Anticipated CMMC 2.0 cybersecurity guidelines a reminder to government contractors to implement cybersecurity and incident response plans
Industry foresight
With the Defense Department's Cybersecurity Maturity Model Certification program 2.0 (CMMC 2.0) expected to be published later this month, all government contractors should start planning and building the appropriate compliance mechanisms now. Inadequate cybersecurity can lead to hefty fines and penalties, as demonstrated by the recent $9 million payment by Aerojet Rocketdyne. To protect themselves against these fines and penalties, prime contractors are routinely including 24- to 72-hour incident notification requirements and flowdown clauses in their subcontracts.
The anticipated release of CMMC 2.0 and recent headlines are a strong reminder of why it is critical that government contractors understand their liability and implement an adequate notification strategy and incident response plan.
Business Cybersecurity Framework:
The National Institute of Standards and Technology (NIST) has developed guidance for entities in any sector or community that provides a strong basis on which to build cybersecurity compliance. Although CMMC 2.0 has not yet been implemented, the underlying NIST requirements are already mandatory under the federal acquisition clauses incorporated into government contracts. Accordingly, contractors should use the available tools now to create a secure computing environment.
Below are abbreviated descriptions, drawn from NIST, of the five Functions of the NIST Cybersecurity Framework.
- Identify - The Identify Function assists in developing an organizational understanding of how to manage cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Document information flows – It is important not only to understand what type of information your enterprise collects and uses, but also to understand where the data is located and how it flows, especially where contracts and external partners are engaged.
- Protect - The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Protect sensitive data – If your enterprise stores or transmits sensitive data, make sure that this data is protected by encryption both while it’s stored on computers as well as when it’s transmitted to other parties. Consider utilizing integrity checking to ensure only approved changes to the data have been made. Securely delete and/or destroy data when it’s no longer needed or required for compliance purposes.
- Detect - The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Know the expected data flows for your enterprise – If you know what and how data is expected to flow for your enterprise, you are much more likely to notice when the unexpected happens – and unexpected is never a good thing when it comes to cybersecurity. Unexpected data flows might include customer information being exported from an internal database and exiting the network. If you have contracted work to a cloud or managed service provider, discuss with them how they track data flows and report, including unexpected events.
- Respond - The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Ensure response plans are tested – Having a plan is not enough; test it so that each person knows their responsibilities in executing it. The better prepared your organization is, the more effective the response is likely to be. This includes knowing any legal reporting requirements or required information sharing.
- Recover - The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident. Manage public relations and company reputation – One of the key aspects of recovery is managing the enterprise’s reputation. When developing a recovery plan, consider how you will manage public relations so that your information sharing is accurate, complete, and timely – and not reactionary.
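The Identify and Detect Functions above both turn on knowing the expected data flows. As an added example written for this page (it is not code from NIST or from the original article), the Python below records a documented flow baseline and checks constructed flow records against it, flagging the case the Detect bullet describes: customer information leaving the network over an undocumented path. All hostnames, addresses, byte limits, the record format and the log lines are assumptions made up for the illustration.

```python
"""Added example (not part of the original article or NIST's guidance): check
flow records against a documented data-flow baseline. Every hostname, address,
byte limit and log line below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Identify: the documented information flows. Each key is
# (source system, data class, destination system); the value is the largest
# transfer, in bytes, that the documented business process should ever need.
# Hypothetical values; a real baseline comes from the data-flow inventory.
APPROVED_FLOWS = {
    ("crm-db", "customer-pii", "reporting-srv"): 50_000_000,
    ("crm-db", "customer-pii", "backup-srv"): 2_000_000_000,
    ("design-share", "cui", "prime-sftp"): 500_000_000,
}

# Assumed internal address space and the names the flow records resolve to.
# External addresses use RFC 5737 documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
HOSTS = {
    "10.0.1.10": "crm-db",
    "10.0.1.20": "reporting-srv",
    "10.0.1.30": "backup-srv",
    "10.0.2.10": "design-share",
    "203.0.113.5": "prime-sftp",
    "198.51.100.7": "unknown-external",
}

# Constructed flow records in a made-up "key=value" format.
SAMPLE_LOG = [
    "src=10.0.1.10 dst=10.0.1.20 bytes=120000 tag=customer-pii",
    "src=10.0.1.10 dst=198.51.100.7 bytes=850000000 tag=customer-pii",
    "src=10.0.2.10 dst=203.0.113.5 bytes=30000 tag=cui",
    "src=10.0.1.10 dst=10.0.1.30 bytes=9000000000 tag=customer-pii",
    "src=10.0.2.10 dst=10.0.1.20 bytes=5000 tag=cui",
]


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


def is_internal(ip: str) -> bool:
    """True when the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Split one 'k=v k=v ...' record into a dict with an integer byte count."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["bytes"] = int(fields["bytes"])
    return fields


def check_flows(lines, baseline=APPROVED_FLOWS):
    """Detect: return a Finding for every record that is not an expected flow.

    Three cases are flagged, in decreasing severity:
      high   - tagged data leaving the network to a destination that is not
               documented for that source and data class (possible exfiltration)
      medium - a documented flow that moved more data than the baseline allows
               (a bulk export over an approved path)
      low    - an undocumented internal flow (update the inventory or investigate)
    """
    findings = []
    for line in lines:
        f = parse_flow(line)
        src = HOSTS.get(f["src"], f["src"])
        dst = HOSTS.get(f["dst"], f["dst"])
        key = (src, f["tag"], dst)
        if key in baseline:
            limit = baseline[key]
            if f["bytes"] > limit:
                findings.append(Finding(
                    "medium",
                    f"{f['tag']} from {src} to {dst}: {f['bytes']} bytes exceeds baseline of {limit}",
                    line))
            continue
        if not is_internal(f["dst"]):
            findings.append(Finding(
                "high",
                f"{f['tag']} from {src} leaving the network to {dst} is not a documented flow",
                line))
        else:
            findings.append(Finding(
                "low",
                f"{f['tag']} from {src} to internal host {dst} is not a documented flow",
                line))
    return findings


if __name__ == "__main__":
    for finding in check_flows(SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.reason}")
```

A real deployment would build the baseline from the Identify-stage data-flow inventory and feed the checker NetFlow, firewall or proxy records rather than the constructed lines above. The design point is the one the Detect bullet makes: the "unexpected" is only detectable once the expected flows are written down, and the same inventory lets you tell a legitimate transfer to the prime apart from a bulk export to an unknown external host.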
NIST publishes additional cybersecurity guidance, including a detailed Quick Start Guide.
Prime contractor requirements
According to a recent investigation, 87% of defense contractors have failed to implement basic cybersecurity measures. Faced with these numbers, prime contractors have begun contractually obligating subcontractors to notify them of incidents within an increasingly narrow timeframe. Contractors have introduced contract clauses containing versions of the following language:
“notification within 24-hours of a cybersecurity incident that MAY have occurred”
“notification of any POTENTIAL cybersecurity incident shall be sent to the contracting officer, databreach@Prime.com, cyberincident@Prime.com, and ITARviolation@Prime.com.”
“the Contractor shall implement NIST SP 800-171, and provide notification within 48-hours of any EXPECTED cybersecurity incident.”
“the Contractor agrees that any NON-LISTED and required FAR/DFAR clauses are deemed INCORPORATED by reference into, and are fully integrated part of this contract.”
Because of the words "may," "potential," and "expected," these clauses require notification to the government and the prime contractor before any forensic determination that a cybersecurity incident actually occurred. Prime contractors are also creating obligations through incorporation by reference, as the last clause shows: even where the notification language does not appear in the document itself, the incorporated FAR and DFARS clauses require notification to the government and the prime within 72 hours. Certain contractors are also beginning to require written consent before a subcontractor notifies any other third party (law enforcement excepted).
Consequently, to meet all notification requirements, it is imperative to develop an appropriate notification strategy and implement it at the lowest tiers of the defense industrial base.
Why use an incident response plan
Notification requirements are growing and the room for error is narrowing. With notice windows shrinking, it is more important than ever to have a plan in place that suits your business and the data you handle. The recent VA Final Rule is the latest illustration of this industry trend.
Defense contractors generally handle CUI/CDI, but as manufacturing demand increases, ITAR/EAR-controlled data is becoming more prevalent as well. Such data carries specific notification procedures that are difficult to navigate. A cybersecurity incident can therefore also be a potential ITAR/EAR violation, because an unauthorized release of controlled data may itself count as a "disclosure," which is why it is important to identify in advance which notifications are mandatory and which are voluntary.
A detailed incident response plan lets you deliver a concise message that complies with every regulatory mandate. A quick and transparent message that signals cooperation is the most efficient path to a successful resolution.
When to engage counsel during a data breach and what to expect:
While yesterday is the optimal answer, today is the next best option. If you have already experienced a data privacy incident and did not have the opportunity to implement the plans noted above, counsel can still assist, and communications with counsel regarding the incident will likely be protected by the attorney-client privilege. Beyond the incident itself, counsel can also help create the plans and procedures needed for smooth implementation of compliance strategies and safeguards.
If engaged before an incident, data privacy counsel can analyze all contractual obligations, implement the appropriate compliance vehicles, and provide the documentation and notification strategy needed to comply with every requirement. Because an incident may leave your systems encrypted (ransomware, for example), keep paper or other offline copies of all government contracts: these documents are the roadmap for notification and allow counsel to determine the most appropriate plan.
Five key takeaways for government contractors:
- Prime Contractor Notification – Increasingly narrow notification timeframe.
- Concerns Over Inadequate Cybersecurity – Potential fines and penalties.
- NIST Guidance – Cybersecurity Framework: Five Functions.
- ITAR/EAR Violation – Cybersecurity incidents involve potential export violations.
- Cybersecurity Consultation – Protected under Attorney-Client Privilege.
Cybersecurity is and will continue to be a concern. With growing regulations, more contractors are being held accountable for protecting sensitive data – which is why proactively engaging with counsel that has experience handling defense contracts and national security data is increasingly important.
With the new responsibilities and reporting requirements, McDonald Hopkins' national Data Privacy and Cybersecurity Practice Group can help you develop the appropriate policies, procedures, and best practices. If you are interested in more general business and legal counsel information concerning government contracting, our attorneys in the Government Contracting and Procurement Practice Group are available to help, or contact Michelle Kantor (mkantor@mcdonaldhopkins.com or 216.642.6482). If you have any questions or would like to discuss these obligations, please reach out to our team or contact Stephen Robison (srobison@mcdonaldhopkins.com or 216.348.5707).