Inside Cybersecurity

Debate begins on Obama’s cyber guidance for federal contractors

August 13, 2015 | Christopher J. Castelli

The Obama administration’s newly released draft guidance on improving cybersecurity for the federal acquisition process is already drawing both praise and concern from legal experts and business advocates.

The proposed guidance – released Monday at – is spurring private-sector organizations to draft formal comments to submit to the White House’s Office of Management and Budget by the Sept. 10 deadline. The administration has said it will use the open-source platform GitHub to collect the comments.

Attorneys and industry groups contacted this week by Inside Cybersecurity offered a range of initial views on the draft memorandum, which discusses security controls, cyber incident reporting, information security assessments, information security continuous monitoring and business due diligence.

Harvey Rishikof, a co-chair of the American Bar Association’s Cybersecurity Task Force, said the proposed guidance marks an “important start” of a dialogue between the government and the private sector. Federal officials want more control of both unclassified and classified information due to the risk that adversaries might steal and combine various kinds of data to assemble a mosaic of sensitive information, he said.

OMB’s guidance, which Inside Cybersecurity first reported was in the works in June, comes as the administration is grappling with the fallout of the massive breach of the Office of Personnel Management’s systems, linked by the top U.S. intelligence official to Chinese hackers, as well as breaches of White House and Pentagon systems reportedly by Russian hackers.

Brian Finch, a partner with the law firm Pillsbury Winthrop Shaw Pittman, praised OMB’s effort to develop cybersecurity rules for federal contractors.

“I think this is an excellent step forward with respect to securing a vital link in the government's cybersecurity perimeter,” Finch said. “It only makes sense to have its vendors be subject to a relatively consistent baseline and set of obligations with respect to security controls, incident reporting, security assessments and continuous monitoring.”

“I also like how there is some flexibility built into this so that contractors are not subjected to unduly burdensome security requirements when the situation does not call for it,” he added.

But Susan Booth Cassidy, a partner with the law firm Covington & Burling, said the guidance raises many questions.

“Despite an intention to try and make agency approaches to cybersecurity consistent, the guidance leaves many questions unanswered,” she said. “Even with this guidance, contractors will continue to face inconsistent requirements for what constitutes a cyber incident, how quickly it must be reported, and what security controls are considered adequate just to name a few.”

“The most significant issue may be that once again the government is operating outside the normal requirements for promulgating regulations,” Cassidy said. “It is helpful that the government is seeking comments on this guidance. But going forward, if OMB decides to modify this guidance, no such notice is required.” In other federal efforts to promulgate regulations, changes are subject to notice and comment, she said.

Although OMB's guidance aims to create some uniformity across the government, it will be up to individual agencies to create unique contract clauses and approaches to cybersecurity, Cassidy said. Further, the guidance does not seek to reconcile existing or proposed regulations and guidance in this area, including those issued by the Defense Department and the Department of Homeland Security, she said.

“For example, there are now multiple definitions of what controls are adequate for safeguarding government information, what constitutes a cyber incident, and when those incidents must be reported,” Cassidy continued. Rishikof also cited a lack of consensus on definitions for key terms.

A key theme of the guidance is the need to alert the government sooner to potential looming cybersecurity problems. “Timely contractor reporting of all cyber incidents involving the loss of confidentiality, integrity or availability of data is critical to the government’s ability to determine appropriate response actions and minimize harm from incidents,” the proposed guidance states.

“Although not explicit in the guidance, it is clear that the government is concerned with timely reporting of incidents so that it can react more quickly and avoid future breaches like those at OPM,” said Cassidy. Such prompt notification to the government might also allow U.S. authorities to use denial and deception operations against hackers inside the system, Rishikof said.

The guidance would require contractors to report not only confirmed breaches but also any suspicious activity that might turn out to have an “adverse effect" on an information system or the data therein. This is similar to the broad definition in DOD’s rule on unclassified controlled technical information, which includes the “possible exfiltration, manipulation, or other loss or compromise,” Cassidy said.   

“But it is unclear how the obligations would differ under each approach,” she said. Like DOD’s rule, OMB’s guidance states that only breaches of internal contractor systems where controlled unclassified information is impacted are reportable, she said.

“Making that determination, however, may be difficult in contractor information systems where government and commercial customer data are commingled,” Cassidy added.
Contractors who operate information systems on behalf of the government will be required to comply with continuous monitoring requirements.

Further, the guidance says the General Services Administration will develop a “business due diligence information shared service that gives agencies a holistic view of organizations doing business with the government,” including a look at the cyber risks facing particular contractors.

Contractors are starting to scrutinize OMB’s draft memorandum. Aerospace Industries Association spokesman Daniel Stohr said the group is reviewing the proposed guidance in conjunction with its members to build a consensus position that it will submit in formal comments for the record.

“Some members have expressed concerns with the draft language,” Stohr said.

Lisa Dezzutti, president of the not-for-profit Women in Technology, applauded OMB’s intent to “provide clarity and consistency to cyber security guidelines and the uniform enforcement of these guidelines for the contractor community.” The OPM breach brought into sharp focus the need to mitigate cyber risks, she said.

“However, intent and impact are often two very different things,” Dezzutti added. “A balanced approach is needed so that compliance with these guidelines does not become overly burdensome at a time when government budget pressures are still a top challenge for federal employees and contractors alike.”

Dezzutti argued the investment in time and systems must not outweigh the actual impact. She also warned against creating rules that make the cost of compliance a barrier to entry for innovative high-tech companies, particularly those owned by women. – Christopher J. Castelli ([email protected])

(c) Inside Washington Publishers