Removing barriers to threat information sharing

In the aftermath of the events of 9/11, the independent 9/11 Commission found that federal agencies were not sufficiently sharing potential threat information that might have allowed law enforcement to stop the attacks. The commission recommended a significant overhaul of intelligence and law enforcement agencies to remedy this weakness. This also included policies about sharing information regarding cybersecurity threats.

The Executive Order on Improving the Nation’s Cybersecurity, issued May 12, expands the information sharing environment to include government contractors. To implement Section 2 and remove barriers to sharing information, the EO mandates changes to the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement to allow contractors to report cyber threats and incidents to the Cybersecurity and Infrastructure Security Agency, the FBI and other elements of the Intelligence Community.

“It’s because the threat landscape has escalated,” said Karen Evans, the former administrator of e-government and IT at the Office of Management and Budget during the George W. Bush administration. “And [our] security … was built on an older model.”

Michael Daniel, former special assistant to the President and cybersecurity coordinator, now the president and CEO of the Cyber Threat Alliance, noted that agencies, for the most part, should not be responsible for their own cybersecurity, so it makes sense to include the contractors best suited to provide that service.

“If you wind the clock back to the ’90s and Clinger-Cohen, every agency was responsible for its own cybersecurity, because we treated cybersecurity as an extension of IT,” Daniel said. “We’ve been on a journey the past 25 years of slowly but steadily centralizing certain parts of IT [and] certain parts of cybersecurity. This executive order pushes the government further down this path. The truth is, for most agencies cybersecurity is not their core competency.”

The EO directs that changes to the FAR and DFARS require information and communications technology (ICT) service providers to collect, preserve and share information relevant to “cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control,” both with their customer agencies and federal cybersecurity investigative agencies designated by the director of the Office of Management and Budget. This includes collaborating on investigations of and responses to cyber incidents or potential incidents on government IT and OT systems.

Equally important, the ICT service providers “must promptly report” to all these agencies when they discover a cyber incident either involving their own software or service, or a support system for software or a service they are providing to client agencies. Federal law enforcement and intelligence agencies are to develop a “graduated scale of severity” for cyber incidents; reporting on the highest-level incidents must be done within three days of initial detection.

Evans said this is, in part, a response to the SolarWinds hack that the company told the Securities and Exchange Commission could affect 18,000 of its customers, including multiple federal agencies and many Fortune 500 companies. The hack appears to have happened in March 2020, but wasn’t discovered until December of that year – not by SolarWinds, but by one of its clients, the cybersecurity firm FireEye. Experts have raised questions about when SolarWinds discovered the hack, after company executives sold much of their holdings before the news became public.

CISA later stated in January that “a much smaller number” than the 18,000 customers who could potentially have been affected were actually compromised, including “fewer than 10 U.S. government agencies that fall into this category.” Similarly, SolarWinds itself stated in May that the number of customers who were actually hacked was fewer than 100.

Evans said this part of the EO will encourage corporate boards of directors and service providers with government customers to reassess their own risk profiles.

This also will have ripple effects on “critical infrastructure industries,” she said. While other hacks, such as the exfiltration of veterans’ personal information from the Department of Veterans Affairs, affected many thousands, the Colonial Pipeline ransomware attack was the first to demonstrate on a large scale the potential to harm the general public.

Table of Relevant Deadlines Set in Section 2

Section 2 sets several deadlines for immediate action, with other deadlines following their completion.

| Deadline | Action required by | Outcome |
|---|---|---|
| 60 days | Director of OMB; Secretary of Defense; Secretary of DHS; Attorney General; DNI | Review FAR and DFARS and recommend updates to contract language for IT/OT service providers to the FAR Council |
| 120 days | Secretary of DHS; Director of OMB | Take “appropriate steps” to ensure data is shared with agencies, CISA and the FBI to respond to cyber risks, threats and incidents |
| 45 days | Secretary of DHS; Secretary of Defense/NSA; Attorney General; Director of OMB | Recommend to the FAR Council contract language that specifies the kinds of incidents, types of data, time periods, and types of contractors and service providers covered, among other measures |
| 90 days | Secretary of Defense/NSA; Attorney General; Secretary of DHS; DNI | Jointly develop procedures for ensuring cyber incident reports are promptly and appropriately shared among agencies |
| 60 days | Secretary of DHS/CISA; Secretary of Defense/NSA; Director of OMB; Administrator of GSA | Review agency-specific cybersecurity requirements and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements |
