What the New Cybersecurity Standards Mean for Federal Contractors

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://mashable.com/2014/02/13/obama-new-cyber-standards/

The White House on Wednesday issued voluntary cyber standards aimed at
defending key private networks essential to U.S. society - but it could be
years before the benefits are noticeable.

While optional for industry, it is expected that the guidelines -- which
encourage reporting data breaches to the government -- will be required for
federal contractors.

Government suppliers say they felt involved in the development of the
standards and are satisfied that their flexibility will not be burdensome.
That same flexibility has given some security observers pause, however,
over concerns that "critical infrastructure" industries, like the energy
and medial sectors that sustain daily living, will remain vulnerable.

With Wednesday's release, the Commerce Department met a one-year deadline
set by President Obama in a Feb. 12, 2013 executive order to develop a
pick-and-choose menu of controls understandable to everyone from
technicians to corporate boardroom members, who ultimately will determine
the rubric's viability in industry. The private sector operates most
critical infrastructure.

"Today I was pleased to receive the cybersecurity framework, which reflects
the good work of hundreds of companies, multiple federal agencies, and
contributors from around the world," Obama said in a statement. "This
voluntary framework is a great example of how the private sector and
government can, and should, work together to meet this shared challenge."

To prod uptake, federal officials last month published plans to make
contract awards contingent on compliance with many of the standards.

Reporting data compromises to authorities essentially will become
compulsory for contractors governmentwide, according to trade groups
briefed by Obama administration officials. Today, reporting typically is
only mandated for breaches of classified information or Pentagon technical
data, computer software, and other so-called unclassified controlled
technical information.

In a call with reporters on Wednesday, senior Obama administration
officials said most vendors do not know who to call within the federal
organizational chart when there is an incident. Officials said they will
work with contractors to help route them to the appropriate agency for each
stage of an incident. For example, they might work with the Homeland
Security Department to contain an infection and connect with the FBI or
Secret Service for criminal investigations.

Within the next two to three years, suppliers that often don't even know
they've had a breach, will be contractually bound to tell the government,
said Alan Chvotkin, executive vice president for the Professional Services
Council, a trade group representing government vendors.

"There's no classified information for contractors supporting the
Department of Housing and Urban Development, there's comparably very little
controlled technical information," he said. "You're now imposing a
requirement governmentwide that has today only been imposed on a subset of
all government contractors."

There could be some compliance issues and extra costs involved for the
suppliers, Chvotkin said.

Where it gets complicated is "assessing the extent of the damage, whether
the government can come in and seize equipment and your network while they
are doing their forensic reviews," he said.

"What is the company's liability to others because of that breach? Those
become the bigger barriers, not the mere reporting," he said. "If you do
make a report, here are the secondary and tertiary impacts of doing so, and
that's where companies take some time to evaluate before they make a
report."

In general, the contracting industry seems comfortable with the regime of
standards.

The format lets each organization choose a regimen of best practices for
handling hackers, from identifying potential vulnerabilities through
recovering from a successful intrusion. The best practices are drawn from
compendiums of federal and industry standards.

"It talks about a range of options. It's not a single item. It doesn't say
always do A, B, C and D," Chvotkin said.

"We like regulations that allow tailoring based on the size of the company,
the nature of the risk, and the market that they are in," he said. " It's
not about what industry you're in. It's not about whether you're a
government contractor or not. It's, What is the nature of the business
you're in, your risk assessment of the threat of cybersecurity?"

The February 2013 executive order defined "critical infrastructure" as
assets "so vital to the United States that the incapacity or destruction of
such systems and assets would have a debilitating impact on security,
national economic security, national public health or safety."

Officials with the Internet Security Alliance, a group representing
critical infrastructure companies, said in a statement earlier this week
that the new rubric will leave those industries vulnerable. "Sophisticated
attackers, including nation-states and nation-state affiliated sources, and
increasingly criminal organizations, will not be substantially deterred by
the basic the standards and practices," officials said. They cited a 2012
Ponemon Institute-Bloomberg study that found companies would need to spend
almost nine times more on network defense to prevent a catastrophic
cyberattack on the scale of Pearl Harbor.

Government coffers are trying to help, but cyber budget increases have not
scaled up by that magnitude either. A fiscal 2014 spending bill enacted in
January included $447 million for the Pentagon's Cyber Command -- a two-fold
increase over the component's fiscal 2013 budget of $191 million. The
legislation provided $792 million for cybersecurity at the Homeland
Security Department, an uptick of $35.5 million over last year.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!