7012 Regulations and Cyber Insurance Are on a Collision Course with Small Business

Part One: What are the “7012” regulations?

Defense Acquisition Regulation Supplement 252.204-7012

In  November  2013,  the  US  Department  of  Defense  issued  final  rules  to  its  defense  acquisition  regulations.  Defense Acquisition  Regulation  Supplement  (DFARS)  section  252.204-7012  now  requires  contractors  to  safeguard  information that  is  deemed  Unclassified,  but  controlled  (called  UCTI),  within  their  IT  systems  in  a  manner  compliant  with  standards issued earlier in 2013 by the National Institute of Standards and Technology (NIST).

The  7012  regulations  also  require  immediate  reporting  of  any  incident  or  threat  to  UCTI  that  is  carried  on  or  held  in  an IT  system.  The  NIST  is  the  cognizant  agency  for  Classified  standards  and  operational  regulations.  The  regulations themselves  are  a  part  of,  and  a  driver  to,  a  set  of  complex  problems  for  industry  —  presently,  with  risk  being transferred  away  from  DoD  to  its  contractors  who  will  find  risk  rebounding  to  them  via  their  “cyber”  insurance  policies. This   two-part   article   isn’t   intended   to   fan   the   flames,   but   rather   to   give   the   context   behind   the   regs,   provide meaningful  definitions  for  practical  use,  offer  probable  implications  for  industry,  and  set  out  why  the  seemingly  most reasonable solution for businesses may be the most dangerous to them.

No  law  firm,  consultancy,  proprietary  software  solution,  or  cyber-insurance  policy  has  a  magic  solution  that  will ensure  compliance.  Businesses  are  encouraged  to  understand  the  playing  field,  proceed  conservatively,  employ consultants  or  use  external  resources  and  partners  as  part  of  their  due  diligence  to  understand  and  comply  with  the requirements,  articulate  an  operational  plan,  document  copiously,  communicate  generously  with  their  subcontractors, and remember to build and maintain bridges between IT functionality and general operations.

Onions, and Ogres, have layers

Like  the  famous  ogre,  Shrek,  the  7012  regulations  have  a  layered  history  and  an  unfriendly  disposition,  with  good intention  at  base.  Understanding  and  applying  them  requires  an  understanding  of  regulatory  context,  and  current market  forces  at  work.  We’ll  start  by  peeling  back  the  onion  layers  around  the  regulations  themselves.  In  the  second part  of  this  article,  we’ll  look  at  why  implementation,  compliance,  and  risk  transference  strategies  are  on  a  collision course with private cyber insurance, with the critical functionality providers (that’s you) wedged in the middle.

CLICK FOR LARGER IMAGE

The 7012 requirement is the surface layer to a complex problem set because:

  • Unclassified  but  Controlled  Technical  Information,  UCTI,  drives  grey-area  compliance  issues  on  programs  that are neither Classified nor fully open to the enterprise.
  • Relative  novelty  of  the  NIST  regulatory  schema  creates  ambiguity  through  legacy  compliance  and  auditing methodologies. And a Mandelbrotian scope issue for the smallest businesses.
  • The  requirement  is  fanged  with  a  72-hour  fuse  for  reporting  observed  incidents,  and  a  90-day  records  retention requirement for subsequent DoD investigation.
  • The  7012  regulations  are  a  “flowthrough”  to  the  smallest  businesses  holding  Defense  contracts,  as  well  as academia. Responsibility for compliance, documentation, and incident reporting flows down and up the chain.

First of all, what is UCTI? What is it not?

UCTI  is  material  that  is  Unclassified,  but  designated  by  the  DoD  as  “controlled.”  In  other  words,  in  and  of  itself,  UCTI may  not  be  directly  related  to  national  security,  but  its  release  could  compromise  operations,  R&D,  or  manufacture within  military  and/or  aerospace  programs.  Examples  of  UCTI  could  include:  technical  drawings,  software  code, manufacturing  processes  [see  sidebar].  However,  program  criticality  does  not  necessarily  imply  that  all  Unclassified information  held  therein  is  UCTI  —  the  DoD  customer  must  declare  it  so.  For  businesses  working  in  the  Unclassified realm,   safeguarding   UCTI   drives   complexity   within   their   security   paradigms.   Businesses   working   with   Classified information   may   have   the   opportunity   to   pull   UCTI   under   its   secured   information/operational   framework,   but because  the  information  is  Unclassified,  simply  pulling  controlled  information  over  to  the  secured  side  will  not  be feasible  operationally.  With  both  scenarios,  UCTI  drives  grey-area  vulnerabilities  involving  personnel  and  Unclassified networks.

