7012 Regulations & Cybersecurity Insurance Are on a Collision Course with Small Business

Part One: What are the “7012” regulations?

Defense Acquisition Regulation Supplement 252.204-7012

In November 2013, the US Department of Defense issued final rules to its defense acquisition regulations. Defense Acquisition Regulation Supplement (DFARS) Section 252.204-7012 now requires contractors to safeguard the information that is deemed Unclassified but controlled (called UCTI), within their IT systems in a manner compliant with standards issued earlier in 2013 by the National Institute of Standards and Technology (NIST).

The 7012 regulations also require immediate reporting of any incident or threat to UCTI that is carried on or held in an IT system. The NIST is the cognizant agency for Classified standards and operational regulations. The regulations themselves are a part of, and a driver to, a set of complex problems for the industry — presently, with the risk being transferred away from DoD to its contractors who will find risk rebounding to them via their cybersecurity insurance premiums. This two-part article isn’t intended to fan the flames, but rather to give the context behind the regs, provide meaningful definitions for practical use, offer probable implications for industry, and set out why the seemingly most reasonable solution for businesses may be the most dangerous to them.

No law firm, consultancy, proprietary software solution, or cyber-insurance policy has a magic solution that will ensure compliance. Businesses are encouraged to understand the playing field, proceed conservatively, employ consultants or use external resources and partners as part of their due diligence to understand and comply with the requirements, articulate an operational plan, document copiously, communicate generously with their subcontractors, and remember to build and maintain bridges between IT functionality and general operations.

Onions, and Ogres, have layers

Like the famous ogre, Shrek, the 7012 regulations have a layered history and an unfriendly disposition, with good intentions at base. Understanding and applying them requires an understanding of the regulatory context and current market forces at work. We’ll start by peeling back the onion layers around the regulations themselves. In the second part of this article, we’ll look at why implementation, compliance, and risk transference strategies are on a collision course with private cyber insurance, with the critical functionality providers (that’s you) wedged in the middle.

The 7012 requirement is the surface layer to a complex problem set because:

• Unclassified but Controlled Technical Information, UCTI, drives grey-area compliance issues on programs that are neither Classified nor fully open to the enterprise.
• The relative novelty of the NIST regulatory schema creates ambiguity through legacy compliance and auditing methodologies. And a Mandelbrotian scope issue for the smallest businesses.
• The requirement is fanged with a 72-hour fuse for reporting observed incidents, and a 90-day records retention requirement for subsequent DoD investigation.
• The 7012 regulations are a “flowthrough” to the smallest businesses holding Defense contracts, as well as academia. Responsibility for compliance, documentation, and incident reporting flows down and up the chain.

First of all, what is UCTI? What is it not?

UCTI is material that is Unclassified, but designated by the DoD as “controlled.” In other words, in and of itself, UCTI may not be directly related to national security, but its release could compromise operations, R&D, or manufacture within the military and/or aerospace programs. Examples of UCTI could include: technical drawings, software code, manufacturing processes [see sidebar]. However, program criticality does not necessarily imply that all Unclassified information held therein is UCTI — the DoD customer must declare it so. For businesses working in the Unclassified realm, safeguarding UCTI drives complexity within their security paradigms. Businesses working with Classified information may have the opportunity to pull UCTI under its secured information/operational framework, but because the information is Unclassified, simply pulling controlled information over to the secured side will not be feasible operationally. With both scenarios, UCTI drives grey-area vulnerabilities involving personnel and Unclassified networks.

What is the scope of an event triggering the 7012 reporting requirements?

The regulations are unambiguous: reporting is required within 72 hours of the contractor discovering “actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.” In short, unless you conduct all of your business using index cards, graph paper and filing cabinets and haven’t yet decided to invest in a newfangled telephone, it is likely that you will be required to comply with the 7012 regulations on any defense/aerospace contract involving UCTI.

Next, why does the 7012 requirement carry so much baggage to small and large contractors to DoD?

Smalls: The NIST CSF’s regulatory schema is relatively recent, with very limited small business inputs to the public/private working groups that developed a more holistic approach to compliance for the largest businesses, most of whom have a Classified practice. Thus, the small businesses most likely to experience difficulty with scaling up to compliance for UCTI are also most likely to outsource — do-able, if Unclassified, but adding a layer of risk and a layer of complexity for auditing. These are the same small businesses which form the small moving parts in larger defense/aerospace contracts that are attractive to bad actors seeking to infiltrate the supply chain in order to acquire passwords, permissions, outsourced pieces of code, organizational charts for spearing executives, and the like.

Bigs: Large contractors have both their own compliance to consider, and are responsible for sub-contractor oversight as well as facilitating the reporting chain if there is a triggering event, and then cooperating with DoD auditors/investigators.

Read that again. This reg flows all the way through the chain, not stopping at first-tier and not limited by size of award. While many large primes have published flowthrough guidance for their subcontractors, it is important to note that 7012 is applicable on contracts of any dollar amount. In the author’s opinion, the smallest-dollar contracts; and the smallest companies, likely drive the highest risk under the 7012 regs.

Commercial tech startups entering via SBIR, small service- and training- oriented firms, etc., are the least likely to be aware of the 7012 requirements and conversely the most likely to be unknowingly breached absent robust IT and personnel security controls usually resident in larger organizations. Smalls may be held liable for their own breaches that result in larger program compromise (analogous to the Target breach). Consequences could include rescission of payments from DoD to the prime contractor; or even legal liability. Thus, it pays the large primes in deferred risk to generously dialogue with their subcontractors: publish a policy, share operational methodologies where appropriate, and perhaps most importantly, listen in conversation. It may not be the smalls’ vulnerability that you pick up on, but your own, highlighted to you in an operational issue. Smalls can be the canary in a coal mine with roll off benefits to the entire chain.

Part Two will cover why the seemingly most reasonable solution for businesses may be the most dangerous to them, and how contractors may be playing with fire as they attempt to transfer risk with insurance instruments.

Ms. Larisa Breton, MPS, is President of FullCircle Communications, LLC, a consultancy focused on integrated communication; as well as a published academic whose work has appeared in the Small Wars Journal and the Journal of Information Warfare