Federal policy is shifting to impose tighter cybersecurity requirements on government contractors and Congress appears poised to impose new standards throughout the private sector.
SAN FRANCISCO — There may soon come a day when it will be nearly impossible for companies to do business with the federal government, defense or civilian agencies, without first providing binding assurances that certain cybersecurity measures have been met.
Right now, there are two trends that could have a long-term impact on companies: the Defense Department’s ongoing implementation of a unified cybersecurity standard for contractors and the burgeoning regulatory efforts targeting the private sector and how companies secure consumer data and privacy.
For the latter, it could mean increased scrutiny from federal watchdog agencies like the Securities and Exchange Commission and Federal Trade Commission. For the former, it means companies that want to work with the Pentagon will have to meet specific standards of the Cybersecurity Maturity Model Certification (CMMC) program.
Participation in that program will eventually become a part of all contracts and requires companies to attest or be evaluated by an approved third-party organization. Failure to comply could simply mean a company loses a customer, but that might not be good for business.
Vendor cybersecurity at DOD
Kelly Fletcher, the Defense Department’s principal deputy chief information officer, said part of the preparedness starts with embracing the idea of cybersecurity-as-a-service so that medium-sized and smaller companies can meet CMMC standards even as they change to keep pace with new threats.
“I'm really hopeful that as folks buy cybersecurity as a service from true cyber experts, this is a chance for those experts to change what they provide to them or to make sure that the most current threats are accounted for and what is being provisioned as this turnkey service,” she said at the RSA conference in San Francisco in June.
But not taking early steps could mean ceding business to companies that got an earlier start, potentially shrinking the Defense Department’s already dwindling contractor pool.
“When these [requirements] first hit contracts, which is summer of next year, I think in the end, we're gonna get everybody over the line. I think everybody who wants to pursue CMMC certification is going to get there,” Fletcher said. “But I do think there might be a little bit of time where not everyone is there. And so those companies that do have that certification done, I think they're going to be in a little bit less competition.”
Fletcher said the DOD is “at an inflection point” where it’s a priority to fix things like technical debt, and that shift will be more visible across the federal government within the next few years.
“It is a priority for us and that's across the board not just for the [defense industrial base], but also for our own systems. And I think that I'm seeing this throughout the federal government to some degree, but absolutely within DOD,” Fletcher said. “I think [in] the next year or two, we're gonna see a big shift in how we apply resources and what we prioritize.”
Drew Bagley, CrowdStrike’s vice president and counsel for privacy and cyber policy, told FCW that expectations of cybersecurity measures were coming from legal requirements directly applicable to certain sectors, or potentially certain data types, “while simultaneously getting an expectation that in order for companies to compete fairly, then they really have a duty to pay attention and heed those warnings to use the best information possible to fix vulnerabilities.”
CISA in the mix
Thanks to the Biden administration’s cybersecurity executive order, that means practices like endpoint detection and response, zero trust, threat hunting, and logging are now directly applicable to federal agencies, he said.
“Something that I think is really important for raising the bar with DOD cybersecurity is really enhancing cybersecurity in the DIB. Related to legal requirements, what we've seen over the past few months is the new requirement for organizations that are deemed critical infrastructure, including DIBs, to report cyber incidents to CISA and to report ransomware payments to CISA,” Bagley told FCW during the RSA conference.
Bagley said the Cybersecurity and Infrastructure Security Agency’s reporting requirements were important because it “creates incentives for organizations to enhance their cybersecurity so that they're not in a position to have to do breach reporting. But similarly, there needs to be actions taken to incentivize the use of managed service providers.”
And it’s also important to have flexibility with respect to enforcement.
“Because if you think about how diverse the DIBs companies are in terms of size, scope and resources, you have obviously these supply chains in which you have very, very small providers who may be making very critical parts, especially if we're talking about military hardware, and yet, maybe very small in and of themselves, and not able to fully deploy a mature security program, like a large defense contractor. And nonetheless, they can still use all the same technologies and methods that are called for in the executive order that are expected from federal agencies now by using managed service providers,” he said.
“So it's really important for DOD to be flexible in the way in which those requirements trickle down to the entire ecosystem, by focusing on those end means of getting the technologies, tools and methods deployed, rather than focusing squarely on who does it.”
Michael Baker, the vice president and IT chief information security officer at DXC Technology, said one of the things companies should do in the face of cyber standards like CMMC is be honest when they’re not doing well – and then ask for help.
“You're given the gift of the prioritization of the requirements in the DoD assessment methodology, they have a scoring mechanism, right, use it. Use it to your advantage. And honestly, if your score is low, ask for help,” Baker, who was previously a CISO at GDIT, said during an RSA conference panel on CMMC.
“That was one of the things that dawned on me when in my previous role: [how] most people hid those scores. Don't hide them. Bring them to the front. Let's solve it together.”
Baker said it’s easy to get swept up in “a blame game” in the cyber world where if “you get breached and you point a finger and say, A-ha!” But to get ahead, companies, large contractors in particular, should prioritize making sure their critical subcontractors are in good cyber shape.
