What Contractors Now Face in the Federal Cybersecurity Landscape
Virginia Lawyers Weekly Roundtable on Cybersecurity, August 30, 2016
Final FAR Rule on Basic Safeguarding of Contractor Information Systems
DOD and GSA announced on May 16, 2016 the text of a final rule on cybersecurity acquisition requirements for federal contractors to assure "basic safeguarding" of contractor information systems that process, store, or transmit federal contract information.
Read more: New cybersecurity requirements for government contractors.
Virginia Lawyers Weekly held a roundtable on Aug. 30 on cybersecurity, sponsored by the Fairfax law firm of Berenzweig Leonard. Participants included a lawyer, a risk assessment manager, an insurance specialist, a cybersecurity strategist and a public relations professional. The discussion covered, among other topics, preparations and precautions to take in advance of a security breach and steps to take should a breach actually happen.
Read more: A written excerpt from the 70-minute session.
Federal Acquisition Regulation; Basic Safeguarding of Contractor Information Systems
A Rule by the Defense Department, the General Services Administration, and the National Aeronautics and Space Administration on 05/16/2016
Cybersecurity National Action Plan (CNAP)
On February 9, 2016, President Obama directed his Administration to implement a Cybersecurity National Action Plan (CNAP) that "takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security."
Read the rule.
Read the Fact Sheet.
Cybersecurity Concerns Fuel New Conflicts in Government Acquisition
Federal Publications Seminars recently held a course entitled, "Cybersecurity in Government Contracting: Regulations, Implications and Compliance." During the course, instructor David Bodenheimer of Crowell & Moring underscored that an increase in spending by the U.S. government on cybersecurity will mean more oversight and legal conflicts for government contractors.
The Cybersecurity Threat
The U.S. government is the "largest producer, collector, consumer, and disseminator of data in the world" and government contractors are entrusted with this private, sensitive data, making them attractive targets. Laws, regulations and standards have been issued requiring contractors to take broad security measures to safeguard data.
Read More: Cybersecurity Is A Severe And Growing Challenge For Government Contractors, by Eli Sugarman, Contributor to Forbes.
New Legal Requirements
On February 12, 2013 President Obama issued an executive order: Improving Critical Infrastructure Cybersecurity. This resulted in a "cybersecurity framework" issued by the National Institute of Standards and Technology (NIST).
Read the Executive Order
Read the "Cybersecurity Framework" issued by NIST on February 12, 2014
What New Legal Requirements Mean for Government Contractors
"Federal contractors trying to report a hack on their computer systems struggle with a maze of piecemeal regulations, contracting experts say. And clarifying that ambiguity could be a difficult long-term project because there is likely no one bill or executive action that would do the trick."
The federal information and communications technology (ICT) supply chain is a “complex, globally distributed, and interconnected ecosystem... composed of public and private sector entities (e.g., acquirers, system integrators, suppliers, and external service providers) and technology, law, policy, procedures, and practices that interact to design, manufacture, distribute, deploy, and use ICT products and services.”1 The ICT supply chain is vulnerable in numerous areas. In April, 2014, NIST released a publication entitled
Supply Chain Risk Management Practices for Federal Information Systems and Organizations
A guide for federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations.
1 - NIST Special Publication 800-161, April, 2015, authored by Jon Boyens, Celia Paulsen, Rama Moorthy, and Nadya Bartol
"Absence of regular risk assessments is frequently cited by regulators as a factor in bringing data security enforcement actions," says Gavin Skok of Riddell Williams P.S. He suggests six proactive steps you can take with your clients to reduce risk.
Read More: Six Steps to Reduce Cyber-Risk, by Gavin Skok, published in Today's General Counsel, April/May 2015 issue
Begin With the End in Mind: Protecting the Company Against Malicious Insiders
"Treat those that will have the company's confidential or personal information ... as a potential threat, and then take the extra precautions necessary to ensure the safety of all," says Lisa J. Berry-Tayman, Senior Privacy and Information Government Advisor at IDT911 Consulting.
Read more: Protecting the Company Against Malicious Insiders, by Lisa J. Berry-Tayman, published in Today's General Counsel, April/May 2015 issue
Opportunities for Government Contractors
"President Obama's call during his 2015 State of the Union speech to stiffen America's digital defenses could help bolster the bottom lines of top defense and aerospace contractors facing cutbacks in Pentagon spending."