A PubKGroup Product
PubKCyber is the go-to source for the most critical regulatory, policy, and oversight developments related to federal cybersecurity. Our coverage includes federal cyber regulations and policy, local and state activity, international law and agreements, federal regulatory body activity, congressional and agency oversight, and industry standards, as well as legal actions and court decisions related to cybersecurity, privacy, and fallout from security breaches.
Several state attorneys general are reviewing a decision by Alphabet Inc.’s Google not to disclose a security glitch that exposed the data of at least 500,000 Google+ users.
Google said it wasn’t required to notify regulators or users under state data breach notification laws because, in its assessment, no private data was compromised. The information exposed was “limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age,” according to a statement by Google.
Attorneys general could still launch investigations under state consumer protection statutes, which require companies to live up to the promises they make about protecting data, according to Robert Braun, co-chair of Jeffer Mangels Butler & Mitchell’s cybersecurity practice.
Senate lawmakers have passed by unanimous consent a long-awaited bill to rename the Department of Homeland Security’s cybersecurity office – the National Protection and Programs Directorate – to the Cybersecurity and Infrastructure Security Agency, or CISA.
Advocates of the name change have argued that NPPD’s non-descriptive bureaucratic name made it difficult to identify the office as the place to go for cybersecurity assistance, a central focus of the program.
The legislation also gives the office purview over “DHS’s responsibilities concerning chemical facilities antiterrorism standards.”
The House approved a similar bill in December; the Senate version now goes to a conference committee to iron out differences in the language of the bills.
Facebook’s European operations are based in Dublin, so it notified the Irish Data Protection Commission that it suffered a breach that put 50 million users at risk. The DPC signaled that it found Facebook’s breach report incomplete. “At present, Facebook is unable to clarify the nature of the breach and risk to users,” the DPC wrote. “We are pressing Facebook to urgently clarify these matters.”
In addition to the obvious exposure of personal information and access to Facebook itself, the breach also puts at risk anyone who ever used Facebook social login, a feature that allows users who are logged into Facebook to automatically log into other sites.
How Well Do You Know Your Supply Chain? New Policy Developments Affect Defense and Security Contractors
This post first appeared on Covington’s Global Policy Watch blog on September 7, 2018
Generating and sustaining the United States’ global economic and military superiority over more than the last half century has depended on a dominant U.S. global economic position and perpetual technological innovation. The United States has increasingly relied on a global industrial supply chain and a relatively open environment for foreign investment in early stage technology development to sustain this dominant position, but in so doing has built risk into the foundation of its competitive advantage. The U.S. Government has growing concerns that these past practices meant to extend the U.S. economic and military advantage are contributing to its erosion. As a result, the Department of Defense (DoD), other Executive agencies, and Congress are taking steps to mitigate risks across the defense industrial and innovation supply chains that provide hardware, software, and services to the U.S. Government.
The U.S. Government has been focused on supply chain issues for more than a decade. As the threats have increased, so has the Government’s scrutiny of its contractors and their suppliers. Underlying these efforts is the concern that a foreign government will be able to expropriate valuable technologies, engage in espionage with regard to sensitive government information, and/or exploit vulnerabilities in products or services. Many senior policymakers across the Executive Agencies and the Congress believe these threats are increasing, and they are focused on taking further steps to make security a business differentiator for those seeking to compete for U.S. Government contracts. Contractors need to understand these security obligations and implement compliance processes, or they may find themselves at competitive disadvantage or even precluded from competition.
Companies seeking to sustain and grow business with the U.S. federal government must ask: how well do you actually know your supply chain—from the materials you acquire to the software you include in your products or services? If you have not answered this question recently, you should consider adding it to your “to do” list. Not only does the United States Government want to know; the Government is also seeking to integrate national security considerations into the acquisition process and expects contractors to be the first line of defense.
