BreachExchange mailing list archives

Breaching Bad: New Cyber Security Regs for Defense Contractors


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 3 Sep 2014 19:09:57 -0600

http://www.jdsupra.com/legalnews/breaching-bad-new-cyber-security-regs-f-71737/

Defense contractors with access to classified information will soon be
required to quickly notify Defense Department (DOD) officials if the
company’s computer network or information system is successfully penetrated
in a cyber-attack. Those contractors will also be obligated to provide the
Pentagon with access to their breached computer systems for investigation
purposes, and also hand over any forensic analysis the company undertook
following the cyber-attack.

Section 941 of the National Defense Authorization Act for Fiscal Year 2013
directs the Secretary of Defense to establish such reporting procedures.[1]
A draft is expected to be released in September, which may include a public
notice and comment period.[2] Just how the DOD will implement the new
“rapid reporting” and other requirements, and how several key items will be
defined, remains to be seen.

Defense Contractors to Whom Section 941 Applies

The rapid reporting requirements will apply to “cleared defense
contractors,” which are those private companies that have been granted
clearance by the DOD to access, receive or store classified information for
the purpose of bidding for a contract or conducting activities in support
of any DOD program.[3] It will apply to “covered networks,” meaning the
network or information system of a cleared defense contractor that contains
or processes information created by or for the DOD with respect to which
such contractor is required to apply enhanced protection.[4]

What Section 941 Will Require

Rapid Reporting

Each cleared defense contractor will need to “rapidly report” to a
designated Pentagon official “each successful penetration” of the covered
network or information systems of such contractor. The report shall include
a description of the technique or method used in such penetration; a sample
of the malicious software, if discovered and isolated by the contractor,
involved in the penetration; and a summary of the information created by or
for the DOD that may have been compromised.[5]

Access for Pentagon Personnel to Compromised Systems and Information

In addition to the rapid reporting requirement, the procedures will
provide mechanisms for DOD personnel to gain access to hacked equipment and
information for a forensic analysis of the penetration, as well as any
analysis already conducted by the contractor.[6] The DOD’s access to the
contractor’s computers is to be limited to determining what, if any, DOD
information was actually taken (or in cyber parlance, “exfiltrated”).
Section 941 calls for the reasonable protection of trade secrets,
commercial or financial information, and information that can be used to
identify a specific person.[7] Non-DOD information derived through these
procedures is prohibited from being disclosed outside the DOD, unless the
contractor otherwise approves.[8]

Open Questions about Section 941

As with many regulations, the angels will be in the details. Section 941
did not specify several key items, such as how rapidly the contractor must
report the breach to the DOD.[9] Also yet to be determined is how a
“penetration” will be defined (and thus trigger the reporting requirement,
etc.) and whether the incident will be required to be publicly disclosed
or, conversely, whether it will be required not to be publicly disclosed
for national security reasons (a particular concern to defense contractors
which are public companies and may be subject to SEC disclosure
guidelines/requirements). Also left open is whether a penetrating
cyber-attack on a network or information system containing only
unclassified information will be considered a reportable event.

Similarly unclear is the extent of access to networks/information systems
the contractor must provide the DOD to allow a forensic analysis of the
penetration and data breach. Whether that means the government will be
allowed to access contractor business data or personal information of
contractor employees or for how long the government will be given access
(including taking physical possession of contractor computers and other
network hardware) is yet to be determined. How these situations are handled
could mean the difference between a contractor being able to continue
operating or having to close its doors, either temporarily or permanently.

Section 941: Part of a Broader Defense/Intelligence Cyber Security
Regulatory Scheme

The new reporting mandates in Section 941 are intended to be compatible
with other cyber protections and reporting requirements being developed by
the DOD and intelligence agencies for a broader range of contractors.

Protection of Unclassified DOD Controlled Technical Information

Late last year, the DOD issued a final rule amending the Defense Federal
Acquisition Regulations (DFARS) to add a new provision for safeguarding
unclassified controlled technical information.[10] It requires contractors
with unclassified “controlled technical information” resident on or passing
through their information systems to use a minimum set of cyber security
controls to protect the information. In addition, as with Section 941,
contractors bound by DFARS are required to notify the DOD of successful
cyber-attacks on information systems on which the unclassified controlled
technical information is located. Notably, these new requirements also
apply to subcontractors and vendors.

New Intelligence Contractor Cyber Security Reporting Requirements

On July 7, 2014, the President signed into law the Intelligence
Authorization Act for Fiscal Year 2014 (Pub. L. 113-126). Section 325 of
this statute is similar to the DOD’s Section 941, but applies to cleared
intelligence contractors (those with security clearances). They, like their
defense contractor counterparts, will be required to rapidly report and
provide government investigators access following successful cyber-attacks
on their systems. The Director of National Intelligence will be responsible
for establishing the procedures to be followed by the affected intelligence
contractors.

Conclusion

Companies that work with the U.S. government, and particularly defense
contractors, have been prime targets for cyber-attacks for many years.
Significant resource allocation for cyber security is simply part of the
cost of doing business with the government.

Government is reacting to the cyber threat, in part, by doing what it does
– passing new laws and enacting new regulations. Consequently, the cost of
doing government business going forward will mean devoting more resources
to tracking and complying with an expanding scheme of cyber security
regulations.

The government’s attention to cyber security is not diminishing. Thus far
in 2014, nearly every cabinet-level federal agency has issued policy
statements, frameworks, directives, regulations or other guidance
concerning various aspects of cyber security. Maintaining regulatory
compliance will be an essential part of getting and keeping contracts, both
in the public and private sectors.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/