2014 Intelligence Authorization Act Imposes New Cybersecurity Requirements, and Anticipates New Regulations, for IC Contractors
Congress has placed significant new network and system security requirements upon federal intelligence community (IC) contractors with the passage of the 2014 Intelligence Authorization Act.[1] The Act imposes new requirements for internal controls, security planning, and breach disclosure. Contractors must be aware of these new requirements as they are implemented through regulation.
First, the Act requires that the Director of National Intelligence (DNI) develop procedures for the reporting by contractors of any “penetration” of IC networks or information systems. Second, the Act mandates that, going forward, all IC contracts and contract renewals contain a clause requiring the development and operation of a network and information security plan by each cleared contractor with access to classified information.
These requirements parallel similar regulations the Department of Defense (DoD) is developing for DoD contractors.[2] Previous DoD regulations regarding the security of networks that process unclassified controlled technical information raised several challenging implementation issues, most notably in their vague definition of what constitutes “adequate” cybersecurity measures.[3] For the IC community, however, such regulations have yet to be written. Thus, IC contractors will have an opportunity to offer comments on any DNI proposal and may be able to help construct clearer, more concrete standards than those offered by DoD thus far.
Cyber Incident Reporting
Section 325 of the Intelligence Authorization Act requires each cleared IC contractor, under procedures to be established by DNI, “to rapidly report to an element of the intelligence community... each successful penetration of the network or information systems of such contractor” that meets criteria established under the new procedures. A “covered network” under this rule is any “network or information system of a cleared intelligence contractor that contains or processes information created by or for an element of the intelligence community with respect to which such contractor is required to apply enhanced protection.” The statute does not define which “system penetrations” must be reported, but the Act’s description of the required report contents offers some guidance. The Act requires that each penetration report contain: (1) a description of the method or technique used in the penetration; (2) a sample of the malicious software, if it is discovered; and (3) a summary of any information that has potentially been compromised.
The provision also requires that the DNI establish mechanisms by which IC personnel can obtain access to contractor equipment or information to conduct a forensic analysis. In an apparent attempt to limit exposure of the contractor’s proprietary information, however, the contractor need only provide access for the purpose of “determin[ing] whether information created by or for an element of the intelligence community in connection with any intelligence community program was successfully exfiltrated from a network or information system of such contractor and, if so, what information was exfiltrated.” The access provision requires that the DNI procedures provide for the protection of trade secrets, commercial and financial information, and personally identifying information. The procedures also must prohibit the dissemination of information obtained in the course of responding to any cyber incident outside of the intelligence community, except with the approval of the contractor, to specific Congressional committees, or to law enforcement in connection with the investigation of a specific breach.
Network and Information Security Planning
In addition to the disclosure procedures, Section 502 of the Act requires that DNI, in consultation with the elements of the intelligence community, ensure that any contractor with access to “a classified network or classified information” develop and operate a security plan. The provision does not offer any substantive requirements for such a plan, but only requires that DNI establish security planning standards “for intelligence community networks.” The provision does, however, require that “insider threat detection capabilities and insider threat policies of the [IC] apply to facilities of contractors with access to a classified network.” Once those standards are established, the Act also requires that DNI conduct periodic assessments of each security plan to ensure it complies with them. The security planning requirement is prospective—it affects only future contracts or contract renewals entered into after enactment. But, going forward, any IC contract or contract renewal must contain a provision requiring that the contractor comply with DNI’s security and planning standards.
DNI Development of Procedures and Standards Under the Act
Overall, the procedures and requirements contemplated by the Act contain little detail. Most of the work is yet to be done. DNI now must craft both the cyber incident reporting procedures and the security planning standards contemplated by the Act. The reporting procedures must be established by DNI within 90 days after enactment (by the first week in October). However, DNI will not necessarily be starting from a blank slate. The Act recognizes that Section 941 of the 2013 National Defense Authorization Act contained a similar requirement for DoD contractors. The rule implementing that requirement is due on August 13, 2014.[4] The Intelligence Act requires that, within 180 days after enactment, DoD and DNI, together, establish procedures by which a cleared IC contractor and cleared DoD contractor may submit a single report to satisfy both reporting requirements.
The 2014 Intelligence Authorization Act does not otherwise require coordination between DNI and DoD. Accordingly, DNI’s proposed security standards for intelligence community networks and for contractor planning and operations need not parallel any security standards offered by DoD, or any other agency. Furthermore, IC contractors will have an opportunity, pursuant to DNI’s administrative process, to comment on any proposed standards.
See Case No. 2013-D018 (implementation of Section 941 of the NDAA for FY 2013), DFARS Open Cases Report at 8 (July 11, 2014), available here.
See Charles Blanchard, Ronald Lee, and Nicholas Townsend, “A Closer Look at the Department of Defense’s Cybersecurity Rule on Adequate Security and Cyber Incident Reporting,” Bloomberg BNA’s Privacy and Security Law Report (Mar. 17, 2014), available here; see also Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information (DFARS Case 2011-D039), 78 Fed. Reg. 69,273 (Nov. 18, 2013), available here (implementing DoD rule on network security for “unclassified controlled technical information”).