. On February 9, 2016, the President announced the Cybersecurity National Action Plan (CNAP), the culmination of a seven-year effort to strengthen cybersecurity, and issued an Executive Order creating the Commission on Enhancing National Cybersecurity (the “Commission”) within the Department of Commerce as a central feature of CNAP.6 On April 13, 2016, the President announced the members of the Commission, selected by the President and bipartisan Congressional leadership.7 The National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence (NCCoE), also housed within the Department of Commerce, will provide significant resources to the Commission.8 NIST is publishing Federal Register Notices announcing the Commission’s monthly open meetings. The first meetings were held on April 14, 2016 in Washington, DC, and on May 6, 2016 in New York City at the New York University Center for Law. Watch for upcoming NIST Notices of future open meetings of the Commission.
NIST also awarded a $29M indefinite delivery/indefinite quantity contract to MITRE Corp. to support the NCCoE, and MITRE maintains the Common Attack Pattern Enumeration and Classification (CAPEC) resource, which will help establish a common cyber threat vocabulary as the various agencies continue to implement guidance.9 The NCCoE is another NIST resource: one of its missions is to collaborate with industry to identify the nation’s most pressing cybersecurity issues, generate a detailed technical description of each issue, and work with technology vendors to develop a standards-based example solution to address it. This work offers private companies both informal access to the planning process and contracting opportunities to participate directly in it.10