© Critical Informatics Inc., All Rights Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, “Get off of my Lawn!” As they say, “You Can’t Make This Stuff Up!”
(206) 687-9100
7012 Regulations and Cyber Insurance Are on a Collision Course with Small Business
5/25/2015
By Larisa Breton, MPS, President of FullCircle Communications, LLC

Part One: What are the “7012” regulations?

Defense Federal Acquisition Regulation Supplement 252.204-7012

In November 2013, the US Department of Defense issued final rules to its defense acquisition regulations. Defense Federal Acquisition Regulation Supplement (DFARS) section 252.204-7012 now requires contractors to safeguard information that is deemed Unclassified, but controlled (called UCTI), within their IT systems in a manner compliant with standards issued earlier in 2013 by the National Institute of Standards and Technology (NIST).

The 7012 regulations also require immediate reporting of any incident or threat to UCTI that is carried on or held in an IT system. The NIST is the cognizant agency for Classified standards and operational regulations. The regulations themselves are a part of, and a driver to, a set of complex problems for industry: presently, risk is being transferred away from DoD to its contractors, who will find that risk rebounding to them via their “cyber” insurance policies. This two-part article isn’t intended to fan the flames, but rather to give the context behind the regs, provide meaningful definitions for practical use, offer probable implications for industry, and set out why the seemingly most reasonable solution for businesses may be the most dangerous to them.

No law firm, consultancy, proprietary software solution, or cyber-insurance policy has a magic solution that will ensure compliance. Businesses are encouraged to understand the playing field, proceed conservatively, employ consultants or use external resources and partners as part of their due diligence to understand and comply with the requirements, articulate an operational plan, document copiously, communicate generously with their subcontractors, and remember to build and maintain bridges between IT functionality and general operations.

Onions, and Ogres, have layers

Like the famous ogre, Shrek, the 7012 regulations have a layered history and an unfriendly disposition, with good intention at base. Understanding and applying them requires an understanding of regulatory context and the current market forces at work. We’ll start by peeling back the onion layers around the regulations themselves. In the second part of this article, we’ll look at why implementation, compliance, and risk transference strategies are on a collision course with private cyber insurance, with the critical functionality providers (that’s you) wedged in the middle.
The 7012 requirement is the surface layer of a complex problem set because:

- Unclassified but Controlled Technical Information, UCTI, drives grey-area compliance issues on programs that are neither Classified nor fully open to the enterprise.
- The relative novelty of the NIST regulatory schema creates ambiguity through legacy compliance and auditing methodologies, and a Mandelbrotian scope issue for the smallest businesses.
- The requirement is fanged with a 72-hour fuse for reporting observed incidents, and a 90-day records retention requirement for subsequent DoD investigation.
- The 7012 regulations are a “flowthrough” to the smallest businesses holding Defense contracts, as well as academia. Responsibility for compliance, documentation, and incident reporting flows down and up the chain.

First of all, what is UCTI? What is it not?

UCTI is material that is Unclassified, but designated by the DoD as “controlled.” In other words, in and of itself, UCTI may not be directly related to national security, but its release could compromise operations, R&D, or manufacture within military and/or aerospace programs. Examples of UCTI could include technical drawings, software code, and manufacturing processes [see sidebar]. However, program criticality does not necessarily imply that all Unclassified information held therein is UCTI; the DoD customer must declare it so. For businesses working in the Unclassified realm, safeguarding UCTI drives complexity within their security paradigms. Businesses working with Classified information may have the opportunity to pull UCTI under their secured information/operational framework, but because the information is Unclassified, simply pulling controlled information over to the secured side will not be feasible operationally. In both scenarios, UCTI drives grey-area vulnerabilities involving personnel and Unclassified networks.

What is the scope of an event triggering the 7012 reporting requirements?

The regulations are unambiguous: reporting is required within 72 hours of the contractor discovering “actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.” In short, unless you conduct all of your business using index cards, graph paper and filing cabinets and haven’t yet decided to invest in a newfangled telephone, it is likely that you will be required to comply with the 7012 regulations on any defense/aerospace contract involving UCTI.

Next, why does the 7012 requirement carry so much baggage for small and large contractors to DoD?

Smalls: The NIST’s regulatory schema is relatively recent, with very limited small business input to the public/private working groups that developed a more holistic approach to compliance for the largest businesses, most of whom have a Classified practice. Thus, the small businesses most likely to experience difficulty with scaling up to compliance for UCTI are also the most likely to outsource: do-able, if Unclassified, but adding a layer of risk and a layer of complexity for auditing. These are the same small businesses which form the small moving parts in larger defense/aerospace contracts that are attractive to bad actors seeking to infiltrate the supply chain in order to acquire passwords, permissions, outsourced pieces of code, organizational charts for spearing executives, and the like.

Bigs: Large contractors have both their own compliance to consider, and are responsible for sub-contractor oversight as well as facilitating the reporting chain if there is a triggering event, and then cooperating with DoD auditors/investigators.

Read that again. This reg flows all the way through the chain, not stopping at first tier and not limited by size of award. While many large primes have published flowthrough guidance for their subcontractors, it is important to note that 7012 is applicable on contracts of any dollar amount. In the author’s opinion, the smallest-dollar contracts and the smallest companies likely drive the highest risk under the 7012 regs. Commercial tech startups entering via SBIR, small service- and training-oriented firms, etc., are the least likely to be aware of the 7012 requirements and conversely the most likely to be unknowingly breached, absent the robust IT and personnel security controls usually resident in larger organizations. Smalls may be held liable for their own breaches that result in larger program compromise (analogous to the Target breach). Consequences could include rescission of payments from DoD to the prime contractor, or even legal liability. Thus, it pays the large primes in deferred risk to dialogue generously with their subcontractors: publish a policy, share operational methodologies where appropriate, and perhaps most importantly, listen in conversation. It may not be the smalls’ vulnerability that you pick up on, but your own, highlighted to you in an operational issue. Smalls can be the canary in a coal mine, with rolloff benefits to the entire chain.

Part Two will cover why the seemingly most reasonable solution for businesses may be the most dangerous to them, and how contractors may be playing with fire as they attempt to transfer risk with insurance instruments.

Ms. Larisa Breton, MPS, is President of FullCircle Communications, LLC, a consultancy focused on integrated communication, as well as a published academic whose work has appeared in the Small Wars Journal and the Journal of Information Warfare.