
THE PRIVACY & CIVIL LIBERTIES ASSESSMENT REPORT: WHAT DOES IT REALLY TELL US? A CHIEF PRIVACY OFFICERS’ PERSPECTIVE

The week of April 7, 2014, with little notice or fanfare, the Department of Homeland Security issued its first annual Executive Order 13636 Privacy and Civil Liberties Assessment Report 2014. The report addresses the privacy and civil liberties impacts of certain agencies’ undertakings with respect to critical infrastructure cybersecurity and resilience. It is revealing as much for what it says as for what it doesn’t say with regard to the protection of privacy and civil liberties in the Executive Branch. The report is a study in contrasting approaches to privacy and civil liberties among first-tier federal agencies.

On February 12, 2013, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, and Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience. Combined, the documents call for the federal government to work with the private sector to strengthen the security and resilience of the Nation’s infrastructure – the vast majority of which is privately owned – and do so in a way that protects the privacy and civil liberties of Americans.

As set forth in the EO 13636 Report, departments and agencies are required to do the following:

  • Develop a technology-neutral voluntary cybersecurity framework;
  • Promote and incentivize the adoption of cybersecurity practices;
  • Increase the volume, timeliness, and quality of cyber threat information sharing;
  • Explore the use of existing regulation to promote cyber security; and
  • Incorporate strong privacy and civil liberties protections into every initiative to secure our CI.

Additionally, PPD-21 requires that departments and agencies:

  • Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time;
  • Understand the cascading consequences of infrastructure failures;
  • Evaluate and mature the public-private partnership;
  • Update the National Infrastructure Protection Plan to take into account cyber aspects of infrastructure; and
  • Develop a comprehensive research and development plan.

The Department of Homeland Security (DHS) is the lead agency under the EO and PPD. And, under Section 5 of the Executive Order, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS, in consultation with the Privacy and Civil Liberties Oversight Board and in coordination with the Office of Management and Budget, are responsible for issuing a privacy and civil liberties assessment, with contributions from the privacy and civil liberties officials of the other agencies covered under the Executive Order (the Departments of Commerce, Defense, Health and Human Services (HHS), Justice, Transportation, Treasury, and Energy; the Office of the Director of National Intelligence (ODNI); and the General Services Administration (GSA)).

“Protections” include the Fair Information Practice Principles and any other privacy or civil liberties policies, principles or frameworks. The Fair Information Practice Principles to be used are those found in Appendix A of the National Strategy for Trusted Identities in Cyberspace, which mirrors the DHS Fair Information Practices (FIPPs), set forth in DHS Privacy Policy Guidance Memorandum 2008-1, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security.

At close to 50 pages, DHS’s section was the most comprehensive, robust assessment contained in the report. The two DHS offices addressed their authorities, frameworks, and involvement with the Administration’s critical infrastructure cybersecurity efforts, and then the four areas in which DHS was carrying out its responsibilities under EO 13636 and PPD 21: Cybersecurity Information Sharing–Sharelines; Expansion of the Enhanced Cybersecurity Services Program; the DHS Private Sector Clearance Program; and the DHS Loaned Executive Program. For each of the four areas, the DHS assessment provided a concise discussion of the agency’s actions, past and present, and the implications for privacy and civil liberties. Importantly, DHS addressed in very meaningful ways the circumstances under which it would use PII. After each area, the assessment listed recommendations to DHS, for a total of seven recommendations, many of which encourage increased transparency, oversight, and education.

The other departments’ and agencies’ assessments were far shorter, with far less detail. Significantly, many are sector-specific agencies in sectors with vast amounts of PII about American citizens. This month alone, the Government Accountability Office called out the SEC (GAO-14-419) for needing to improve controls over financial systems and data, the IRS (GAO-14-405), and, most notably, the overall lax federal agency response to data breaches involving PII (GAO-14-487T). This sector-specific PII might well be the target of future cyber incidents, and it certainly would be connected to any future incidents, yet most of the other agencies covered by the E.O. could only muster cursory assessments under 10 pages in length.

For example, Treasury, the sector-specific agency for banking and finance, lightly assessed its involvement in four pages covering three programs: the Critical Infrastructure Private Sector Clearance Program, the Voluntary Critical Infrastructure Cybersecurity Program, and Identification of Critical Infrastructure at Greatest Risk. Treasury provided no meaningful discussion of the FIPPs in its assessment, a requirement of the Executive Order.

Defense’s assessment focused on the Defense Industrial Base (DIB). Specific initiatives included the DIB Cyber Security/Information Assurance (CS/IA) Program and the DIB Enhanced Cyber Security Services (DECS). Importantly, Defense noted that a “specific cyber incident may include PII that is incidental to, or embedded in, the information the DIB company has shared with [Defense] for cyber security analysis.” In the absence of a list of affected DIB companies, and of the type and amount of PII that could be the subject of a cyber incident, the Defense assessment failed to provide a meaningful discussion of the privacy impacts associated with such sharing.

