There is a considerable number of discussions around the Cybersecurity Maturity Model Certification (CMMC). The majority of topics covered range from how the CMMC Accreditation Body (AB) is rolling out its training or how much will a certification cost an Organization Seeking Certification. Lest we forget the interim rule that threw in requirements to upload a self-scoring artifact to measure against the NIST SP:800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations”.
Also noteworthy is a large number of comments posted by a few disgruntled stakeholders that desire to throw shade on the CMMC ecosystem at large. But what is also noteworthy is a recently proposed piece of legislation under the Biden administration. Under this proposal, U.S. Government Contractors (GovCons) would be required to report breaches to the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA).
This approach has merit because of the footprint and charter that CISA has with industry at large. But there could be tangential matters to consider that may directly impact GovCons. If clause 252.204-7012 is applicable to your agreement with the Department of Defense, then you have a statutory reporting requirement in the face of a cyber incident.
““Cyber incident” means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” – DFARS
According to the Bradley law firm, there are multiple forms of cybersecurity incidents, including physical intrusions and network/system breaches. A physical intrusion can include direct access by an unauthorized person to controlled facilities, documents or computers. This can include criminal break-ins or theft of equipment.
A network/systems breach is typically a remote online intrusion, often conducted for the purpose of economic espionage, insertion of malicious software, cloud-based attack or market disruption. Some nation states engage in political espionage and virtual trade disputes. Others actively engage in cyberwar against geopolitical targets.
When a cybersecurity incident is identified, the GovCon has 72 hours to notify the Department of Defense. Okay, but what about CISA? Will the DFARS be amended to include? Will the CMMC-AB amend its training to ensure assessors look for CISA in the incident response plans?
So now you have notified DoD and potentially DHS, is your scope of responsibility over? Not even close (potentially). Did the breach impact files associated with your employees, client or business partners (names, addresses, emails, telephone numbers, etc.)? Other questions GovCons should be asking themselves. “Do I have 1st and 3rd party cyber liability insurance?” If yes, are they part of your incident response plan process? Are those that are helping U.S. citizens only? Have background investigations been executed on any responding personnel? Imagine the joy of communicating with your DoD TPOC or COTR that personnel not approved by them just accessed a system with FCI and/or CUI.
Did you know that the fact a contract with DoD (or any federal department/agency) does not specifically call out actions to notify beyond the DIBNET portal does not alleviate your legal obligation to notify State Attorney Generals? Each state has its own “trigger” that requires a duty to notify the affected citizens and/or the Attorney General for each state. To better understand what is required for each State, the law firm Foley and Larder has assembled a cheat sheet.
So, when you consider who you must notify, who is first, and the impacts of using resources provided by insurance companies, it reminds me of the Abbot and Costello routine of “Who’s on First?”.