What is the scope of an event triggering the 7012 reporting requirements?

The  regulations  are  unambiguous:  reporting  is  required  within  72  hours  of  the  contractor  discovering  “actions  taken through  the  use  of  computer  networks  that  result  in  an  actual  or  potentially  adverse  effect  on  an  information  system and/or  the  information  residing  therein.”  In  short,  unless  you  conduct  all  of  your  business  using  index  cards,  graph paper  and  filing  cabinets  and  haven’t  yet  decided  to  invest  in  a  newfangled  telephone,  it  is  likely  that  you  will  be required to comply with the 7012 regulations on any defense/aerospace contract involving UCTI.

Next, why does the 7012 requirement carry so much baggage to small and large contractors to DoD?

Smalls:  The  NIST’s  regulatory  schema  is  relatively  recent,  with  very  limited  small  business  inputs  to  the  public/private working  groups  that  developed  a  more  holistic  approach  to  compliance  for  the  largest  businesses,  most  of  whom have   a   Classified   practice.   Thus,   the   small   businesses   most   likely   to   experience   difficulty   with   scaling   up   to compliance  for  UCTI  are  also  most  likely  to  outsource  —  do-able,  if  Unclassified,  but  adding  a  layer  of  risk  and  a  layer of   complexity   for   auditing.   These   are   the   same   small   businesses   which   form   the   small   moving   parts   in   larger defense/aerospace  contracts  that  are  attractive  to  bad  actors  seeking  to  infiltrate  the  supply  chain  in  order  to  acquire passwords, permissions, outsourced pieces of code, organizational charts for spearing executives, and the like.

Bigs:  Large  contractors  have  both  their  own  compliance  to  consider,  and  are  responsible  for  sub-contractor  oversight as   well   as   facilitating   the   reporting   chain   if   there   is   a   triggering   event,   and   then   cooperating   with   DoD auditors/investigators.

Read  that  again.  This  reg  flows  all  the  way  through  the  chain,  not  stopping  at  first-tier  and  not  limited  by  size  of  award. While  many  large  primes  have  published  flowthrough  guidance  for  their  subcontractors,  it  is  important  to  note  that 7012  is  applicable  on  contracts  of  any  dollar  amount.    In  the  author’s  opinion,  the  smallest-dollar  contracts;  and  the smallest  companies,  likely  drive  the  highest  risk  under  the  7012  regs.  Commercial  tech  startups  entering  via  SBIR, small   service-   and   training-   oriented   firms,   etc.,   are   the   least   likely   to   be   aware   of   the   7012   requirements   and conversely  the  most  likely  to  be  unknowingly  breached  absent  robust  IT  and  personnel  security  controls  usually resident  in  larger  organizations.  Smalls  may  be  held  liable  for  their  own  breaches  that  result  in  larger  program compromise  (analogous  to  the  Target  breach).  Consequences  could  include  rescission  of  payments  from  DoD  to  the prime  contractor;  or  even  legal  liability.  Thus,  it  pays  the  large  primes  in  deferred  risk  to  generously  dialogue  with their   subcontractors:   publish   a   policy,   share   operational   methodologies   where   appropriate,   and   perhaps   most importantly,   listen   in   conversation.   It   may   not   be   the   smalls’   vulnerability   that   you   pick   up   on,   but   your   own, highlighted  to  you  in  an  operational  issue.  Smalls  can  be  the  canary  in  a  coalmine  with  rolloff  benefits  to  the  entire chain.

Part  Two  will  cover  why  the  seemingly  most  reasonable  solution  for  businesses  may  be  the  most  dangerous  to  them, and how contractors may be playing with fire as they attempt to transfer risk with insurance instruments.

Ms.   Larisa   Breton,   MPS,   is   President   of   FullCircle   Communications,   LLC,   a   consultancy   focused   on   integrated communication;  as  well  as  a  published  academic  whose  work  has  appeared  in  the  Small  Wars  Journal  and  the Journal of Information Warfare