Justice’s assessment was surprisingly short, four pages, especially given that the Justice Privacy and Civil Liberties Officer is a senior position within the Department and an equal of DHS’s Chief Privacy Officer. The Justice assessment focused on iGuardian, “an unclassified web portal designed to accept cyber intrusion complaints from the private sector.” As the ACLU noted, Justice’s remark that only information that is “relevant” is maintained is dubious in a post-Snowden world, given that all information in the digital realm may be relevant to law enforcement and intelligence agencies.

Commerce’s very brief assessment focused on the National Institute of Standards and Technology’s (NIST) work on the Cybersecurity Framework in collaboration with industry. In fairness to Commerce, NIST has not yet issued its final version of the Framework, arguably limiting its ability to provide a thorough assessment of NIST’s efforts.

HHS – the sector-specific agency for health care – ever so briefly touched in its assessment on the various aspects of EO 13636 and PPD 21 with which it was involved: Cybersecurity Information Sharing; Cybersecurity Framework; Voluntary Critical Infrastructure Cybersecurity Program; and Identification of Critical Infrastructure at Greatest Risk. Transportation was the same, lightly touching on: Cybersecurity Information Sharing; Development of Cybersecurity Framework; The Cybersecurity Framework; Voluntary Critical Infrastructure Cybersecurity Program; and Identification of Critical Infrastructure at Risk. Energy’s assessment focused on its PPD-21 responsibilities related to the energy sector. Surprisingly, Energy failed to discuss those responsibilities from a civil liberties perspective.

ODNI assessed the implications of its issuance of “instructions for the Intelligence Community (IC) to ensure the timely production of unclassified cyber products to the U.S. homeland that identify a specific targeted entity”, otherwise known as “tearlines.” The ODNI assessment provided a passable discussion on the FIPPs, but in transitioning to the agency’s Intelligence Community responsibilities, it appeared to be accepting as true that any already collected PII was properly corrected. In light of the Snowden revelations and the bulk collection of telecommunications and internet service provider data, this part of the assessment rings hollow.

Finally, GSA addressed its responsibilities under the EO to work with Defense to make recommendations “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” GSA came to the remarkable conclusion that its joint report with Defense on acquisition “does not directly impact privacy and civil liberties as personally identifiable information (PII) is not collected, used, or disseminated.”

Taken as a whole, it is clear that privacy is not protected in an equal fashion across the Executive Branch. Many agencies do not grasp the policy implications of the FIPPs. Some did not even bother to address them. Lastly, there was an overall lack of transparency in the agencies’ critical infrastructure cybersecurity efforts. And that may be the most important aspect of this report: it shows how far tier one agencies have to go to get privacy right.

Contributing Author: Hugo Teufel

Hugo Teufel is the former Chief Privacy Officer of the U.S. Department of Homeland Security. An attorney, he assists public and private sector clients in a wide range of areas including privacy and security; investigations, compliance, and corporate governance; defense and homeland and national security; and government contracts formation, administration and litigation.

DOD & GSA Issue Final Report on Improving Cybersecurity & Resilience through Acquisition

On January 23, 2014, the Department of Defense (DoD) and General Services Administration (GSA) Joint Working Group on Improving Cybersecurity and Resilience Through Acquisition (Working Group) submitted its eagerly anticipated final report on integrating cybersecurity requirements into all federal procurements. This report, which satisfies Executive Order (EO) 13636 and Presidential Policy Directive (PPD) 21, includes recommendations on the increased use of cybersecurity standards in all federal acquisition activities, including strategic planning, capabilities needs assessment, systems acquisitions, and program and budget development.

The final report is perhaps most notable as another step toward an era where most every government contractor must satisfy baseline cybersecurity requirements. While the final report does not provide explicit guidance on the details of creating such a new procurement environment, in light of recent, imminent and forthcoming government activity, including the final rule imposing cybersecurity and reporting obligations on DoD contractors (issued November 18, 2013 and summarized here), the upcoming final cybersecurity framework of the National Institute of Standards and Technology (NIST) (to be released in mid-February), and the forthcoming final rule governing the safeguarding of government contractor information systems (likely finalized next year), we view this final report as a bellwether. Government contractors who ignore the final report and the course it has set do so at their own peril.

Cybersecurity issues will increasingly affect agency standard setting, coverage issues and incentives, government audits and investigations, security breach litigation, and other business drivers. Government contractors and other companies that handle government information or supply components that could be compromised electronically must begin, to the extent they have not already done so, to think both strategically and pragmatically about developing an integrated approach to these cybersecurity issues.

