Cyber Risk Part 2: Growing Cyber Regulations
As discussed previously, the risks associated with cyber come in many different forms. This blog is dedicated to looking at the growth of #cyberregulations.
FEDERAL REGULATIONS AND STANDARDS FOR CYBERSECURITY
Bills are flowing through both state and federal assemblies and are becoming law. Further, These laws and regs are being updated and modified frequently. Take for example the cyber DFARS (Defense Federal Acquisition Regulations Supplement) and the FAR (Federal Acquisition Regulation) requirements. They started in earnest with the passing of the Federal Information Security Management Act (FISMA) in 2002. NIST developed the Federal Information Processing Standard (FIPS) in that same year. The security work performed was confined to the federal government. However, in 2010 an Executive Order (EO 13556) was issued directing the protection of all sensitive yet unclassified information within and outside of the government. This sensitive but unclassified information is now referred to as Covered Defense Information (CDI) within DoD and Controlled Unclassified Information (CUI) elsewhere. CUI is the term universally recognized by all government organizations.
Including the EO, there were 3 significant publications of laws or standards from 2002 up to and through 2010. As you can see in the list below, a total of 12 have been published in the 8 plus years since 2010. The cyber race is on.
- Dec. 2002: Federal Information Security Management Act (FISMA)
- Dec. 2002: FIPS (Federal Information Processing Standard)
- Nov. 2010: EO 13556 Controlled Unclassified Information
- Nov. 2013: First cyber DFARS published (51 controls- 800-53)
- Jun. 2015: NIST (SP) 800-171 published
- Sept. & Dec. 2015: DFARS modified and deadline postponed 2 years until December 31, 2017
- Aug. 2015: Cloud Computing Clarified
- Jun. 2016: FAR 4.19 / 52.204-21
- Dec. 2016: NIST (SP) 800-171 Rev. 1 Draft
- Nov. 2017 NIST-HB-162 Published
- Jun. 2018: NIST (SP) 800-171 Rev. 1 Final
- Jun. 2018 NIST (SP) 800-171A Draft
- Jun. 2019 NIST (SP) 800-171B Draft
- Jun. 2019: NIST (SP) 800-171 Rev. 2 Draft
- Jan. 2020: DoD CMMC (Cybersecurity Maturity Model Certification)
Federal Cybersecurity Related Regulation or Standards Published Between …
2000 and 2010
2011 and 2020
The risk presented by the Federal regulations and standards is in an organization not meeting them and becoming ineligible to compete and obtain government contracts and business. Working as a subcontractor is not a workaround as the same clauses contained in the prime contractor's contract must be flowed down to all subcontractors handling sensitive data or CUI. So, to be eligible contractors should be in compliance with NIST 800-171r1, or at least have a good System Security Plan (SSP) and Plan of Action & Milestones (POA&M) that can be provided to the procurement personnel.
Of particular note, DoD has announced that they will require 3rd party certification of contractors starting in 2020. Further, they stated that the new requirement will be the CMMC (Cybersecurity Maturity Model Certification) which will retain all of NIST 800-171 requirements and add 800-53 and NAS 9933 controls to the mix. There will be 5 levels within the maturity model. Getting to the first level of maturity may not be enough either, the AIA (Aerospace Industry Association) states that the minimum acceptable maturity level within NASS 9933 is level 3.
The growth and change of the DFARS give credence to the statement that cybersecurity is a journey, a never-ending process. Contractors should start this process in the near future if they have not done so already.
PRIVACY REGULATIONS: US STATES AND ABROAD
The same trend can be observed in other areas of the economy. The term ‘Privacy’ has become a central concern of governments at all levels. The first major privacy regulation was established in Europe and is known as the General Data Protection Regulation or GDPR. It applies to any companies doing work with European entities such that personal information is being recorded, stored, or used. The principle tenants of GDPR are listed below.
- May 2018 GDPR (General Data Protection Regulation) Principles
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
- Accountability and compliance
- Right to be informed
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to Object
- Rights related to automated decision making (incl. profiling)
Many businesses have taken the position that they will decline federal business in response to the cyber FAR and DFARS. Fewer are taking the position that they will not participate in federal work and international work because the market is greatly reduced. But even the decision to avoid both the federal and international market will not solve their cyber problem. There is more coming!
States are now very active passing privacy bills. According to Hogan Lovells of iapp:
‘At least 31 states have already established laws regulating the secure destruction or disposal of personal information. And at least 12 states—Arkansas, California, Connecticut, Florida, Indiana, Maryland, Massachusetts, Nevada, Oregon, Rhode Island, Texas and Utah—have imposed broader data security requirements.’
Lovells goes on to describe legislation being considered by the New York State Assembly, specifically A.10190, that will, if passed, prescribe cybersecurity requirements to include:
- Secure user authentication protocols
- Secure access control
- Encryption of personal information in transit
- Monitoring systems to identify unauthorized access attempts
- Encryption of data on portable devices
- Implementing appropriate firewall protections
- Patching of operating systems
- Security software with regular updates
- Security education and training
State laws apply to all businesses – period. They focus on protecting consumer rights and identifying business obligations as summarized below:
- The right to access personal information collected
- The right of access to personal information shared with a third party
- The right to correct or rectify incorrect or outdated personal data
- The right for a consumer to delete personal information
- The right to restrict processing of personal data
- The right to data portability
- The right to Opt-Out of the sale of personal data
- The right against automated decision making
- The right of consumer legal action for recovery of damages
- A strict opt-in for the sale of personal information
- Notice / transparency requirements
- Data breach notification
- Mandated risk assessment
- Prohibition on discrimination against consumers exercising rights
- Purpose limitation
- Processing limitation
The following matrix published by the International Association of Privacy Professionals (iapp) shows current legislative activity in a number of states. It is a lot of activity, but it raises another concern. If many or all states write their own privacy laws, it will become a patchwork of varying requirements that will be difficult to follow. As a result, the US Senate Committee on Commerce, Science and Transportation has held hearing to investigate national regulations for privacy which would at least provide a single standard to follow. Ironically, if the federal government defines privacy regulations, they will mist likely return to the NIST standards – full circle!
All the regulations discussed above in aggregate represent a tsunami heading straight for businesses. So, what is the right approach? Start and have a plan.
As previously stated, cybersecurity is a process that will be with your company for all of its days. The important thing is to start with a basic program that covers the major defense issues. At Imprimis, we refer to this as the Cyber Start Package. It includes both technical and non-technical elements. The technical will include a next generation firewall – properly configured – with an intrusion detection system (IDS), very strong and capable endpoint protection (EPP), strong access control preferably using multi-factor authentication (MFA). data encryption, vulnerability management and patching and an effective and redundant backup system round up the minimum technical requirements.
The non-technical requirement will include policies & procedures or at least a start, defining a management organization for the network and its configuration management, and training for all.
You will still be doing these things when you become an advanced, mature cybersecurity operation, so we are talking in degrees. Start with the basics and add to them. One thing that will be important for risk management is cybersecurity insurance. It is a must from the beginning.
And as always … It is time for everyone to #CyberUpAmerica. We all need to access the benefits of the cyber domain but to do so we all need to learn how to #CyberDeny the bad guys.