Posts Tagged ‘EO 13636’

DOD & GSA Issue Final Report on Improving Cybersecurity & Resilience through Acquisition

On January 23, 2014, the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) submitted its eagerly anticipated final report on integrating cybersecurity requirements into all federal procurements. This report, which satisfies Executive Order (EO) 13636 and Presidential Policy Directive (PPD) 21, includes recommendations on the increased use of cybersecurity standards in all federal acquisition activities, including strategic planning, capabilities needs assessment, systems acquisitions, and program and budget development. 

The final report is perhaps most notable as another step toward an era where most every government contractor must satisfy baseline cybersecurity requirements. While the final report does not provide explicit guidance on the details of creating such a new procurement environment, in light of recent, imminent and forthcoming government activity, including the final rule imposing cybersecurity and reporting obligations on DoD contractors (issued November 18, 2013 and summarized here), the upcoming final cybersecurity framework of the National Institute of Standards and Technology (NIST) (to be released in mid-February), and the forthcoming final rule governing the safeguarding of government contractor information systems (likely finalized next year), we view this final report as a bellwether. Government contractors who ignore the final report and the course it has set do so at their own peril.

Cybersecurity issues will increasingly affect agency standard setting, coverage issues and incentives, government audits and investigations, security breach litigation, and other business drivers. Government contractors and other companies that handle government information or supply components that could be compromised electronically must begin, to the extent they have not already done so, to think both strategically and pragmatically about developing an integrated approach to these cybersecurity issues.

Background

On February 12, 2013, President Obama issued EO 13636 – Improving Critical Infrastructure Cybersecurity. Section 8(e) mandated that the Working Group, in consultation with the Department of Homeland Security (DHS) and the Federal Acquisition Regulatory (FAR) Council, “make recommendations to the President . . . on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” Section 8(e) also directed the Working Group to “address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”

On May 13, 2013, the Working Group published a request for information (RFI), inviting public comment on the appropriate cybersecurity measures and parameters for federal procurements (summarized here). The Working Group also consulted with representatives from the DoD, GSA, DHS, FAR Council, the Office of Federal Procurement Policy, NIST, and others before issuing the final report.

Working Group Recommendations

The final report makes six recommendations, including that the federal government and/or contractors, as appropriate, should:

(1) institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;

(2) address cybersecurity in relevant training;

(3) develop common cybersecurity definitions for federal acquisitions;

(4) institute a federal acquisition cyber risk management strategy;

(5) include a requirement to purchase from original equipment or component manufacturers (OEM), their authorized resellers, or other trusted sources, when available, for appropriate acquisitions; and

(6) increase government accountability for cyber risk management.

For contractors, the most helpful recommendations ask the government to clarify, with more specificity, the standards to which contractors will be held accountable. For example, the first recommendation correctly observes that, “[o]ften, cybersecurity requirements are expressed in terms of compliance with broadly stated standards and are included in a section of the contract that is not part of the technical description of the product or service the government seeks to acquire.” This, the report concedes, “leaves too much ambiguity as to which cybersecurity measures are actually required in the delivered item.” Accordingly, the report recommends expressing baseline cybersecurity requirements as part of the acquisition’s technical requirements and including performance measures to ensure the baseline is maintained and risks are identified. The final report also recommends common cybersecurity definitions, which, if adopted, would go a long way toward reducing anxiety about contractors’ and the government’s current and near-future cybersecurity obligations.

Though the recommendations are instructive, the final report does not actually mandate specific baseline requirements or propose common cybersecurity definitions. Nor does it propose a cyber risk management strategy or otherwise attempt to identify the acquisitions in which baseline requirements or OEM limitations are “appropriate.” Instead, the final report “intends” that others will harmonize these recommendations with ongoing rulemakings, cybersecurity standards, and statutory frameworks. In short: stay tuned.

Takeaways

First and foremost, change is coming. Although the final report recommendations are directed more toward government program managers and acquisition decision makers than industry, the harmonization of such recommendations with recent and forthcoming regulations, mandatory contract provisions, and other statutory requirements and protections will affect the industry directly and significantly.

Other critical points for government contractors to consider as the final report’s recommendations are implemented include:

  • What cybersecurity terms will be defined, and what will those definitions look like? Considering that the definitions will be used government-wide, it is imperative that contractors provide feedback, lest a definition be issued that is contrary to their interests, much less one that defies common sense;
  • What topics will be covered in the cyber education program for the procurement work force? If procurement officials are not properly educated on a variety of threats, then they may fail to incorporate standards and requirements that are necessary for information protection;
  • How will the federal risk management strategy be developed, and will it be flexible enough to account for the rapidly evolving threat environment?
  • Are contractors prepared to fight back against cybersecurity requirements in federal acquisition programs that are being used to exclude otherwise acceptable vendors and technologies? and
  • How deep will these requirements reach into federal contractors’ business? In other words, will the cybersecurity obligations be limited just to public-contracting programs, or will they effectively become company-wide requirements regardless of the buyer?

