Vendors prep for new cyber rules of the road


Federal policy is shifting to impose tighter cybersecurity requirements on government contractors and Congress appears poised to impose new standards throughout the private sector.

SAN FRANCISCO — There may soon come a day when it will be nearly impossible for companies to do business with the federal government, whether with defense or civilian agencies, without first providing binding assurances that certain cybersecurity measures have been met.

Right now, there are two trends that could have a long-term impact on companies: the Defense Department’s ongoing implementation of a unified cybersecurity standard for contractors and the burgeoning regulatory efforts targeting the private sector and how companies secure consumer data and privacy. 

For the latter, it could mean increased scrutiny from federal watchdog agencies like the Securities and Exchange Commission and Federal Trade Commission. For the former, it means companies that want to work with the Pentagon will have to meet specific standards of the Cybersecurity Maturity Model Certification (CMMC) program. 

Participation in that program will eventually become a part of all contracts and requires companies to attest to their compliance or be evaluated by an approved third-party organization. Failure to comply may mean nothing more than losing a customer, but losing that customer is not good for business.

Vendor cybersecurity at DOD

Kelly Fletcher, the Defense Department’s principal deputy chief information officer, said part of the preparedness starts with embracing the idea of cybersecurity-as-a-service so that medium-sized and smaller companies can meet CMMC standards even as they change to keep pace with new threats.

“I'm really hopeful that as folks buy cybersecurity as a service from true cyber experts, this is a chance for those experts to change what they provide to them or to make sure that the most current threats are accounted for and what is being provisioned as this turnkey service,” she said at the RSA conference in San Francisco in June.

But not taking early steps could mean ceding business to companies that got an earlier start, potentially shrinking the Defense Department’s already dwindling contractor pool. 

“When these [requirements] first hit contracts, which is summer of next year, I think in the end, we're gonna get everybody over the line. I think everybody who wants to pursue CMMC certification is going to get there,” Fletcher said. “But I do think there might be a little bit of time where not everyone is there. And so those companies that do have that certification done, I think they're going to be in a little bit less competition.”

Fletcher said the DOD is “at an inflection point” where it’s a priority to fix things like technical debt, and that shift will be more visible across the federal government within the next few years. 

“It is a priority for us and that's across the board not just for the [defense industrial base], but also for our own systems. And I think that I'm seeing this throughout the federal government to some degree, but absolutely within DOD,” Fletcher said. “I think [in] the next year or two, we're gonna see a big shift in how we apply resources and what we prioritize.”

Drew Bagley, Crowdstrike’s vice president and counsel for privacy and cyber policy, told FCW that expectations of cybersecurity measures were coming from legal requirements directly applicable to certain sectors, or potentially certain data types, “while simultaneously getting an expectation that in order for companies to compete fairly, then they really have a duty to pay attention and heed those warnings to use the best information possible to fix vulnerabilities.”

CISA in the mix

Thanks to the Biden administration’s cybersecurity executive order, practices like endpoint detection and response, zero trust, threat hunting and logging are now directly applicable to federal agencies, he said.

“Something that I think is really important for raising the bar with DOD cybersecurity is really enhancing cybersecurity in the DIB. Related to legal requirements, what we've seen over the past few months is the new requirement for organizations that are deemed critical infrastructure, including DIBs, to report cyber incidents to CISA and to report ransomware payments to CISA,” Bagley told FCW during the RSA conference.

Bagley said the Cybersecurity and Infrastructure Security Agency’s reporting requirements were important because it “creates incentives for organizations to enhance their cybersecurity so that they're not in a position to have to do breach reporting. But similarly, there needs to be actions taken to incentivize the use of managed service providers.”

And it’s also important to have flexibility with respect to enforcement. 

“Because if you think about how diverse the DIBs companies are in terms of size, scope and resources, you have obviously these supply chains in which you have very, very small providers who may be making very critical parts, especially if we're talking about military hardware, and yet, maybe very small in and of themselves, and not able to fully deploy a mature security program, like a large defense contractor. And nonetheless, they can still use all the same technologies and methods that are called for in the executive order that are expected from federal agencies now by using managed service providers,” he said. 

“So it's really important for DOD to be flexible in the way in which those requirements trickle down to the entire ecosystem, by focusing on those end means of getting the technologies, tools and methods deployed, rather than focusing squarely on who does it.”

Michael Baker, the vice president and IT chief information security officer at DXC Technology, said one of the things companies should do in the face of cyber standards like CMMC is be honest when they’re not doing well – and then ask for help. 

“You're given the gift of the prioritization of the requirements in the DoD assessment methodology, they have a scoring mechanism, right, use it. Use it to your advantage. And honestly, if your score is low, ask for help,” Baker, who was previously a CISO at GDIT, said during an RSA conference panel on CMMC. 

“That was one of the things that dawned on me when in my previous role: [how] most people hid those scores. Don't hide them. Bring them to the front. Let's solve it together.”

Baker said it’s easy to get swept up in “a blame game” in the cyber world where if “you get breached and you point a finger and say, A-ha!” But to get ahead, companies, large contractors in particular, should prioritize making sure their critical subcontractors are in good cyber shape. 

