Category Archives: Cybersecurity


Achieving Cyber-Fitness In 2017: Part 2—Looking Beyond The FAR And DFARS— Other Safeguarding And Reporting Requirements

Reprinted from The Government Contractor, with permission of Thomson Reuters. Copyright © 2017. Further use without the permission of West is prohibited. For further information about this publication, please visit http://legalsolutions.thomsonreuters.com, or call 800.328.9352. In Part 1, we discussed the cybersecurity requirements applicable to federal contract information under Federal Acquisition Regulation 52.204-21(b)(1) and covered defense information …

Achieving Cyber-Fitness In 2017: Part 1—Planning For Compliance

Reprinted from The Government Contractor, with permission of Thomson Reuters. Copyright © 2017. Further use without the permission of West is prohibited. For further information about this publication, please visit http://legalsolutions.thomsonreuters.com, or call 800.328.9352. It is a new year, which means New Year’s resolutions for roughly 50 percent of Americans. Most vow to lose weight …

New York State Department of Financial Services Cybersecurity Regulation Poised to Reshape Existing Regulatory Landscape

In late December, New York State’s Department of Financial Services (“DFS”) released its revised proposed cybersecurity regulation (the “DFS Rule”). While the revisions pare back some of the DFS Rule’s original requirements and add some much needed flexibility, the regulation will still impose many new obligations upon a wide array of financial institutions doing business …

New York State Department of Financial Services Proposes Cybersecurity Regulations for Financial Services Companies

If the New York State Department of Financial Services (“DFS”) has its way, come January 1, 2017, financial services companies that require a form of authorization to operate under the banking, insurance, or financial services laws (“Covered Entities”) will be required to comply with a new set of comprehensive cybersecurity regulations aimed at safeguarding information …

Insider Threat Programs – A New Challenge for Cleared Contractors

On May 18, 2016, the Department of Defense issued Conforming Change 2 of the “National Industrial Security Operating Manual” (“NISPOM”). NISPOM Change 2 requires all U.S. government contractors who require access to U.S. classified information to implement an Insider Threat Program (“ITP”) that will gather, integrate and report relevant information related to potential or actual …

SEC Steps Up Cybersecurity Enforcement with $1 Million Fine Against Morgan Stanley

The Securities and Exchange Commission’s (“SEC”) recent $1 million settlement with Morgan Stanley Smith Barney LLC (“MSSB”) marked a turning point in the agency’s focus on cybersecurity issues, an area that the agency has proclaimed a top enforcement priority in recent years. The MSSB settlement addressed various cybersecurity deficiencies that led to the misappropriation of …

It’s Arrived! FAR Final Rule Addressing “Basic Safeguarding of Contractor Information Systems”

After nearly four years of planning and comments, DoD, GSA, and NASA issued a final rule today amending the Federal Acquisition Regulations (“FAR”) with a new Subpart 4-19 and a new contract clause 52.204-21 addressing the basic safeguarding of contractor information systems. Applicable to all acquisitions, including commercial items other than commercial off-the-shelf items (“COTS”), …

To Share or Not to Share (with the Government)? That is the Question: DHS Announces Interim Guidelines for Sharing Cyber Threat Indicators

On February 16, 2016, Secretary of Homeland Security Jeh Johnson announced interim guidelines and procedures for sharing cyber threat indicators under the Cybersecurity Information Sharing Act of 2015 (“CISA”). Because the guidelines are voluntary, the next question is, should your company share information with the Government? …

DoD Reveals its Cybersecurity Discipline Implementation Plan (or How 1940s War Department VD Training Can Help Your 21st Century Cyber Hygiene)

“If our country is to successfully defend our right to live the American way, it needs every one of you, and requires you in the best possible condition. Any [company] who willfully, or through neglect fails to maintain [their systems] in this condition is a ‘shirker’ who is throwing an extra burden on his comrades …

Department of Defense Provides Government Contractors a Grace Period for Compliance with Key Cybersecurity Requirements

In response to industry concerns and comments, on December 30, 2015, the Department of Defense issued a new interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules promulgated in August. Specifically focusing on provision 252.204–7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident …

It’s (Not) Academic: Cybersecurity Is a Must for Universities and Academic Medical Centers

Cutting-edge research institutions need cutting-edge cybersecurity to protect their IP and critical personal and financial data. Universities hold vast repositories of valuable information, including student healthcare information, patient information from academic medical centers, and financial and personal data from applicants, donors, students, faculty, and staff. So it’s no surprise hackers have been targeting universities lately—in …

