MARCH 7, 2013                        GOVERNMENT CONTRACTS AND CYBERSECURITY CLIENT ALERT

CYBERSECURITY 101: GOVERNMENT CONTRACTORS

This Alert provides only general information and should not be relied upon as legal advice. This Alert
may be considered attorney advertising under court and bar rules in certain jurisdictions. For more
information, contact your Patton Boggs LLP attorney or the authors listed below.

MARY BETH BOSCO
mbbosco@pattonboggs.com

NORMA KRAYEM
nkrayem@pattonboggs.com

If you are a contractor with the federal government, and if you are not already subject to regulations
governing the security of your computer systems, you soon will be. On February 12, 2013, President Obama
issued an Executive Order titled “Improving Critical Infrastructure Cybersecurity.” Section 8(e) of the
Order gives DoD, GSA, and the Federal Acquisition Regulatory Council 120 days to make recommendations on
the “feasibility, security benefits, and relative merits of incorporating security standards into
acquisition planning and contract administration.” The recommendations must also address steps to
harmonize existing procurement regulations related to cybersecurity.

In order to assist in understanding how the actions outlined in the Executive Order could impact
companies doing business with the federal government, this Client Alert summarizes the major cyber
regulations already focusing on government contractors. It covers the existing GSA regulations, the
proposed amendments to the Federal Acquisition Regulation (“FAR”) and the Defense FAR Supplement
(“DFARS”), and the 2013 National Defense Authorization Act (“NDAA”) provisions. In addition to
establishing minimum standards for cyber protection, these provisions offer opportunities for companies
either to obtain procurement advantages or to sell their products and services to the government.

GSA’S CYBERSECURITY REQUIREMENTS

GSA released its cyber regulations in January 2012. They apply to GSA contracts for IT supplies, services
or systems which involve physical or electronic access to non-classified government information
supporting GSA’s mission. The basic requirements are:

     •    IT Security Plan: Covered contractors must submit an IT security plan to their contracting
          officers within 30 days of contract award. The plan must include a continuous monitoring
          program to detect cyber intrusions.

     •    Security Authorization: Within six months of award, contractors must submit either a
          self-certification to, or a third-party validation of, compliance with the National Institute
          of Standards and Testing (“NIST”) Special Publication 800-37.

     •    Notice and Access: GSA contractors must notify GSA each time an employee with access to GSA
          information leaves or is hired. GSA is also entitled to access to contractor and subcontractor
          personnel for the purpose of inspection, investigation or audit relating to cybersecurity
          regulation.

PattonBoggs.com                                                                           Cybersecurity 101: Government Contractors   1

DOD PROPOSED REGULATIONS

DoD proposed cyber regulations in 2011. Its most recent regulatory agenda projects the regulations to be finalized
this year. The regulations cover non-public, non-classified DoD information resident on or transiting through a
contractor’s systems. The proposed rules divide covered information into two subsets, basic and enhanced
information, with different protections applied to each.

     •    Basic Information: This is non-public information (i.e., information not releasable under the Freedom of
          Information Act) used or generated in support of a DOD activity. Absent DOD’s determination that
          information is releasable, and with certain exceptions for audits and investigations, the proposed rules
          preclude contractors from releasing basic level information outside of their organizations or to employees or
          subcontractors who do not have a right to know the information.

          In addition to this release restriction, the proposed rules identify specific, minimum protections for even
          “basic” information. These are:

                  o   Contractors cannot process government information on publicly-accessible computers or on
                      company computers that do not have access control.

                  o   Contractors’ electronic transmission systems must provide “the best level of security and privacy
                      available, given facilities, conditions, and environment.”

                  o   Voice data may only be transmitted when the user has reasonable assurance that access is limited
                      only to authorized recipients.

                  o   When information is not being accessed, it must be protected by at least one physical barrier (e.g.,
                      lock or password).

                  o   Contractors must have procedures to clear information from devices before they are released or
                      discarded.

                  o   Contractors must have minimum intrusion protections, including regularly updated malware and
                      prompt application of security-related patches and upgrades.

