[BreachExchange] Three Ways that Counsel Can Assist Defense Contractors Achieve Proactive Compliance with the Department of Defense’s Newly Effective Cybersecurity Requirements

[Audrey McNeil]

https://www.jdsupra.com/legalnews/three-ways-that-counsel-can-assist-58929/

Although the Department of Defense (DOD) has long required its contractors
to provide “adequate security” to protect “Covered Defense Information,”
beginning on January 1 of this year, the Department specified that
“adequate security” means compliance with all 109 of the security controls
described in NIST 800-171. See Defense Federal Acquisition Regulation
Supplement (DFARS) 252.204-7012. These requirements apply regardless of a
contractor’s size or amount of business with the government. Failure to
meet these standards can result in legal actions against the contractor
(for breach of contract or under the False Claims Act) as well as
termination, suspension, and debarment from federal programs. While many of
the required secu-rity controls are highly technical, this article will
discuss a few basic ways that counsel to a defense contractor can provide
substantial value in a client’s efforts to meet the NIST 800-171 standards.

Breach Response Planning

In the wake of growing concerns over potential data breaches, the DOD has
tightened requirements for its con-tractors and the ways that they
implement protocols and respond to data incidents. The new DFARS clause
intro-duces a 72-hour reporting deadline for cyber incidents, while also
introducing additional handling procedures like the submission of malicious
software in accordance with a contracting officer’s direction and the
preservation and protection of images of affected information systems.

The DFARS cyber rules are not based on the question of “if” an incident
will occur, but rather “when” it will occur and how contractors can best
prepare for the road to recovery. The best practice for government
contractors is to update their plans to reflect the more specific DFARS
requirements. The initial hours following a data breach are the most
crucial. Contractors should already have an established set of protocols
and plans that they can immediately enact upon discovery of a data
incident. The first step should be to protect/privilege the data breach
investigation to allow for a free flow of information between key players.
>From the onset, contractors should have their in-house or outside counsel
assessing the facts and determining the potential risks and liabilities
they may face.

Next, there should be an immediate establishment of exactly what types of
data and how much data have been affected by the breach. Contractors should
already have a cyber-forensic team and additional technology experts on
retainer. As a general practice, it is best to negotiate those agreements
before a breach occurs so that there is no artificial pressure or unfair
leverage created by seeking help in a time of crisis.

The final considerations that contractors should keep in mind when updating
and applying data incident responses is how best to communicate during the
event of a breach. Although DFARS institutes a 72-hour reporting
requirement, contractors must consider whether they will need to provide
additional disclosure to customers, state attorney generals and/or
legislators, employees, the press, and, in some instances, law enforcement.
These are highly-complex determinations that can change based on a number
of factors – legal counsel is essential to helping contactors formulate an
appropriate plan for their organization. The types and contents of these
communications should be prepared well in advance and they should also be
ready to transmit within a reasonable time following the incident. Beyond
the channels of communication, though, contractors should also contemplate
business continuity plans that will allow them to maintain essential
functions despite the disruption of certain platforms and applications.
Nevertheless, attorneys should make sure that their contractor clients have
assembled a team capable of making the best business and legal decisions as
the incident unfolds and process of investigating, responding, and
recovering begins.

Vendor Management

Another concern of the DFARS rules is access control. The DFARS clause
requires that primary contractors “flow” the clause down to subcontractors
at any level who are involved in the processing of covered defense
information. Covered defense information (“CDI”) means unclassified
controlled technical information or other information, as described in the
Controlled Unclassified Information (CUI) Registry, that requires
safeguarding or dissemination controls pursuant to and consistent with law,
regulations, and government-wide policies. The information must be marked
as CDI and/or processed in support of the contrac-tor’s performance of a
government contract.

Essentially, the DFARS flow-down requirement compels both contractors and
subcontractors, alike, to provide adequate security pursuant to NIST
800-171. In practice, primary contractors are tasked with vendor
management, making sure that subcontractor work is performed on compliant
systems. Some ways that a primary contractor can tackle this complex task
include: engaging in direct communications with the subcontractor about the
specific requirements of DFARS; conditioning subcontract work on the
provision of evidence that subcontractors have engaged in a full NIST
800-171 security assessment and have developed, updated, and/or implemented
security plans to remediate any shortcomings; or, providing assistance to
subcontractors to ensure, firsthand, that they are in compliance with
DFARS. Creative and informed legal counsel can be a contractor’s best
weapon in negotiating downstream contracts that reduce a contractor’s
compli-ance risk due to failures by a subcontractor.

While there are several different approaches to vendor/subcontractor
management, it is incumbent on the primary contractor to decide which
method is the most feasible based on the extensiveness of the
subcontractor’s role to the contract. Contractors should also consider the
types of CDI that respective subcontractors will be handling. Given that
the prime contractor is ultimately liable for any violations of the DFARS
rules, contractors should be wary of subcontractors who are lax in their
cybersecurity or those who are completely unversed to the DFARS and NIST
control requirements. It is virtually impossible to exclude subcontractors
altogether; however, the addition of a non-DFARS compliant subcontractor
could lead to unnecessary liability in the wake of a data incident.

Employee Awareness and Training

Lastly, attorneys can assist their clients’ compliance efforts by
addressing every contractor’s highest cybersecurity risk: humans. While
software can be updated and systems patched, employee carelessness can only
be mitigated by repeated efforts to train the entire organization on sound
security practices. This area of risk is so significant that NIST 800-171
devotes an entire family of controls (3.2) to “Awareness and Training” of
system users. Counsel to defense contractors should, at minimum, become
conversant in the most common types of attacks targeting employees,
including phishing, malware, and social engineering. However, breaches
commonly occur without instigation by a third-party – misplaced or lost
laptops and phones are a risk area that must be addressed through employee
training and hardware policies. In addition, counsel should work closely
with a client’s human resource department to ensure that disgruntled or
departing employees cannot remove covered defense information from the
company’s systems.

While this article highlights select areas of cybersecurity compliance for
defense contractors, the NIST 800-171 standards are far more comprehensive.
In addition to these security controls, attorneys advising defense
contractors should be mindful that the specific agreements between the DOD
and its contractors may provide more specific compliance and certification
obligations (including an obligation for contractors to self-certify their
compliance or seek accommodations for areas where they are not yet
compliant). As with many complex business problems, contractors can benefit
from the perspective and protection of legal counsel and a privileged
deliberation process for their compliance strategies. Both the reality of
today’s data-driven business environment and the DFARS regulatory
requirements mean that defense contractors must be proactive in assessing
and mitigating their cyber risk—parties who are purely reactive in
addressing data issues are only preparing to fail in these critical
obligations.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180626/b45ff06f/attachment.html>