The final report is a clear signal that mandatory baseline standards, training protocols, and other risk-based requirements are on the horizon. Those standards will likely be based on the NIST framework or, in specialized areas, even stricter protocols. Government contractors and other companies that handle government information must implement an integrated strategy that mitigates the risks associated with these cybersecurity issues, and where viable, the opportunities that these changes might create.

By Contributing Authors: Brian Finch, Justin Chiarodo, and Daniel Broderick from GTSC Strategic Partner Dickstein Shapiro

Brian Finch

Brian Finch, a partner in Dickstein Shapiro’s Washington, DC office, is head of the firm’s Global Security Practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, Brian is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense, and other federal agencies. Dickstein Shapiro is a Strategic Partner of the Government Technology & Services Coalition. You can reach Brian at [email protected] or (202) 420-4823.

Justin Chiarodo

Justin Chiarodo represents clients in all aspects of federal, state, and local procurement law. Named by Law360 in 2013 as a “Rising Star” in Government Contracts, Justin has extensive experience in government contracts litigation, compliance, and regulatory matters, with particular expertise in the defense, health care, technology, and professional services sectors.

Daniel Broderick

Daniel Broderick is a Washington, DC-based associate in Dickstein Shapiro’s Energy Practice. He focuses on regulatory and project development matters affecting clients in the electricity industry, including electric market design, municipalization, compliance, certification, and power purchase agreements.

Ten Cyber Issues Board and Chief Legal Officers Need to Know (and Worry) About

Boards of Directors have several fiduciary duties to uphold. Meeting such duties requires addressing cybersecurity and data loss. While this rapidly evolving area has its own unique challenges, boards, as well as the legal officers who advise them, face the same question about how to address cybersecurity, data loss, and data theft as they do about any other critical issue: are they acting prudently, reasonably, and responsibly? More and more boards are now asking themselves, and the legal counsel who advise them, these questions and placing cybersecurity and data theft risks at a higher level of priority than even physical disasters. The following 10 points highlight areas boards and their legal advisors should consider before their companies are faced with a real-world cyber threat.

1. The stakes to share value and the bottom line are high. Cybersecurity and data theft may sound like abstract concepts, but they have impacts, including financial ones, in the real world. It’s been estimated that the global cost of cyberattacks in 2011 was $388 billion in direct financial loss and the cost of recovering from the attacks. Losses can take the form of stolen intellectual property or trade secrets, data destruction, disruption of critical systems, or even damage to physical assets. They also can include the exposure of customer and employee personal information. Any of these scenarios can result in material losses impacting a company’s reputation, bottom line, and share price.

2. The hackers are two steps ahead of you already. While today’s headlines are focused on standard types of data breaches and hacking activity (viruses, malware, physical break-ins, etc.), the next generation of threats, such as heretofore unforeseen attacks (so-called “zero day attacks”), has yet to make it into the public consciousness, but directors and their advisors have to be aware of them. The constantly mutating tactics cyber criminals employ will pose a serious challenge to any company that uses electronic systems. This means boards and their advisors, including GCs, will need to focus their attention on risk mitigation in this area for decades to come.

3. Cyber and data loss threats pose merger risks. Acquiring companies may be subject to significant losses, and boards may be exposed to shareholder suits, should adequate cybersecurity and other data protection measures not be taken in the context of corporate M&A activity. If a company acquires a target with a malware-infested IT system without appropriate due diligence to avoid that outcome, there is a potential for a wide range of liabilities. Cybersecurity and other data protection methods should be added to the long roster of criteria a board and its legal and business advisors use when evaluating a potential acquisition, and acquisition documents should contemplate and provide for appropriate representations, warranties, and indemnities related to cyber thefts and attacks.

4. Lost or stolen intellectual property or customer or employee information can turn a deal from sweet to sour. Imagine your company acquires a target for hundreds of millions of dollars. Then their systems are hacked and the blueprints for the widget that made the company attractive are stolen. Knockoffs flood the market and the company’s value evaporates. Or imagine your company is about to launch a new software program, but it is swiped from your servers days before launch. Similar issues may arise if sensitive customer or employee data is exposed. Among the many questions that will be asked in the aftermath, by investors, business partners, regulators, and others, is whether or not the board and its legal advisors acted with reasonable care to prevent such incidents.

5. There is a maze of state and federal data protection and data loss notification requirements to navigate. With State Attorneys General and an assortment of federal agencies, including the Federal Trade Commission, having a hand in data protection, breach notification, and disclosure requirements, companies should have plans in place for how to respond in a timely fashion should a breach occur (and, of course, be well-versed on their legal compliance obligations beforehand). The myriad disclosure and notification requirements and cybersecurity obligations will only grow, and enforcement activity is likely only to increase, so it is incumbent on companies and their counsel to stay abreast of these developments.