“I would really prioritize that if you have the resources to get ahead of it and make sure that you're fulfilling the obligations because not only is it the right thing to do, but it's also the right thing to do for business because you don't want to have a vulnerability in your supply chain that then you have to answer to the DOD for in the long run because you weren't doing what you needed to do.”
When regs proliferate
But business groups are concerned about the potential ramifications of having to meet multiple – and possibly overlapping – reporting requirements. And whether it’s a privacy law or DOD’s CMMC, those cyber requirements could end up in contracts.
“You'll still have these privacy laws likely touching most of the significant organizations in that time. And interestingly enough, analogous to what we were talking about with DoD contracts, and the entire supply chain ecosystem and how those requirements flow down, many of these privacy laws actually impose requirements that end up being applied via contract to the entire ecosystem of service providers,” Bagley said.
“So for example, if you take cybersecurity requirements in California's [California Privacy Rights Act] those are requirements that end up not just affecting entities that are serving California consumers, but end up flowing down to their service providers, and in many instances, those service providers' service providers and so on. So I think you're going to just see a lot of natural legal concern and awareness as a result of this even if we don't see, to your point, laws keeping up with every type of cyber incident.”
For the private sector, Bagley laid out the current cyber law landscape, describing the emergence of state-level breach notification laws for private-sector companies, such as encryption compliance required for personal health records held by businesses and vendors as part of the HITECH Act.
“What you see is that you have a duty to report a breach, if there is a breach. But the other trend we've also seen over the past couple of decades, that is also codified in these sector specific federal regulations, is a requirement to protect data to begin with. So you see that in financial services, again with HIPAA, and what you see is a requirement that is principles based: you must protect data in a manner that's reasonable to the risk, is usually how these obligations are worded.”
Some states have adopted privacy laws that carry cyber requirements, including the CPRA. And those cybersecurity requirements serve a dual purpose.
“With CPRA, even though it's built naturally as a privacy law, it has these cybersecurity requirements. And so that means where you see organizations that provide goods and services to customers they're going to have an obligation for cybersecurity, but lots of those same companies provide services to the government,” Bagley said.
“So you're already seeing a trend where there is, in essence, a standard of cybersecurity that's being raised by a law that's not even directly applicable in the public sector context. And yet is naturally incentivizing these companies.”
There's momentum in Congress behind a federal data privacy standard to pre-empt the patchwork of state rules. The American Data Privacy and Protection Act was advanced by a subcommittee of the House Committee on Energy and Commerce on June 23.
Bagley said the law’s debate should extend beyond whether or not the U.S. should have a federal privacy law and could have ramifications as it relates to federal contractors that also sell directly to consumers.
“You're going to see that cybersecurity is a part of the current draft. And even though parts of the current draft may change, for sure,” he said, “one thing I expect that will remain, probably similar, are the security requirements that are in this draft.”
The version of the bill that passed the subcommittee requires covered companies to "maintain reasonable administrative, technical, and physical data security practices and procedures to protect and secure covered data against unauthorized access and acquisition."
That standard of "reasonableness" will shift with time, Bagley said.
“Whatever is reasonable in 2022 is not going to be reasonable in 2025. What is very interesting from a cyber law perspective, is that we've already seen that where you have the federal government being very active with trying to get information out to those best equipped to fix vulnerabilities, for example, you then see the [Federal Trade Commission] taking note and essentially further defining what an unfair trade practice may be in today's era,” he said.
For example, when the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) disclosed vulnerabilities related to Log4j and instructions for companies to patch them, the FTC then issued a notice saying that failure to patch could have legal implications.
“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the notice states.
Moving the front lines
But cyber is tricky because technology, threats, and vulnerabilities are constantly changing, while laws and regulations can take years to make and even longer to change or strike down. So the question remains: How will cyber law and standards be able to keep up? And what’s to come?
For Matthew Travis, the CEO of the Cyber AB, the organization in charge of standing up CMMC, it could mean the eventual adoption of the single standard at least in federal acquisitions. Travis said the organization has been approached by other federal agencies, entities across infrastructure sectors, and nations “who see the value of a third party certification conformance regime” because “it lowers risk and it gives you more fidelity into who you're doing business with and what's in your supply chain.”
And while it’s not appropriate to scale CMMC while it’s still in the beginning stages, he said during the panel, it’s unlikely that other federal agencies will come up with their own standard for contractors.
“There needs to be a unifying standard for federal acquisition, these companies who support not only DOD, but they're supporting [Department of Energy] and [Department of Homeland Security] and others,” Travis said during the panel.
“Ultimately, this is a journey and I think there'll be a confluence of smart folks who realize that the federal acquisition community needs a unifying standard. I think CMMC is it, as NIST 800-171 continues to evolve.”
Then he added: “Anytime we're spreading cybersecurity hygiene, it's good for the nation.”
Meanwhile, Bagley thinks more “pure-play cybersecurity requirements” are coming, most likely in the form of data breach notification and privacy laws.
“I think that you are naturally going to see legal teams, compliance teams, and privacy teams, assisting security teams, and working together with security teams to really raise the bar whether or not you see an evolutionary development in national cybersecurity laws in the United States.”