Background

On February 12, 2013, President Obama issued EO 13636 – Improving Critical Infrastructure Cybersecurity. Section 8(e) mandated that the Working Group, in consultation with the Department of Homeland Security (DHS) and the Federal Acquisition Regulatory (FAR) Council, “make recommendations to the President . . . on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” Section 8(e) also directed the Working Group to “address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”

On May 13, 2013, the Working Group published a request for information (RFI), inviting public comment on the appropriate cybersecurity measures and parameters for federal procurements (summarized here). The Working Group also consulted with representatives from the DoD, GSA, DHS, FAR Council, the Office of Federal Procurement Policy, NIST, and others before issuing the final report.

Working Group Recommendations

The final report makes six recommendations, including that the federal government and/or contractors, as appropriate, should:

(1) institute baseline cybersecurity requirements as a condition of contract award for appropriate acquisitions;

(2) address cybersecurity in relevant training;

(3) develop common cybersecurity definitions for federal acquisitions;

(4) institute a federal acquisition cyber risk management strategy;

(5) include a requirement to purchase from original equipment or component manufacturers (OEM), their authorized resellers, or other trusted sources, when available, for appropriate acquisitions; and

(6) increase government accountability for cyber risk management.

For contractors, the most helpful recommendations ask the government to clarify, with more specificity, the standards to which contractors will be held accountable. For example, the first recommendation correctly observes that, “[o]ften, cybersecurity requirements are expressed in terms of compliance with broadly stated standards and are included in a section of the contract that is not part of the technical description of the product or service the government seeks to acquire.” This, the report concedes, “leaves too much ambiguity as to which cybersecurity measures are actually required in the delivered item.” Accordingly, the report recommends expressing baseline cybersecurity requirements as part of the acquisition’s technical requirements and including performance measures to ensure the baseline is maintained and risks are identified. The final report also recommends common cybersecurity definitions, which, if adopted, would go a long way toward relieving anxiety about contractors’ and the government’s current and near-future cybersecurity obligations.

Though the recommendations are instructive, the final report does not actually mandate specific baseline requirements or propose common cybersecurity definitions. Nor does it propose a cyber risk management strategy or otherwise attempt to identify the acquisitions in which baseline requirements or OEM limitations are “appropriate.” Instead, the final report “intends” that others will harmonize these recommendations with ongoing rulemakings, cybersecurity standards, and statutory frameworks. In short: stay tuned.

Takeaways

First and foremost, change is coming. Although the final report recommendations are directed more toward government program managers and acquisition decision makers than industry, the harmonization of such recommendations with recent and forthcoming regulations, mandatory contract provisions, and other statutory requirements and protections will affect the industry directly and significantly.

Other critical points for government contractors to consider as the final report’s recommendations are implemented include:

  • What cybersecurity terms will be defined, and what will those definitions look like? Considering that the definitions will be used government-wide, it is imperative that contractors provide feedback lest a definition be issued that is contrary to their interests, much less defies common sense;
  • What topics will be covered in the cyber education program for the procurement work force? If procurement officials are not properly educated on a variety of threats, then they may fail to incorporate standards and requirements that are necessary for information protection;
  • How will federal risk management strategy be developed? And will it be flexible enough to account for the rapidly evolving threat environment?;
  • Are contractors prepared to fight back against cybersecurity requirements in federal acquisition programs that are being used to exclude otherwise acceptable vendors and technologies?; and
  • How deep will these requirements reach into federal contractors’ business? In other words, will the cybersecurity obligations be limited just to public-contracting programs, or will they effectively become company-wide requirements regardless of the buyer?

The final report is a clear signal that mandatory baseline standards, training protocols, and other risk-based requirements are on the horizon. Those standards will likely be based on the NIST framework or, in specialized areas, even stricter protocols. Government contractors and other companies that handle government information must implement an integrated strategy that mitigates the risks associated with these cybersecurity issues, and where viable, the opportunities that these changes might create.

By Contributing Authors: Brian Finch, Justin Chiarodo, and Daniel Broderick from GTSC Strategic Partner Dickstein Shapiro

Brian Finch, a partner in Dickstein Shapiro’s Washington, DC office, is head of the firm’s Global Security Practice. Named by Washingtonian magazine in 2011 as one of the top 40 federal lobbyists under the age of 40, Brian is a recognized authority on global security matters who counsels clients on regulatory and government affairs issues involving the Department of Homeland Security, Congress, the Department of Defense, and other federal agencies. Dickstein Shapiro is a Strategic Partner of the Government Technology & Services Coalition. You can reach Brian at [email protected] or (202) 420-4823.

Justin Chiarodo represents clients in all aspects of federal, state, and local procurement law. Named by Law360 in 2013 as a “Rising Star” in Government Contracts, Justin has extensive experience in government contracts litigation, compliance, and regulatory matters, with particular expertise in the defense, health care, technology, and professional services sectors.

Daniel Broderick is a Washington, DC-based associate in Dickstein Shapiro’s Energy Practice. He focuses on regulatory and project development matters affecting clients in the electricity industry, including electric market design, municipalization, compliance, certification, and power purchase agreements.