This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Comments on Cyber Incident Reporting (ABA Section of Public Contract Law) #48

Open
ABAPCLS opened this issue Sep 10, 2015 · 1 comment

Comments

@ABAPCLS

ABAPCLS commented Sep 10, 2015

American Bar Association Section of Public Contract Law
Comments on OMB’s Draft Guidance
“Improving Cybersecurity Protections in Federal Acquisitions”
Cyber Incident Reporting

The Section of Public Contract Law (“Section”) of the American Bar Association ("ABA") understands the need for and supports the draft guidance’s requirement that contractors provide reports to the Government of cyber incidents on systems being operated on behalf of the Government and, to the extent controlled unclassified information (“CUI”) is affected, cyber incidents on contractors’ internal systems. The limitation of the reporting obligations for internal systems to those incidents affecting CUI is consistent with the preexisting DFARS clause.[1] The Section believes, however, the draft guidance could be clarified in a number of areas.

The draft guidance does not define CUI or identify the marking requirements for CUI.[2] For contractors to protect CUI appropriately in accordance with National Institute of Standards and Technology Special Publication 800-171 and to ascertain effectively whether a cyber incident affects CUI within mandatory reporting timeframes, it is essential for the Government to identify and mark covered information as CUI. The Government needs not only to mark any CUI before it is shared with contractors, but also to provide clear direction to contractors who will generate information containing CUI. The Section encourages the Office of Management and Budget to clarify in the draft guidance that the reporting obligation applies only when appropriately marked CUI is affected.

The draft guidance also does not specifically address subcontractor reporting. The Section recommends that subcontractors be given the flexibility to report cyber incidents directly to the Government rather than through their prime contractors or higher-tiered subcontractors. Permitting this streamlined reporting function will avoid unnecessary delays in reporting up through contracting levels, and mitigate potential concerns about disclosure of proprietary information to prime and higher-tier contractors.

The Section recognizes that although tailored reporting requirements may be necessary to reflect varying priorities of particular agencies, agencies should nonetheless be strongly encouraged to comply with a common, streamlined reporting process to the extent practicable so that valuable time is not focused on ascertaining applicable requirements rather than mitigating any potential threat. Candidates for standard processes include timelines for reporting breaches, contents of reports, and designations of where to file reports. In particular, the draft guidance appears to require notices to multiple officials on every contract affected, which may provide little or no value while generating cost and reporting delays. The Section would encourage, to the extent available and feasible, that the agencies leverage existing centralized reporting mechanisms such as the Defense Industrial Base reporting system to minimize the costs and confusion associated with duplicative reporting. The Section believes that centralized reporting would promote coordinated response activities, whereas reporting to every potentially interested government official will delay and disperse the efforts to investigate, mitigate, and correct cyber incidents.

The Section would also encourage the final guidance to recognize that reporting should be an iterative process. The initial report should notify the Government of the cyber incident with follow-up as necessary to address the results of an assessment of the scope of the incident, mitigation of the disclosure, and corrective action to prevent reoccurrence.

Finally, the Section notes that some categories of CUI (e.g., information subject to the International Traffic in Arms Regulations (“ITAR”)) may not as a matter of law be governed or managed by the customer agency itself. Consequently, we recommend that the final guidance specify that any assessment of the consequences of a disclosure of such categories of CUI should remain the province of the agency responsible by law for the information (in the case of the ITAR, the State Department) and should be an independent matter for the contractor to assess and report upon as appropriate to that agency. In addition, mandatory cyber incident reporting should not obviate any protections afforded by such regulating agency’s voluntary disclosure programs.

[1] See DFARS 252.204-7012(d)(1).
[2] A pending rule from the National Archives and Records Administration (“NARA”), discussed in our separately posted comments on security controls, does identify a process for identifying and marking CUI.

The Section’s complete comments on OMB’s draft guidance are available in a consolidated pdf at http://www.americanbar.org/groups/public_contract_law/resources/prior_section_comments.html under the topic “Cybersecurity; Access to and Protection of Information.” The views expressed herein have not been approved by the ABA House of Delegates or the Board of Governors of the ABA and, therefore, should not be construed as representing the policy of the ABA. Mary Ellen Coster Williams, Section Delegate to the ABA House of Delegates, and Heather K. Weiner and Anthony N. Palladino, members of the Section’s Council, did not participate in the Section’s consideration of these comments and abstained from the voting to approve and send this letter.

@ABAPCLS ABAPCLS changed the title Comments on Cyber Incident Reporting (ABA PCLS) Comments on Cyber Incident Reporting (ABA Section of Public Contract Law) Sep 10, 2015
@BSATheSoftwareAlliance

BSA| The Software Alliance Comments on Incident Reporting Section of the Proposed Guidance:

Definition of cyber incident. The Proposed Guidelines define cyber incidents as “actions taken through the use of computer networks that result in a compromise or actual or potentially adverse effect on an information system and/or the information residing therein.” This definition is overly broad and applies to every situation regardless of the circumstances. We believe that a risk-based approach should be applied to determine what is an “incident” for the purpose of incident reporting. To ensure that agencies are not inundated with notices regarding immaterial attempts to compromise networks, the notification obligation should be defined on a case-by-case basis.

Required timeline. According to the Proposed Guidelines, contractual language must include a required timeline for first reporting to the agency. To ensure that agencies receive meaningful notifications in the event of an incident, it is critical that contractors are afforded adequate time to perform a thorough assessment to determine the scope of the security risk and prevent future disclosure. A reasonable timeframe should be given to contractors so that they can investigate the potential breach and report it, if appropriate. We strongly recommend that agencies be advised to refrain from establishing a specific timeframe to report incidents, as the uniqueness of the circumstances involved in each incident should be considered on a case-by-case basis. We suggest that contract language be required to include a provision stating that reporting should occur in a “reasonable time according to the circumstances” without reference to specific deadlines, e.g., a specific number of days.

Reporting on suspected incidents. The last paragraph of the section on “Reporting Cyber Incidents” is ambiguous, and we would appreciate it if it could be clarified. The language at the beginning of that paragraph seems to create an obligation to report on “suspected incidents,” but further down the same paragraph there is mention that “contractor does not have to report all known or suspected cyber incidents.” Reporting on suspected incidents would be counterproductive, as agencies would be overwhelmed by immaterial notices, causing action on actual incidents to be delayed and resources to be used inefficiently. We, therefore, recommend that language referring to suspected incidents be removed and that a “reasonable timeline” be given to contractors to report on incidents.

Thus, we recommend that the paragraph be amended as follows:

At a minimum, contractual language shall ensure that all known cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) within a reasonable timeline. All known cyber incidents in contractor internal systems must be reported if they involve the CUI in the system.