A cross-functional team from Covington’s Government Contracts, Public Policy, and National Security practices has studied the major initiatives the Government has launched to protect its supply chain. In a recent article (available here), we analyze new provisions in the recently enacted Fiscal Year 2019 John S. McCain National Defense Authorization Act, including restrictions on the procurement and use of certain telecommunications equipment, software, and services from manufacturers connected to the Chinese government, and stringent disclosure obligations related to foreign review of software code. We also discuss how the Deliver Uncompromised initiative is likely to influence DoD going forward, and what impact this could have on defense contractors and suppliers.
Contractors and the U.S. Government share the strategic objectives of protecting the United States’ competitive edge and sustaining overmatch on the battlefield. Our recent article highlights some of the friction points in pursuing those goals. With planning, forethought, and experienced counsel, contractors can minimize disruption and continue to accomplish their business goals while furthering U.S. national security interests.
The Department of Defense (“DoD”) recently released the summary of its cyber strategy for 2018. The 2018 DoD Cyber Strategy, which replaces the DoD’s 2015 cyber strategy, is focused broadly on “defending forward,” shaping day-to-day competition, and preparing for conflict. But the strategy includes items that are sure to be of interest to contractors and other private sector DoD partners, particularly the members of the Defense Industrial Base (“DIB”). In addition to its emphasis on adopting a more flexible approach to procurement, the strategy is focused on protecting DIB networks and systems and holding members of the DIB and other private sector partners accountable for their cybersecurity practices. Many contractors may already be seeing evidence of this emphasis on accountability, with the recent announcement by the Secretary of Defense that the DoD Office of Inspector General (“OIG”) would conduct an audit to determine whether DoD contractors have security controls in place to protect the DoD controlled unclassified information (“CUI”) maintained on their internal information systems.
Flexible Procurement. The DoD’s cyber strategy highlights its interest in exploring new ways of procuring tools and solutions to reinforce its cyber capabilities. As part of its goals of building a more lethal joint force and reforming its approach to cybersecurity, the DoD’s strategy aims to reduce barriers to procuring software and hardware flexibly and rapidly. The DoD wants to reduce its reliance on expensive, bespoke software that is difficult to maintain and upgrade, and instead leverage COTS capabilities that can be optimized for DoD use.
Protecting the DIB. The DoD’s cyber strategy is particularly concerned with protecting members of the DIB, which often have access to sensitive DoD information. The DoD’s goal is to be prepared to defend DIB networks and systems and to collaborate with the DIB to strengthen the cybersecurity and resilience of its networks and systems. The DoD intends to do this in two ways: First, by setting and enforcing standards for cybersecurity, resilience, and reporting. Second, by being prepared, when requested and authorized, to provide direct assistance on non-DoD networks prior to, during, and after cyber incidents.
This focus on the DIB is also evident in the National Cyber Strategy, which was published by the White House on the same day. One priority of this strategy is strengthening Federal contractor cybersecurity, with a special concern raised as to contractors within the DIB responsible for researching and developing key DoD systems.
Increased Accountability. One of the goals of the DoD’s cyber strategy is reforming the Department through increased awareness and accountability. This includes holding the DoD’s private sector partners “accountable for their cybersecurity practices and choices.” The emphasis on accountability also appears in the National Cyber Strategy, which states that Federal contracts will soon authorize the government to review contractor systems and access those systems to test, hunt, sense, and respond to cyber incidents.
Consistent with the DoD’s statement in its cyber strategy to hold defense contractors “accountable for their cybersecurity practices and choices,” the DoD OIG recently announced it was conducting an audit at the request of the Secretary of Defense with the objective to “determine whether DoD contractors have security controls in place to protect the DoD controlled unclassified information maintained on their systems and networks from internal and external cyber threats.” Initial indications are that the OIG is seeking to conduct audits that go beyond a review of a contractor’s System Security Plan, which is what had been anticipated based on guidance from the DoD Chief Information Office and the requirements of NIST Special Publication 800-171. How contractors will be chosen, the scope of these audits, and the OIG’s authority to conduct them remain unclear. But contractors should be prepared with a position should the OIG approach them to assess the security controls in place on information systems where CUI is transmitted, stored, or processed.