Although the Department of Defense (DOD) has long required its contractors to provide “adequate security” to protect “Covered Defense Information,” as of the December 31, 2017 implementation deadline (that is, beginning January 1 of this year) the Department specifies that “adequate security” means, at a minimum, implementation of all 110 of the security requirements described in NIST Special Publication 800-171. See Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. These requirements apply regardless of a contractor’s size or the amount of business it does with the government. Failure to meet them can expose the contractor to legal action (for breach of contract or under the False Claims Act) as well as to termination, suspension, and debarment from federal programs. While many of the required security controls are highly technical, this article discusses a few basic ways that counsel to a defense contractor can add substantial value to a client’s efforts to meet the NIST 800-171 standards.
Breach Response Planning
In the wake of growing concern over data breaches, the DOD has tightened the requirements for how its contractors implement security protocols and respond to data incidents. The DFARS clause imposes a 72-hour deadline for reporting cyber incidents to the DOD and introduces additional handling obligations, including submitting any discovered malicious software in accordance with the contracting officer’s direction, and preserving and protecting images of all known affected information systems and the relevant monitoring data for at least 90 days after the incident report is submitted.
The DFARS cyber rules are premised not on “if” an incident will occur but on “when,” and on how contractors can best prepare for recovery. The best practice for government contractors is to update their existing incident response plans to reflect the more specific DFARS requirements. The hours immediately following discovery of a breach are the most critical, so contractors should already have an established set of protocols that they can execute as soon as an incident is detected. The first step should be to structure the investigation under the direction of counsel so that attorney-client privilege and work-product protection can attach, allowing a free flow of information among the key players. From the outset, in-house or outside counsel should be assessing the facts and identifying the potential risks and liabilities the contractor may face.
Next, the contractor should immediately determine what types of data, and how much, have been affected. Contractors should already have a cyber-forensic team and any other needed technical experts on retainer. As a general practice, these agreements should be negotiated before a breach occurs, so that the contractor is not seeking help under artificial time pressure or from a position of weakened leverage in the middle of a crisis.
The final consideration when updating and applying an incident response plan is how to communicate during a breach. Although DFARS imposes the 72-hour reporting requirement to the DOD, contractors must also consider whether additional disclosures will be owed to customers, state attorneys general and/or legislators, employees, the press, and, in some instances, law enforcement. These are highly complex determinations that turn on a number of factors, and legal counsel is essential to helping contractors formulate an appropriate plan for their organization. The types and contents of these communications should be prepared well in advance so that they are ready to transmit within a reasonable time after an incident. Beyond communications, contractors should also maintain business continuity plans that allow them to preserve essential functions while particular platforms and applications are disrupted. Above all, attorneys should make sure their contractor clients have assembled a team capable of making sound business and legal decisions as the incident unfolds and the process of investigating, responding, and recovering begins.
Subcontractor Flow-Down
Another concern of the DFARS rules is controlling who has access to covered defense information, including downstream. The clause requires prime contractors to “flow down” the clause to subcontractors at any tier whose performance will involve covered defense information. Covered defense information (“CDI”) means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and that is either marked or otherwise identified in the contract and provided to the contractor by or on behalf of the DOD in support of contract performance, or is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance.
Essentially, the DFARS flow-down requirement compels contractors and subcontractors alike to provide adequate security pursuant to NIST 800-171. In practice, prime contractors are tasked with vendor management, meaning they must make sure that subcontractor work touching CDI is performed on compliant systems. Ways a prime contractor can tackle this task include: communicating directly with the subcontractor about the specific requirements of DFARS; conditioning subcontract work on evidence that the subcontractor has completed a full NIST 800-171 security assessment and has developed, updated, and/or implemented a system security plan and a plan of action to remediate any shortcomings; or providing hands-on assistance to the subcontractor to confirm firsthand that it is in compliance with DFARS. Creative and informed legal counsel can be a contractor’s best asset in negotiating downstream contracts that reduce the prime’s compliance risk arising from a subcontractor’s failures.
While there are several approaches to vendor and subcontractor management, it falls to the prime contractor to decide which is most feasible given the extent of the subcontractor’s role in the contract. Contractors should also consider the types of CDI each subcontractor will handle. Because the prime contractor is ultimately answerable to the DOD for violations of the DFARS rules, it should be wary of subcontractors who are lax in their cybersecurity or wholly unversed in the DFARS and NIST control requirements. Excluding subcontractors altogether is rarely practical; however, bringing on a non-compliant subcontractor can create unnecessary liability in the wake of a data incident.
Employee Awareness and Training
Lastly, attorneys can assist their clients’ compliance efforts by addressing every contractor’s greatest cybersecurity risk: people. Software can be updated and systems patched, but employee carelessness can only be mitigated by repeatedly training the entire organization in sound security practices. This risk is significant enough that NIST 800-171 devotes an entire family of requirements (3.2, “Awareness and Training”) to the users of a system. Counsel to defense contractors should, at a minimum, become conversant in the most common attacks that target employees, including phishing, malware, and social engineering. Breaches also commonly occur without any third-party instigation: misplaced or lost laptops and phones are a risk area that must be addressed through employee training and hardware policies, such as full-disk encryption and remote-wipe capability. In addition, counsel should work closely with the client’s human resources department to ensure that disgruntled or departing employees cannot remove covered defense information from the company’s systems, for example by promptly revoking access when an employee gives notice or is terminated.
While this article highlights select areas of cybersecurity compliance for defense contractors, the NIST 800-171 requirements are far more comprehensive. Beyond those security controls, attorneys advising defense contractors should be mindful that specific agreements between the DOD and its contractors may impose more particular compliance and certification obligations, including representations that the contractor has implemented the requirements, or a need to document gaps in a system security plan and plan of action, or to seek approval of alternative measures from the DOD for areas where the contractor is not yet compliant. As with many complex business problems, contractors benefit from the perspective and protection of legal counsel and from a privileged deliberative process for developing their compliance strategies. Both the reality of today’s data-driven business environment and the DFARS requirements mean that defense contractors must be proactive in assessing and mitigating their cyber risk; parties who are purely reactive in addressing data issues are only preparing to fail these critical obligations.
Republished with permission. The article originally appeared in Volume 4, Issue 1 of Data and Security Dispatch on June 19, 2018.