The Cybersecurity Framework: Administration, Congress move to incentivize private-sector cooperation, strengthen federal acquisition process

The White House has announced its eight preliminary incentives to encourage private sector owners and operators of critical infrastructure (CI) to adopt the final Cybersecurity Framework, now under development by the Administration.

And in the meantime, a report from the Department of Defense and the General Services Administration, still in draft form, addresses incentives and other cybersecurity issues in the federal acquisition process.

These are among the latest developments around the ongoing implementation of President Barack Obama’s cybersecurity Executive Order (EO), which aims to broadly improve cybersecurity within organizations that operate CI and their contractors. 

The EO requires the National Institute of Standards and Technology (NIST), an agency of the Commerce Department, to closely coordinate with owners and operators of CI in developing a voluntary risk-based Cybersecurity Framework which will provide standards and guidelines on how to improve cybersecurity and reduce cybersecurity risks to information technology and operational technology. The deadline for the Framework is February 2014; however, NIST released a draft of the Preliminary Framework in September this year in advance of the Preliminary Framework’s deadline of October 12.  We will have a further alert on the Preliminary Framework in the coming weeks.

Today we focus on the incentives being created to prompt cooperation with the Framework.

1. THE EIGHT INCENTIVES TO ENCOURAGE ADOPTING THE FRAMEWORK

The EO, released in February 2013, requires the Secretaries of Homeland Security, Commerce and Treasury to provide recommendations on incentives that federal agencies can offer to encourage CI owners and operators to adopt the final Cybersecurity Framework. Once the Framework is finalized, DHS will develop a Voluntary Program to encourage CI owners and operators and other entities to adopt the Framework, including by offering incentives.

These incentives are a key feature of the Executive Order to drive adoption in the absence of regulatory authority and, if successful, could prove more effective than regulation at driving better cybersecurity practices. The incentives initially recommended by DHS, Commerce and Treasury varied. In August, the White House selected eight incentives that will be the focus of further development by the Administration, the appropriate federal agencies, CI owners and operators and other private sector entities. The White House incentives were released in the form of a blog post by Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, with the caveat that these incentives are not final and will continue to be refined as implementation of the EO proceeds.

Depending on how the incentives evolve and whether Congress acts on legislation that authorizes incentives that require a change in law, the incentives could be a key mechanism for reducing the costs of Framework adoption for organizations that decide to comply with it - or the incentives could be largely symbolic due to limited utility to a significant portion of the CI sectors. Cost effectiveness was a key requirement for the Framework under the EO. While it appears that the Framework will avoid imposing prescriptive mandates, by the same token, it will likely leave it to individual entities to figure out how to implement the Framework in a cost effective manner.

As Mr. Daniel discusses in his blog post and as highlighted in the three departments’ recommendations, some of the incentives can be implemented by agencies using the agencies’ existing authority, while other incentives will require legislation or “further maturation” of the Framework before the precise parameters can be established.

Cybersecurity insurance and liability protection incentives

Cybersecurity insurance is at the top of the White House incentives list. It reflects the Administration’s growing interest in fostering a robust cybersecurity insurance market to address risk, especially in the absence of Congressional action on liability protections. The White House and NIST hope to engage the insurance industry in discussions during development of the Framework in order to promote risk reducing practices and risk-based pricing. As noted above, the Administration hopes the availability of a robust cybersecurity insurance and risk management market (primarily through the private insurance market) will be one of the many tools available in promoting cost effective adoption of the Framework.

DHS’s recommendations to the White House in this area provide some insights into the potential segue between cyber insurance and liability protection by tying a statutorily created liability protection to adoption of the Framework and purchase of cybersecurity liability insurance - both actions that should mitigate the effects of cyber risk.  However, the White House presented liability protection and cybersecurity insurance as separate and distinct incentives.

The White House liability incentive identifies reduced tort liability, limited indemnity, higher burdens of proof or creation of a federal legal privilege that preempts state disclosure requirements as potential levers.  The White House discussion notes that the federal agencies providing input on the incentive indicated that more information is needed on whether liability protection would lead to broader adoption of the Framework.

The White House liability limitation incentive is significantly narrower than the liability protections included in many other earlier proposals: the Lieberman-Collins bill (112th Congress), CISPA (112th and 113th Congresses), SECURE IT Act (Representative Marsha Blackburn, R-TN, in 113th Congress; Senators John McCain, R-AZ, and Kay Bailey Hutchison, R-TX, and Representative Mary Bono Mack, R-CA, in 112th Congress), the Whitehouse-Kyl draft compromise (112th Congress) and the House Homeland Security Committee Discussion Draft (113th Congress).

The Department of Treasury has proposed further study of statutory protections, including a rebuttable presumption that an entity had exercised duty of care that could be established in a civil lawsuit for an entity that adopted the Framework. 

The Department of Commerce has recommended a study of the legal and financial risks CI owners and operators face from tort liability.  It also called for a determination of whether cyber insurance or statutory liability protections for an entity that has adopted the Framework or portions of it could provide adequate protection in the event that a cyber incident causes damage.

Make compliance easier by streamlining regulations

Consistent with explicit requirements under the EO to reduce regulatory duplication and burdens, the White House included recommendations from agencies to make compliance with the Framework easier by eliminating overlap among existing laws and regulations. Although adding this incentive is largely symbolic, the elimination of legal and regulatory duplication and conflict remains a top priority for the private sector.