Have DoD Contractors and Subcontractors Been Drafted? Once Voluntary Defense Industrial Base CS/IA Regulations Now Mandatory and Aligned With New DFARS Cybersecurity Rules

When last we left the Department of Defense, it had issued a rather wide-reaching interim DFARS rule addressing cybersecurity practices, data retention, and cloud services purchasing guidance. Now, effective October 2, 2015, before the ink can dry on those nascent rules (comments are due October 26, 2015), the DoD has applied them to all DoD …

DoD Addresses Cybersecurity Preparedness, Incident Reporting, and Cloud Computing Acquisitions with new DFARS interim rule

Announced and effective today, August 26, 2015, DoD has issued an interim rule that significantly expands existing DFARS provisions and clauses requiring contractors and subcontractors to report cyber incidents. The interim rule will apply “to all contractors with covered defense information transiting their information systems,” an estimated 10,000 contractors. Additionally, in an effort to ensure …

Ransoming Sensitive Personal Information: Will OPM’s Data Breach Trigger Your Insider Threats?

Perhaps it’s the books I’ve been reading or the television shows I’ve been watching, but my mind can’t seem to stop linking the recent barrage of cybersecurity attacks with those ne’er-do-wells that plagued the Caribbean from 1650 through the 1730s. Yes, I’m talking about pirates, but not the Errol Flynn/Johnny Depp-style buccaneer, more the Edward …

ALERT: NIST Issues Final Guidance on Federal Contractor Cybersecurity Standards for Controlled Unclassified Information

On June 19, 2015, the National Institute of Standards and Technology (“NIST”) published the final version of guidance for federal agencies to ensure sensitive information remains confidential when stored outside of federal systems. The guidelines, Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, apply to nonfederal information systems and organizations …

Another Prologue to Cybersecurity Regulations: Controlled Unclassified Information (“CUI”) – What Contractors Need to Know and Why They Should Care

Government contractors should take note of a proposed new rule that could impose significant new data storage obligations when finalized. The Federal Government is taking another baby-step towards cybersecurity regulation with a proposed rule intended to standardize protocols relating to designating and safeguarding unclassified information that is to be withheld from public disclosure (also known …

Department of Defense Updates Its Instruction for Acquisitions of Software and Weapons Systems

On January 7, 2015, the U.S. Department of Defense (“DoD” or “the Department”) released an update for DoD Instruction 5000.02, on the “Operation of the Defense Acquisition Service.” The new Instruction is designed to assist acquisition personnel in tailoring the acquisition process to the specific item or system being purchased and to further the Department’s …

Cyber-Breach & NISPOM Conforming Change 2 – It’s What’s on the Inside That Counts

Most companies are worried about external threats – things that are coming at their people, their group, their company, their government, all from an outside actor. Like governments with an eye on counter-intelligence, however, savvy businesses also realize that their employees can pose a very real, internal threat. While an insider breach is not …

Shopping for the Cloud Made Easy – GSA’s Special Item Number Project for Cloud Computing and Request for Comments

On November 18, 2014, the General Services Administration (“GSA”) hosted an Industry Day seeking feedback on its proposal to add a Cloud Computing Special Item Number (“SIN”) on its IT Multiple Award Schedule 70 (“MAS IT-70”). A SIN is GSA’s categorization method that groups similar products, services, and solutions together to make the acquisition process …

The Cybersecurity Race: Executive Branch Takes The Lead While Congress Watches From The Bleachers

The federal government sector has been abuzz lately with whispers and shouts about pending cybersecurity regulations, frameworks, and requirements. This attention is not particularly surprising, especially given the recent high-profile data breaches, the litigation threats surrounding those breaches, the recent identification of the encryption-disabling, consumer data threatening “Heartbleed SSL” OpenSSL vulnerability, and recent reports that …

Robert Frost and Cybersecurity – Two Roads Diverging

Like Frost’s nameless traveler in “The Road Not Taken,” our Government finds itself confronted with two diverging roads in the cybersecurity realm. The first offers moderation, deliberation, and evolution. The second, speed. Frost expressed regret that he could travel but one road. Armed with taxpayer dollars, our Government is not so constrained and, devoid of …

New Laws and Firewalls – Summer 2013 Cyber Security Round-up

Over the first half of the year there has been a lot of activity surrounding government efforts to confront growing concern over “Cybersecurity.” This flurry of activity comes in the wake of two years during which lawmakers have been unable to define legislatively what, exactly, “cybersecurity” is, what it means, and how it should be …