This summer’s data security breach involving the Office of Personnel Management (OPM) exposed a stark reality that the federal cybersecurity contracting community has known for years—federal cybersecurity policy is a confusing maze of overlapping and sometimes inconsistent rules that are applied and enforced differently across various federal agencies. Congress and the White House have deputized various agencies to spearhead the federal government’s cybersecurity efforts. Yet truly coordinated policy and regulation have remained elusive. Based on our analysis, a primary reason for this is that almost every agency, and even many sub-agencies, wants a role in cybersecurity policy and data security as it relates to its own area of responsibility. It is essential for federal contractors to track and comply with the cybersecurity and data protection requirements that apply to their specific government customers.
Efforts to Consolidate Cybersecurity Policy and Responsibilities
Recent efforts to consolidate federal data security controls began with the Federal Information Security Management Act of 2002 (FISMA). Through FISMA, Congress directed the Office of Management and Budget (OMB) to develop a framework for the creation and maintenance of minimum security controls to protect federal information systems.
FISMA was updated by the Federal Information Security Modernization Act of 2014, which gave the Department of Homeland Security (DHS) authority to implement federal cybersecurity policy. DHS was directed to assist the OMB with development and implementation of “binding operational directives” to agencies. “Binding operational directives” are defined in the FISMA update as “compulsory direction” to an agency “for the purposes of safeguarding Federal information and information systems from a known or reasonably suspected information security threat, vulnerability or risk.”
Relatedly, the National Cybersecurity Protection Act of 2014 directed that DHS’s existing National Cybersecurity and Communications Integration Center (NCCIC) be used as a means for the government and private sector to share information about cybersecurity threats and incident response.
Other legislation that year, the Cybersecurity Enhancement Act of 2014, gave authority to the Director of the National Institute of Standards and Technology (NIST) to work with the private sector to develop a “voluntary, industry-led, consensus-based” set of cybersecurity standards and best practices for “critical infrastructure.” This followed on the heels of Executive Order 13636, Improving Critical Infrastructure Cybersecurity, issued in February 2013, in which the President directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks.
Pursuant to these and other authorities, the responsible federal agencies have issued regulations and guidance intended to serve the purpose of standardizing, or at least coordinating, cybersecurity policy.
The OMB has worked with NIST and DHS to develop FISMA guidelines. In February 2014, NIST released its Cybersecurity Framework, the voluntary framework called for by Executive Order 13636. NIST has also spearheaded efforts to demonstrate how the FISMA guidelines and standards, including the Risk Management Framework of NIST Special Publication 800-37, can be used in concert with the Cybersecurity Framework.
For cloud-related security, the government-wide Federal Risk and Authorization Management Program (FedRAMP) standardizes the security assessment, authorization, and continuous monitoring requirements for cloud products and services. FedRAMP is the result of a collaboration among NIST, DHS, OMB and the General Services Administration (GSA), the Department of Defense (DoD), the National Security Agency (NSA), and the Federal Chief Information Officer (CIO) Council, as well as private industry.
Individual Agency Efforts
In addition to these coordinated activities, various federal agencies have taken their own steps to develop cybersecurity protections and parameters.
Perhaps most active has been the DoD. In April 2015, the DoD released a new cyber strategy in order to “guide the development of DoD’s cyber forces and strengthen [its] cyber defense and cyber deterrence posture.” Just last week, a final DoD-Defense Industrial Base Cybersecurity Activities regulation was issued, which mandates reporting of cyber incidents that result in an actual or potentially adverse effect on covered contractor information systems or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support.
The DoD is not the only agency to have developed its own cybersecurity strategy. The Departments of Energy, Health and Human Services, and Justice, the NSA, and several other agencies all have their own cybersecurity initiatives.
Indeed, in the last week alone, both the Central Intelligence Agency (CIA) and the Navy created new cybersecurity divisions. The CIA created its first new directorate in fifty years—the Directorate for Digital Innovation—whose goal is to create a “strategic framework” for IT management, innovation, and training, particularly around cyber issues. The Navy established the Navy Cybersecurity Division, and charged it with evaluating cyber investments and policy. The Department of Veterans Affairs and the Army also are preparing to unveil their new cyber strategies later this year.
The presence of so many different players, each with their own unique interests, makes inevitable the proliferation of additional and varied cybersecurity-related rules.
Differing Data Security Requirements Based on the Nature of the Information to Be Protected
One of the major ways in which the federal government has responded to the cyber threat is to impose specific cybersecurity responsibilities on contractors that have access to sensitive data. The laws, regulations, and policies that create these requirements are varied, and the protections that must be implemented frequently depend in large part on the nature of the information.