6. The failure to be fully informed of and proactive against cybersecurity and data loss risks could lead to litigation. Companies, directors, and corporate managers could be exposed to litigation risks and potential liability for compromised data, systems, and infrastructure resulting from a cyberattack or data loss. Such claims could include: third-party claims for breach of contract, breach of warranty, and/or statutory or common law legal requirements under either state or federal law; claims by state and federal regulators for failure to comply with specific data protection and cybersecurity laws (as well as more general unfair and deceptive trade practice-type laws); shareholder claims for breaches of fiduciary duty in failing to take appropriate steps to protect the company’s assets and business from cyber theft or other cyberattacks; and, for publicly traded companies, investor securities law claims and SEC actions for failing to adequately disclose cyber risks.

7. If the breach doesn’t get you, the litigation will. Even in those instances where a company or its directors are successful in defending a claim following a cyberattack or data loss, such litigation is likely to be expensive and a time-consuming distraction for management and the board. Beyond this, the cyberattack and the resultant attention from related legal proceedings could result in serious reputational harm.

8. There are federal programs available to help mitigate corporate liability through the SAFETY Act. Companies can gain valuable protections offered through an advanced approach to the Support Anti-Terrorism by Fostering Effective Technologies Act of 2002 (known as the SAFETY Act). This law provides tort liability protections for products and services that can be used to detect, defend against, or respond to cyberattacks. It is essential that boards and their legal advisors be aware of these programs and assess their applicability to cybersecurity products and services they either procure or deploy on their own.

9. Insurance coverage is available through traditional or tailored policies. The demand for cybersecurity/data loss-specific coverage is incredibly high, placing pressure on availability, though some forms of traditional (and widely available) coverage such as Commercial General Liability may provide coverage for some types of claims. However, insurers are quickly working exclusions into these kinds of policies. Working with experienced coverage counsel can ensure the right kinds and amounts of coverage are in place.

10. Outside counsel comes with the benefit of attorney-client privilege. While there are armies of consultants at the ready to advise companies should a cyber or data loss incident occur, only legal counsel can offer the shield of attorney-client privilege, thereby ensuring that sensitive information about investigations cannot be used in litigation. Having your cybersecurity/data privacy attorney on speed dial is a good idea.

Is liability inevitable or can steps be taken to mitigate or eliminate it?

Cybersecurity and data loss liability and litigation is in a similar stage as environmental law in the 1970s: there has been a broad awakening that liabilities exist, and that they may be vast. Companies have no choice but to assess their exposure and plan accordingly. That means in today’s technology-dependent business environment, it has become imperative that boards (or their equivalents) and their business and legal advisors devote appropriate attention to cybersecurity issues as a matter of good corporate practice and appropriate risk management.

This could mean causing management to (i) undertake a thorough cyber/data loss risk assessment that includes both company-specific risks and risks to critical third parties that would adversely impact the company, and (ii) identify and implement best practices relevant to the company’s cyber and data loss risks.

Most importantly, boards and their senior management, including GCs, have to be aware of the threats and have management take measures to mitigate them. Failure to do so could easily lead to losses and liability.

By Divonne Smoyer, Brian E. Finch, & Emanuel Faust

Questions? Ask GTSC’s Strategic Advisor!

Brian Finch
Partner, Dickstein Shapiro LLP
[email protected]
(202) 420-4823
DISCLAIMER
The GTSC Legal Limits Brief is made available by GTSC for educational purposes only, as well as to provide you with general information and a general understanding of the law and legal changes that may impact your business, not to provide specific legal advice. No attorney-client relationship is established with GTSC or our legal strategic partners by reading this brief. This information should not be used as a substitute for competent legal advice from a licensed professional or attorney. Copyright © 2013. All Rights Reserved.

Key Cybersecurity Issues for Government Contractors

Dickstein Shapiro LLP and the Government Technology & Services Coalition (GTSC) held a webcast, “Key Cybersecurity Issues for Government Contractors.” This interactive program, of particular interest to government contractor compliance officers, CIOs, CISOs, General Counsel, and any other C-suite members, discussed how the federal government is planning on fundamentally altering its acquisition policies to make the cybersecurity of its contractors a top priority.

The discussion included:
– Proposed Federal Acquisition Regulation (FAR) changes relating to President Obama’s Cybersecurity Executive Order;
– Planned changes to procurement requirements based on independent agency actions;
– Congressionally mandated cybersecurity requirements; and
– Ways contractors can prepare for these changes.

Speakers included:

Brian Finch, Partner, Global Security, Dickstein Shapiro LLP

Justin Chiarodo, Partner, Government Contracts, Dickstein Shapiro LLP

Emile Monette, Senior Action Officer for Cyber Security Policy, Government Services Administration

Kristina Tanasichuk, CEO, Government Technology & Services Coalition

View the slides here or watch the webinar by clicking the link below.