     •    Enhanced Information: The second category of covered information is “enhanced” information, which
          includes information designated by DOD as critical, information subject to the export control laws,
          information subject to DOD-specific FOIA directives, information designated as controlled information
          (such as “Official Use Only”), personal identification information, and certain technical information. To
          meet the enhanced protection requirements, a contractor’s security program will need to comply with the
          specific standards set forth in NIST Special Publication 800-53. Importantly, DOD’s proposal mandates
          reporting of cyber incidents affecting enhanced DOD information within 72 hours of discovery.

PROPOSED FAR REGULATIONS

A cyber amendment is also slated for the FAR. Once final, the new FAR clause will apply to contracts
exceeding the simplified acquisition threshold ($150,000), including commercial acquisitions. The clause
must be flowed down to subcontracts at any tier. The new clause, which will be in FAR Part 52.204,
identifies seven basic safeguards for contractor information systems through which nonpublic information
generated by or for the government either resides or transits. The basic safeguards identified in the
proposed FAR amendment are similar to the ones governing DOD “basic” information:

     •    Government information may not be processed on computers without access control or located in
          public areas. Similarly, government information cannot be posted on a public website. If posted to a
          web site, the site must control access either through user identification or password, user certificate
          or other technical means, and must provide protection via use of security technologies.

     •    Electronic information may be transmitted only on systems that utilize technologies and processes
          that provide the best level of security and privacy available, given facilities, conditions and threat
          level.

     •    Transmission by voice or fax may only occur when the sender has a reasonable assurance that
          access is limited to authorized recipients.

     •    Systems must be protected by at least one level of physical barrier and one level of electronic
          barrier, such as lock and key in conjunction with a password, when not in the direct control of
          the individual user.

     •    Media that is being released or discarded must be cleared and sanitized.

     •    The contractor must provide at least the following means of intrusion protection: Current and
          regularly updated malware protection, such as anti-virus software and anti-spyware software; and
          prompt application of security-related upgrades and patches.

     •    Information may only be transferred to those subcontractors with a contractual need to have the
          information and who employ the safeguards described in the clause.

These proposed requirements will require covered contractors to review not just their hardware and
software systems, but their facilities, employee practices, record-keeping systems, and subcontract
relationships in order to ensure compliance.

THE NATIONAL DEFENSE AUTHORIZATION ACT

The 2013 NDAA instructs the Secretary of Defense to establish procedures requiring certain government
contractors to report to DoD when one of their networks or information systems is “successfully
penetrated.” Contractors covered by this provision are those holding security clearances. The procedures
are due within 90 days of the NDAA’s enactment, which was January 2, 2013.

The NDAA requires the reports to include: (1) a description of the technique or method used in the system
penetration; (2) if discovered and isolated, a sample of the malicious software; and (3) a summary of
information that was potentially compromised by the penetration. While contractors handling classified
information already are required to report unauthorized access to classified information, the NDAA’s new
reporting regime covers a broader spectrum of incursion as it presumably will cover external penetration of
any of a cleared contractor’s computer systems. Under the new procedures, DoD will be able to obtain
access to the contractor’s equipment or information for the purposes of conducting a forensic analysis,
subject to appropriate protections for trade secrets, other confidential business information, and personal
identification information.

In addition to establishing mandatory reporting of cyber incursions by cleared contractors, the 2013 NDAA
contains opportunities for companies providing software, systems, and system engineering to DoD. For
example, Section 932 requires DoD to develop a strategy to acquire open-architecture, next-generation,
host-based cybersecurity tools and equipment in time for inclusion in the FY 2015 budget. Similarly, the
agency is to develop a baseline software assurance policy for all major software systems, and it must prepare
an analysis of available large-scale software database or data analysis tools and determine whether to acquire
such tools from the private sector.