Contractors accessing classified information are subject to the requirements of the National Industrial Security Program Operating Manual (NISPOM). NISPOM data security restrictions are among the most stringent, requiring that information systems be accredited before they can process classified information. Contractors must report cyber attacks concerning classified information systems in accordance with the rules in the NISPOM.
Controlled Unclassified Information
Controlled Unclassified Information (CUI) is defined in a recently issued proposed FAR rule as “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.” The term CUI was first described in a May 9, 2008 Presidential directive. CUI initially was intended to replace categories such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES). A related concept is Unclassified Controlled Technical Information (UCTI), a term often used interchangeably with CUI to describe non-classified information that still needs protection from disclosure.
On November 4, 2010, President Obama signed Executive Order 13556, “Controlled Unclassified Information,” which sought to establish a government-wide program for managing CUI. The Executive Order encouraged dialogue among the executive branch, departments and agencies, other stakeholders, and the general public to consolidate and standardize CUI terms and practices. Each agency was to develop its own implementing regulations for designating and labeling CUI. Unfortunately, very little has been done at the agency level to advance these goals, and policies remain largely inconsistent.
Earlier this summer NIST published new CUI guidelines in the form of Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
The new guidelines are designed to apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or that provide security protection for those components. They are based on existing requirements found in two of NIST’s foundational information security documents: Federal Information Processing Standard (FIPS) 200 and the Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53). The new guidelines have been in the works for several years, as they were developed pursuant to Executive Order 13556. The CUI program itself is overseen by another federal agency, the National Archives and Records Administration (NARA). This summer, NARA published in the Federal Register a proposed rule implementing the CUI program, and a Federal Acquisition Regulation (FAR) clause applying the NIST CUI guidelines to federal contracts is expected to follow. It is expected that a final FAR clause will be issued in 2016.
In August 2015, the OMB issued a draft guidance memorandum providing direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provide access to Controlled Unclassified Information (CUI) on behalf of the Federal government.”
Even with the OMB, NIST, and NARA guidance, and particularly before a final rule becomes effective, contractors face differing agency requirements in terms of how to protect CUI and what sorts of data breaches need to be reported (and how quickly).
The General Services Administration (GSA) FAR supplement requires that contractors submit a FISMA-compliant IT security plan in order to house certain sensitive GSA data and that contractors provide specific warnings to users accessing GSA information as well as a “continuous monitoring plan” to identify vulnerabilities.
DoD has similar requirements, although they have changed rather significantly in just the past two years. In 2013, the agency issued cybersecurity rules related to DoD UCTI to which contractors had access. Under DFARS Subpart 204.73, “Safeguarding Unclassified Controlled Technical Information,” contractors were required to satisfy specific NIST standards, with supplemental protections as deemed necessary, in order to protect UCTI, which the DoD defined as technical data or computer software with a military or space application that is subject to controls and is marked as controlled information under DoD Directive 5230.24. Contractors also were required to report any breach incidents on the contractors’ systems (or their subcontractors’ systems) that involved UCTI within 72 hours of discovery.
On August 26, 2015, however, the DoD issued an immediately effective interim rule requiring government contractors and subcontractors to report cybersecurity breaches of their (and their subcontractors’) information technology systems not only for UCTI, but for all types of what DoD now calls “covered defense information,” a term that includes UCTI plus other categories of non-classified information that requires special handling, such as export control data and operations security information. The new rule therefore expands the types of cyber incidents that must be reported and the types of defense information that must be protected by DoD contractors and subcontractors. Just six weeks after issuing the new rule, however, DoD apparently recognized that at least one part of the rule was not practicable, because on October 8, 2015 DoD issued a class deviation giving covered contractors an additional nine months to satisfy the requirement for “multifactor authentication for local and network access” found in NIST Special Publication 800-171.
Special Data Categories
Under federal (and state) privacy laws, companies are legally obligated to protect certain types of sensitive personal information. Federal regulations were issued to require certain entities, particularly in the health care and financial services sectors, to implement information security programs and provide breach notice to affected persons.
Many of these rules are designed to protect consumers, but there are federal agency reporting obligations as well. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities notify the Secretary of Health and Human Services of breaches of unsecured “protected health information,” including breaches caused by cyber attacks. And under the Gramm-Leach-Bliley Act, financial institutions must notify their primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to, or use of, “sensitive customer information,” a category which includes social security numbers, driver’s license numbers, account numbers, credit or debit card numbers, and personal identification numbers or passwords that would permit access to the customer’s account.
In short, additional cybersecurity and data breach notification requirements may apply depending on the type of work a company is performing.
October is “Cybersecurity Awareness Month.” We would advise all government IT contractors to remain aware of the changing cybersecurity regulatory environment, and to be certain they understand the statutes and regulations that apply to their government-related activities. Ideally, at some point in the future, these requirements will be straightforward and standardized, but until then, extreme vigilance is required to ensure full compliance.