DHS went even farther than the White House in specifically recommending streamlining information security requirements, both domestically and internationally.  The specific focus on streamlining data security rules again goes beyond the general White House incentive for streamlining regulations.  We plan to watch the developments in this space, especially on the international level, in the context of the US-EU trade negotiations and the proposed EU Cybersecurity Directive.

Further, the Department of Treasury recommended clarifying the rules and guidelines on information sharing in order to assuage private sector concerns about the reputational, legal or competitive consequences of cyber-threat information sharing.

Process preferences incentive

The White House incentives also include providing preferences to entities that adopt the Framework. The precise form of these preferences will be further examined by the Administration and existing programs where preferences may be helpful to drive adoption of the Framework will be identified. The White House has concluded that agencies have adequate authority under existing law to use the preferences incentive.  One form of preference the White House did specifically mention: agencies would provide prioritized technical assistance to companies that adopt the Framework in addressing non-emergency cybersecurity incidents.

Although not specifically mentioned in the White House incentive, DHS recommended including a requirement for Framework adoption for federal IT and communications technology providers and for other contracts including for essential services. Similarly, in June DOD and GSA recommended baseline cybersecurity requirements in acquisitions, which are discussed in Part 2 of this update, below.

Cybersecurity R&D incentive

As the Framework has developed, it has become clear that some problems cannot be addressed because defensive cybersecurity technical solutions are not sufficiently developed. The White House, therefore, has included an incentive to promote R&D to seek commercial solutions for such gaps. The Department of Commerce recommendations included a fast-track patent pilot for R&D intensive critical infrastructure companies that have adopted the Framework.

Other White House incentives

The final two White House incentives are of more limited applicability. They are:

  • tying federal grant programs to adoption of the Cybersecurity Framework, and
  • allowing price regulated utilities to recover cybersecurity investments through their rates.

The White House will continue a dialogue on rate recovery with federal, state and local regulators and sector-specific agencies.

2. CYBERSECURITY IMPROVEMENTS TO THE FEDERAL ACQUISITION PROCESS

Another deliverable under the EO that was due in June of this year was for DOD and GSA to issue a report on improving cybersecurity through the federal acquisition process. The report (still in draft form) identifies very basic security protections such as “updated virus protection, multi-factor logical access, methods to ensure confidentiality of data, current software patches . . .” as baseline technical requirements that should be conditions of contract awards for acquisitions that present cyber risks, not only in the services and information and communications technology (ICT) products sold to the government but also by contractors in their own operations. The recommendations are to be “harmonized” with the ongoing Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) rulemakings on information systems.

As background, the Proposed Rule on Basic Safeguarding of Contractor Information Systems, published in the Federal Register on August 24, 2013, seeks to amend the FAR to add a new subpart – 4.17, Basic Safeguarding of Contractor Information Systems – and a new contract clause for the basic safeguarding of contractor information systems that contain information provided by, or generated for, the government (other than public information) that will be resident on or transiting through contractor information systems.

However, as we noted in our March 2013 Cybersecurity Alert, Cybersecurity and US federal public procurements: what contractors need to know, the GSA already has one of the most comprehensive contract clauses addressing cybersecurity. The GSA clause, GSAAR 552.239-71, imposes significant obligations upon contractors by requiring contractors to afford the GSA access to the contractor’s and subcontractors’ facilities, installations, operations, documentation, databases, IT systems and devices, and personnel used in performance of the contract, regardless of the location. Such access is to be provided to the extent required in the judgment of the GSA in order to conduct an inspection, evaluation, investigation or audit (including vulnerability testing), to safeguard against threats and hazards to the integrity, availability and confidentiality of GSA data and to preserve evidence of computer crime.

Contractors, as a practical matter, are well advised to become familiar with the April 30, 2013, NIST Special Publication 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations. This 457-page report continues to be the most comprehensive update on core information security controls, and addresses cybersecurity standards for mobile and cloud computing technology as well as supply chain protection, advanced persistent threats and privacy controls for federal agencies and contractors. Notably, this NIST report was favorably received by both the Department of Defense and the Office of the Director of National Intelligence, a good indicator that federal contractors can expect FAR and DFARS rulemaking to implement the new and expanded security standards outlined by NIST.

The DOD and GSA report also recommended using standardized government-wide cybersecurity requirements for similar types of acquisitions. Consistent with recent Congressional hearings on the federal supply chain, the report recommends a limitation across the federal government to allow purchases only from “OEMs, their authorized resellers, or other trusted sources” in order to provide protection against inauthentic or counterfeit products, which increase cyber risk. Implementation of this recommendation may not be easy, though, because the mandates of the Competition in Contracting Act (“CICA”) require the federal government to balance this legitimate concern against the requirements for full and open competition.

In this regard, the federal government is compelled to avoid imposing overly restrictive requirements which unreasonably operate to limit competition and reduce the competitive field, particularly when there are other methods to verify that an offeror’s products are authentic and meet required cybersecurity standards. 

Finally, the DOD and GSA report notes that demand for more secure ICT products and services in the broader market will have a greater impact on the nation’s cybersecurity than changes to the FAR.

In the coming weeks we will report on other developments around the Cybersecurity Framework. Please watch for our next alert.