CONCLUSION

This year will bring significant Congressional and executive branch cybersecurity activity. For government
contractors, the proposed FAR and DFARS regulations provide a roadmap to prepare for the requirements
that are certain to come. There will also be business opportunities. President Obama’s Executive Order
envisions procurement preferences for companies with robust cybersecurity policies and procedures in
place. The NDAA signals new DoD system standards that will require the supply of innovative software
and hardware solutions to the agency.

For additional information, please contact:

Mary Beth Bosco                                            Norma Krayem
mbbosco@pattonboggs.com                                    nkrayem@pattonboggs.com
202.457.6420                                               202.457.5206

Protecting Patient Information - Feds Find Security Lapses in State and Local...
 
American University International Law Review Annual Symposium: Managing the G...
American University International Law Review Annual Symposium: Managing the G...American University International Law Review Annual Symposium: Managing the G...
American University International Law Review Annual Symposium: Managing the G...
 
Reinsurance Newsletter - March 2014
Reinsurance Newsletter - March 2014Reinsurance Newsletter - March 2014
Reinsurance Newsletter - March 2014
 
Social Impact Bonds
Social Impact BondsSocial Impact Bonds
Social Impact Bonds
 
Supreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent Cases
Supreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent CasesSupreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent Cases
Supreme Court Agrees to Hear Two Cases on Attorneys' Fees in Patent Cases
 
FTC Announces Study of "Patent Assertion Entities"
FTC Announces Study of "Patent Assertion Entities"FTC Announces Study of "Patent Assertion Entities"
FTC Announces Study of "Patent Assertion Entities"
 
ALJ Ruling on Heart Attack Reporting Requirements Creates Split of Authority
ALJ Ruling on Heart Attack Reporting Requirements Creates Split of AuthorityALJ Ruling on Heart Attack Reporting Requirements Creates Split of Authority
ALJ Ruling on Heart Attack Reporting Requirements Creates Split of Authority
 
New TCPA Requirements for "Prior Express Written Consent" Effective October 16
New TCPA Requirements for "Prior Express Written Consent" Effective October 16New TCPA Requirements for "Prior Express Written Consent" Effective October 16
New TCPA Requirements for "Prior Express Written Consent" Effective October 16
 
Reinsurance Newsletter ~ September 2013
Reinsurance Newsletter ~ September 2013Reinsurance Newsletter ~ September 2013
Reinsurance Newsletter ~ September 2013
 
The U.S. Chemical Safety Board to OSHA: Get to Work on Combustible Dust
The U.S. Chemical Safety Board to OSHA: Get to Work on Combustible DustThe U.S. Chemical Safety Board to OSHA: Get to Work on Combustible Dust
The U.S. Chemical Safety Board to OSHA: Get to Work on Combustible Dust
 
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...The Transatlantic Trade and Investment Partnership: The Intersection of the I...
The Transatlantic Trade and Investment Partnership: The Intersection of the I...
 
Capital Thinking ~ July 29, 2013
Capital Thinking ~ July 29, 2013Capital Thinking ~ July 29, 2013
Capital Thinking ~ July 29, 2013
 
Capital Thinking ~ July 22, 2013
Capital Thinking ~ July 22, 2013Capital Thinking ~ July 22, 2013
Capital Thinking ~ July 22, 2013
 
CFTC Cross-Border Guidance Frequently Asked Questions
CFTC Cross-Border Guidance Frequently Asked QuestionsCFTC Cross-Border Guidance Frequently Asked Questions
CFTC Cross-Border Guidance Frequently Asked Questions
 
Australia Elects a New Federal Government
Australia Elects a New Federal GovernmentAustralia Elects a New Federal Government
Australia Elects a New Federal Government
 
"Advance Australia Fair" - The Australian Federal Election 2013
"Advance Australia Fair" - The Australian Federal Election 2013"Advance Australia Fair" - The Australian Federal Election 2013
"Advance Australia Fair" - The Australian Federal Election 2013
 
U.S. Securities and Exchange Commission Proposes New Rule on Pay Disclosure
U.S. Securities and Exchange Commission Proposes New Rule on Pay DisclosureU.S. Securities and Exchange Commission Proposes New Rule on Pay Disclosure
U.S. Securities and Exchange Commission Proposes New Rule on Pay Disclosure
 

Cybersecurity 101: Government Contracts

MARCH 7, 2013 GOVERNMENT CONTRACTS AND CYBERSECURITY CLIENT ALERT

CYBERSECURITY 101: GOVERNMENT CONTRACTORS

This Alert provides only general information and should not be relied upon as legal advice. This Alert may be considered attorney advertising under court and bar rules in certain jurisdictions.