“I would really prioritize that if you have the resources to get ahead of it and make sure that you're fulfilling the obligations because not only is it the right thing to do, but it's also the right thing to do for business because you don't want to have a vulnerability in your supply chain that then you have to answer to the DOD for in the long run because you weren't doing what you needed to do.”

When regs proliferate

But business groups are concerned about the potential ramifications of having to meet multiple – and possibly overlapping – reporting requirements. And whether it’s a privacy law or DOD’s CMMC, those cyber requirements could end up in contracts. 

“You'll still have these privacy laws likely touching most of the significant organizations in that time. And interestingly enough, analogous to what we were talking about with DoD contracts, and the entire supply chain ecosystem and how those requirements flow down, many of these privacy laws actually impose requirements that end up being applied via contract to the entire ecosystem of service providers,” Bagley said. 

“So for example, if you take cybersecurity requirements in California's [California Privacy Rights Act] those are requirements that end up not just affecting entities that are serving California consumers, but end up flowing down to their service providers, and in many instances, those service providers, service providers and so on. So I think you're going to just see a lot of natural legal concern and awareness as a result of this even if we don't see, to your point, laws keeping up with every type of cyber incident.”

For the private sector, Bagley laid out the current cyber law landscape, describing the emergence of state-level breach notification laws for private sector companies, along with requirements such as the encryption compliance required for personal health records held by businesses and vendors as part of the HITECH Act.

“What you see is that you have a duty to report a breach, if there is a breach. But the other trend we've also seen over the past couple of decades, that is also codified in these sector specific federal regulations, is a requirement to protect data to begin with. So you see that in financial services, again with HIPAA, and what you see is a requirement that is principles based: you must protect data in a manner that's reasonable to the risk, is usually how these obligations are worded.”

Some states have adopted privacy laws that carry cyber requirements, including the CPRA. And those cybersecurity requirements serve a dual purpose. 

“With CPRA, even though it's built naturally as a privacy law, it has these cybersecurity requirements. And so that means where you see organizations that provide goods and services to customers they're going to have an obligation for cybersecurity, but lots of those same companies provide services to the government,” Bagley said. 

“So you're already seeing a trend where there is, in essence, a standard of cybersecurity that's being raised by a law that's not even directly applicable in the public sector context. And yet is naturally incentivizing these companies.”

There's momentum in Congress behind a federal data privacy standard to pre-empt the patchwork of state rules. The American Data Privacy and Protection Act was advanced by a subcommittee of the House Committee on Energy and Commerce on June 23. 

Bagley said the law’s debate should extend beyond whether or not the U.S. should have a federal privacy law and could have ramifications as it relates to federal contractors that also sell directly to consumers. 

“You're going to see that cybersecurity is a part of the current draft. And even though parts of the current draft may change, for sure,” he said, “one thing I expect that will remain, probably similar, are the security requirements that are in this draft.” 

The version of the bill that passed the subcommittee requires covered companies to "maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition."

That standard of "reasonableness" will shift with time, Bagley said. 

“Whatever is reasonable in 2022 is not going to be reasonable in 2025. What is very interesting from a cyber law perspective, is that we've already seen that where you have the federal government being very active with trying to get information out to those best equipped to fix vulnerabilities, for example, you then see the [Federal Trade Commission] taking note and essentially further defining what an unfair trade practice may be in today's era,” he said. 

For example, when the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) disclosed vulnerabilities related to Log4j and instructions for companies to patch them, the FTC then issued a notice saying that failure to patch could have legal implications. 

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the notice states. 

Moving the front lines

But cyber is tricky because technology, threats, and vulnerabilities are constantly changing, while laws and regulations can take years to make and even longer to change or strike down. So the question remains: How will cyber law and standards be able to keep up? And what’s to come?

For Matthew Travis, the CEO of the Cyber AB, the organization in charge of standing up CMMC, it could mean the eventual adoption of the single standard at least in federal acquisitions. Travis said the organization has been approached by other federal agencies, entities across infrastructure sectors, and nations “who see the value of a third party certification conformance regime” because “it lowers risk and it gives you more fidelity into who you're doing business with and what's in your supply chain.”

And while it’s not appropriate to scale CMMC while it’s still in the beginning stages, he said during the panel, it’s unlikely that other federal agencies will come up with their own standard for contractors. 

“There needs to be a unifying standard for federal acquisition, these companies who support not only DOD, but they're supporting [Department of Energy] and [Department of Homeland Security] and others,” Travis said during the panel.

“Ultimately, this is a journey and I think there'll be a confluence of smart folks who realize that the federal acquisition community needs a unifying standard. I think CMMC is it, as NIST 800-171 continues to evolve.” 

Then he added: “Anytime we're spreading cybersecurity hygiene, it's good for the nation.”

Meanwhile, Bagley thinks more “pure-play cybersecurity requirements” are coming, most likely in the form of data breach notification and privacy laws.

“I think that you are naturally going to see legal teams, compliance teams, and privacy teams, assisting security teams, and working together with security teams to really raise the bar whether or not you see an evolutionary development in national cybersecurity laws in the United States.”
