October 13, 2021
Good morning, everyone!
Cyber incident reporting and the importance of candor
Shortly after I wrote that newsletter, this bombshell came out:
In a groundbreaking initiative announced by the Department of Justice this week, federal contractors will be sued if they fail to report a cyber attack or data breaches. The newly introduced "Civil Cyber-Fraud Initiative" will leverage the existing False Claims Act to pursue contractors and grant recipients involved in what the DOJ calls "cybersecurity fraud." Usually, the False Claims Act is used by the government to tackle civil lawsuits over false claims made in relation to federal funds and property connected with government programs.
The initiative will hold entities, such as federal contractors or individuals, accountable when they put US cyber infrastructure at risk by knowingly "providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."
Now, the DoD has been making noises about using the False Claims Act to go after contractors who claim to have implemented NIST SP 800-171 when they actually haven’t, and they have even done it a few times recently, but this is the first I’ve heard of the DoJ going after contractors who aren’t meeting ALL the requirements of DFARS 7012, including all the stuff in there (other than 800-171) that most people don’t pay much attention to.
Remember, even when the CMMC becomes applicable to all DoD contracts, it is a requirement in addition to, not in place of, the 7012 clause. So maybe we need to talk about some of that other stuff today.
If you read the full text of the 7012 clause, you will see that NIST 800-171 is covered only in paragraph (b) “Adequate security,” which is followed by paragraph (c) “Cyber incident reporting requirement”:
(1) When the Contractor discovers a cyber incident [...], the Contractor shall—
(i) Conduct a review for evidence of compromise of covered defense information […] and
(ii) Rapidly report cyber incidents to DoD at https://dibnet.dod.mil.
Raise your hand if you knew about this already? Eh, that’s what I thought. It surprises a lot of people when I talk about this in my workshops.
So what exactly qualifies as a “cyber incident” worthy of reporting? Paragraph (a) “Definitions” states:
“Cyber incident” means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
Okay, what is a "compromise" exactly?
“Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
Paragraph (d) of the 7012 clause specifically addresses “Malicious Software” and how to handle it, so we know that is reportable. But when? Any time your antivirus software flags something suspicious? No, only if a "compromise or an actual or potentially adverse effect" has occurred. So in the case of ransomware, yes, definitely, you need to report that. It is well-known that ransomware gangs routinely copy all your data before encrypting it (and defense contractors have been hit with this already). A known backdoor has been installed on one of your computers? I would investigate for sure. Do your firewall logs show that the backdoor has been accessed? Do they show any other suspicious activity? You need this information to file your report. How about if somebody in the marketing department installed a shopping toolbar that's classified as spyware? Hmmmm, does that person have access to controlled information? How does that toolbar work exactly? You might want to investigate that to determine whether it's reportable.
What else might qualify? A compromised email account? Accidentally sending an email with controlled information to someone outside your organization? Losing a thumb drive containing controlled information? Evidence that someone outside your organization has been tampering with internal resources (like that strange account on the server that doesn’t belong to any known employee)? Now sounds like a good time for some tabletop exercises.
The 7012 clause has additional useful and very specific information about your obligations to report cyber incidents. Subcontractors, you have an obligation to report incidents to your primes also. The full clause is well worth a read.