For more information, contact your Patton Boggs LLP attorney or the authors listed below.

MARY BETH BOSCO
mbbosco@pattonboggs.com

NORMA KRAYEM
nkrayem@pattonboggs.com

If you are a contractor with the federal government, and if you are not already subject to regulations governing the security of your computer systems, you soon will be. On February 12, 2013, President Obama issued an Executive Order titled “Improving Critical Infrastructure Cybersecurity.” Section 8(e) of the Order gives DoD, GSA, and the Federal Acquisition Regulatory Council 120 days to make recommendations on the “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” The recommendations must also address steps to harmonize existing procurement regulations related to cybersecurity.

In order to assist in understanding how the actions outlined in the Executive Order could impact companies doing business with the federal government, this Client Alert summarizes the major cyber regulations already focusing on government contractors. It covers the existing GSA regulations, the proposed amendments to the Federal Acquisition Regulation (“FAR”) and the Defense FAR Supplement (“DFARS”), and the 2013 National Defense Authorization Act (“NDAA”) provisions. In addition to establishing minimum standards for cyber protection, these provisions offer opportunities for companies either to obtain procurement advantages or sell their products and services to the government.

GSA’S CYBERSECURITY REQUIREMENTS

GSA released its cyber regulations in January 2012. They apply to GSA contracts for IT supplies, services or systems which involve physical or electronic access to non-classified government information supporting GSA’s mission. The basic requirements are:

• IT Security Plan: Covered contractors must submit an IT security plan to their contracting officers within 30 days of contract award. The plan must include a continuous monitoring program to detect cyber intrusions.

• Security Authorization: Within six months of award, contractors must submit either a self-certification to, or a third-party validation of, compliance with the National Institute of Standards and Testing (“NIST”) Special Publication 800-37.

• Notice and Access: GSA contractors must notify GSA each time an employee with access to GSA information leaves or is hired. GSA is also entitled to access to contractor and subcontractor personnel for the purpose of inspection, investigation or audit relating to cybersecurity regulation.

DOD PROPOSED REGULATIONS

DoD proposed cyber regulations in 2011. Its most recent regulatory agenda projects the regulations to be finalized this year. The regulations cover non-public, non-classified DoD information resident on or transitioning through a contractor’s systems. The proposed rules divide covered information into two subsets, basic and enhanced information, with different protections applied to each.

• Basic Information: This is non-public information (i.e., information not releasable under the Freedom of Information Act) used or generated in support of a DOD activity. Absent DOD’s determination that information is releasable, and with certain exceptions for audits and investigations, the proposed rules preclude contractors from releasing basic level information outside of their organizations or to employees or subcontractors who do not have a right to know the information. In addition to this release restriction, the proposed rules identify specific, minimum protections for even “basic” information. These are:

  o Contractors cannot process government information on publicly-accessible computers or on company computers that do not have access control.

  o Contractors’ electronic transmission systems must provide “the best level of security and privacy available, given facilities, conditions, and environment.”

  o Voice data may only be transmitted when the user has reasonable assurance that access is limited only to authorized recipients.

  o When information is not being accessed, it must be protected by at least one physical barrier (e.g., lock or password).

  o Contractors must have procedures to clear information from devices before they are released or discarded.

  o Contractors must have minimum intrusion protections, including regularly updated malware protection and prompt application of security-related patches and upgrades.

