A PubKGroup Product
PubKCyber is the go-to source for the most critical regulatory, policy, and oversight developments related to federal cybersecurity. Our coverage includes federal cyber regulations and policy, local and state activity, international law and agreements, federal regulatory body activity, congressional and agency oversight, and industry standards, as well as legal actions and court decisions related to cybersecurity, privacy, and fallout from security breaches.
Christopher Krebs, director of the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency, says officials are working to secure the 2020 presidential election.
In testimony to the House Homeland Security Committee, Krebs said he is trying to shift focus from what happened in 2016 with Russian interference to what could happen next, and to get election security officials to think ahead and prepare for possibilities.
But he also says even the threat of a disruption can sow discord, and the government is working to better inform Americans.
Intelligence officials last week gave President Donald Trump a classified report on the 2018 midterm election that said no evidence was found that efforts by Russians or other foreign groups affected election or campaign infrastructure.
For over a year now, federal defense contractors have been required to comply with Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (see our recent firm alert). Recently, however, the Department of Defense (DoD) announced in a memorandum to DoD officials that it has “asked” the Director of the Defense Contract Management Agency (DCMA) to begin auditing contractor compliance with the cybersecurity requirements described in DFARS Clause 252.204-7012.
More specifically, the memorandum states that “to effectively implement the cybersecurity requirements addressed in” DFARS Clause 252.204-7012 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations, DoD has instructed DCMA to “leverage its review of a contractor’s purchasing system in accordance with DFARS Clause 252.244-7001, Contractor Purchasing System Administration,” in order to:
“Review Contractor procedures to ensure contractual DoD requirements for marking and distribution statements on DoD CUI flow down appropriately to their Tier 1 Level Suppliers;” and
“Review Contractor procedures to assess compliance of their Tier 1 Level Suppliers with DFARS Clause 252.204-7012 and NIST SP 800-171.”
As the memorandum explains, DFARS Clause 252.204-7012 “requires contractors to implement” NIST SP 800-171 “as a means to safeguard the [DoD’s CUI] that is processed, stored or transmitted on the contractor’s internal unclassified information system or network.” Federal contractors, in turn, “are required to flow down this clause in subcontracts for which subcontract performance will involve DoD’s CUI.”
In light of this new development, federal contractors would be wise to review and document their compliance with the subject requirements set forth in DFARS Clause 252.204-7012 and NIST SP 800-171.
Republished with permission. Originally published by Bradley Arant Boult Cummings LLP. Copyright 2019.
A bipartisan group of senators has reintroduced legislation that would make it easier for cyber specialists in the federal government to detail at other agencies and lend their expertise.
Senators Gary Peters (D-MI) and John Hoeven (R-ND) are sponsors, and Ron Johnson (R-WI) and Maggie Hassan (D-NH) are cosponsors. Johnson and Peters are the chair and ranking Democrat (respectively) of the Senate Homeland Security and Governmental Affairs Committee, which has favorably reported the bill.
The legislation would empower the Office of Personnel Management to develop an operational plan for the program, and put together a list of open rotational cyber workforce positions where agencies have identified a need. Federal employees would be able to apply for a detail to another office or agency for up to 14 months, pending approval from their managers.
A report by SecurityScorecard assessed 128 federal agencies in three categories related to their overall cyber posture during the 35-day government shutdown: network security, patching cadence, and endpoint security. While network security scores dipped slightly during the shutdown, agencies improved their grades in the other two categories, apparently due to general inactivity within their departments.
The researchers attributed the drop in network security to a spike in expired SSL/TLS certificates. Agencies must renew these certificates before they lapse: a valid certificate is what lets a browser authenticate a site and establish an encrypted connection to it, and an expired one makes browsers warn users or refuse the connection. Renewals could not be processed while agencies were shuttered.
Though agencies let a handful of certificates lapse during the shutdown, many cybersecurity workers continued to work without pay while agencies were closed, and the researchers speculate they used the lull in internal activity to catch up on overdue patching.
Likewise, agencies' endpoint security scores rose significantly during the shutdown, largely because so few endpoints were in use while furloughed employees were kept offline; fewer active endpoints means fewer observable findings, not a stronger defensive posture.
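The renewal failures the report describes are exactly what a certificate-expiry monitor exists to catch before browsers do. The Go program below is an added example, not code from the article or from SecurityScorecard: it constructs a self-signed test certificate (constructed data standing in for an agency web server's real certificate, for the assumed hostname agency.example), classifies it against an assumed 30-day warning policy, and then runs the same X.509 path validation a TLS client performs, showing that a lapsed certificate fails with x509.Expired. The hostname, the warning threshold and the function names are assumptions, not anything from the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed policy (not from the report): warn when fewer than this many
// days of validity remain, so renewal happens before the certificate lapses.
const warnDays = 30

// newTestCert builds a constructed, self-signed certificate for the assumed
// hostname "agency.example" with the given validity window. It stands in
// for an agency web server's real certificate.
func newTestCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "agency.example"},
		DNSNames:     []string{"agency.example"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckExpiry is the monitoring-side check: classify the certificate's
// validity window relative to now. Validity times are truncated to whole
// seconds when encoded, so the comparison uses NotAfter as parsed.
func CheckExpiry(cert *x509.Certificate, now time.Time) string {
	remaining := cert.NotAfter.Sub(now)
	switch {
	case now.Before(cert.NotBefore):
		return "not-yet-valid"
	case remaining < 0:
		return "expired"
	case remaining < time.Duration(warnDays)*24*time.Hour:
		return "expiring"
	default:
		return "ok"
	}
}

// VerifyAsClient runs the same X.509 path validation a TLS client such as a
// browser applies to a server certificate, with cert as its own trust
// anchor and validity evaluated at now. A non-nil error is what becomes the
// browser's "connection not secure" page.
func VerifyAsClient(cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     "agency.example",
		CurrentTime: now,
	})
	return err
}

// IsExpiredError reports whether a verification error is specifically an
// expired-certificate failure rather than, say, a hostname mismatch.
func IsExpiredError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

func main() {
	now := time.Now()
	day := 24 * time.Hour
	cases := []struct {
		name      string
		notBefore time.Time
		notAfter  time.Time
	}{
		{"current", now.Add(-day), now.Add(90 * day)},
		{"expiring", now.Add(-day), now.Add(5 * day)},
		{"expired", now.Add(-60 * day), now.Add(-time.Hour)},
	}
	for _, c := range cases {
		cert, err := newTestCert(c.notBefore, c.notAfter)
		if err != nil {
			panic(err)
		}
		err = VerifyAsClient(cert, now)
		fmt.Printf("%-8s monitor=%-13s client_verify_ok=%-5t expired_error=%t\n",
			c.name, CheckExpiry(cert, now), err == nil, IsExpiredError(err))
	}
}
```

The "expiring" case is the one worth alerting on: the client-side check still passes for it, so only the monitoring check gives operators lead time, which is what an agency with no one available to process renewals would have needed before the shutdown began.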
The Defense Department has unveiled plans to audit contractors’ supply chain compliance with the DFARS Safeguarding Clause 252.204-7012. Under the auspices of 252.244-7001, Contractor Purchasing System Administration, Under Secretary of Defense Ellen Lord has directed the Defense Contract Management Agency (DCMA) to review contractors’ purchasing systems with the intent of verifying compliance with the Safeguarding Clause’s flowdown requirements. Notably, though, the scope of DCMA’s review appears broader than the Clause’s textual requirements. Specifically, DCMA will review contractor procedures to:
- Ensure that Tier 1 Level Suppliers are receiving properly marked Covered Defense Information (CDI), or instructions on how to do so; and
- “Assess compliance” of Tier 1 Level Suppliers with both the Clause and NIST SP 800-171.
The memorandum is the latest signal from the DoD that it views the Safeguarding Clause’s flowdown requirements as more than a check-the-box exercise and as an increasingly important piece of its overall cybersecurity posture.