• Enhanced Information: The second category of covered information is “enhanced” information, which includes information designated by DOD as critical, information subject to the export control laws, information subject to DOD-specific FOIA directives, information designated as controlled information (such as “Official Use Only”), personal identification information, and certain technical information. To meet the enhanced protection requirements, a contractor’s security program will need to comply with the specific standards set forth in NIST Special Publication 800-53. Importantly, DOD’s proposal mandates reporting of cyber incidents affecting enhanced DOD information within 72 hours of discovery.

PROPOSED FAR REGULATIONS

A cyber amendment is also slated for the FAR. Once final, the new FAR clause will apply to contracts exceeding the simplified acquisition threshold ($150,000), including commercial acquisitions. The clause must be flowed down to subcontracts at any tier. The new clause, which will be in FAR Part 52.204, identifies seven basic safeguards for contractor information systems through which nonpublic information generated by or for the government either resides or transits. The basic safeguards identified in the proposed FAR amendment are similar to the ones governing DOD “basic” information:

• Government information may not be processed on computers without access control or located in public areas. Similarly, government information cannot be posted on a public website. If posted to a web site, the site must control access either through user identification or password, user certificate or other technical means, and must provide protection via use of security technologies.

• Electronic information may be transmitted only on systems that utilize technologies and processes that provide the best level of security and privacy available, given facilities, conditions and threat level.

• Transmission by voice or fax may only occur when the sender has a reasonable assurance that access is limited to authorized recipients.

• Systems must be protected by at least one level of physical barrier and one level of electronic barrier, such as lock and key in conjunction with a password, when not in the direct control of the individual user.

• Media that is being released or discarded must be cleared and sanitized.

• The contractor must provide at least the following means of intrusion protection: current and regularly updated malware protection, such as anti-virus software and anti-spyware software; and prompt application of security-related upgrades and patches.

• Information may only be transferred to those subcontractors with a contractual need to have the information and who employ the safeguards described in the clause.

These proposed requirements will require covered contractors to review not just their hardware and software systems, but their facilities, employee practices, record-keeping systems, and subcontract relationships in order to ensure compliance.

THE NATIONAL DEFENSE AUTHORIZATION ACT

The 2013 NDAA instructs the Secretary of Defense to establish procedures requiring certain government contractors to report to DoD when one of their networks or information systems is “successfully penetrated.” Contractors covered by this provision are those holding security clearances. The procedures are due within 90 days of the NDAA’s enactment, which was January 2, 2013. The NDAA requires the reports to include: (1) a description of the technique or method used in the system penetration; (2) if discovered and isolated, a sample of the malicious software; and (3) a summary of information that was potentially compromised by the penetration.

While contractors handling classified information already are required to report unauthorized access to classified information, the NDAA’s new reporting regime covers a broader spectrum of incursion, as it presumably will cover external penetration of any of a cleared contractor’s computer systems. Under the new procedures, DoD will be able to obtain access to the contractor’s equipment or information for the purposes of conducting a forensic analysis, subject to appropriate protections for trade secrets, other confidential business information, and personal identification information.

In addition to establishing mandatory reporting of cyber incursions by cleared contractors, the 2013 NDAA contains opportunities for companies providing software, systems, and system engineering to DoD. For example, Section 932 requires DoD to develop a strategy to acquire open-architecture, next-generation, host-based cybersecurity tools and equipment in time for inclusion in the FY 2015 budget. Similarly, the agency is to develop a baseline software assurance policy for all major software systems, and it must prepare an analysis of available large-scale software database or data analysis tools and determine whether to acquire such tools from the private sector.

CONCLUSION

This year will bring significant Congressional and executive branch cybersecurity activity. For government contractors, the proposed FAR and DFARS regulations provide a roadmap to prepare for the requirements that are certain to come. There will also be business opportunities. President Obama’s Executive Order envisions procurement preferences for companies with robust cybersecurity policies and procedures in place. The NDAA signals new DoD system standards that will require the supply of innovative software and hardware solutions to the agency.

For additional information, please contact:

Mary Beth Bosco
Mbbosco@pattonboggs.com
202.457.6420

Norma Krayem
nkrayem@pattonboggs.com
202.457.5206

PattonBoggs.com