The COVID-19 pandemic has disrupted operations across the globe as government agencies and corporations grapple with the implications of remote work, workforce and workplace limitations, and employee health and safety. But while this worldwide crisis has introduced new complexities and challenges, it also has presented an opportunity for hackers seeking to capitalize on the pandemic to maximize the impact of cyber attacks on government and private sector infrastructure. We expect nation states’ and criminal groups’ activity to increase as they target newly vulnerable remote employees and IT teams distracted by the dramatic increase in usage.
For example, the U.S. Health and Human Services Department recently suffered a cyber attack from what it suspects was a foreign nation state seeking to undermine the U.S. response to COVID-19. Similarly, the Brno University Hospital in the Czech Republic experienced a cyber attack that forced the hospital to shut down its entire information technology network temporarily.
In light of these and other cyber incidents, we have identified five “best practices” for government contractors navigating these uncharted waters. Given the significant impact that COVID-19 has already had on business continuity, government contractors should take the time now to assess their cyber preparedness and their plan to respond to and report a cyber incident. Although contractors may not be able to eliminate the risk of a cyber attack, through proactive measures designed to facilitate expeditious and efficient cyber incident reviews and disclosures, contractors can at least ensure that they have procedures in place to respond swiftly to cyber incidents, even during these challenging times.
1. Know your disclosure obligations. Although there is no universal federal law requiring government contractors to disclose cyber attacks or cyber incidents, government contractors performing contracts with the U.S. Department of Defense (DoD) generally are required to comply with DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This clause requires contractors to provide “adequate security” for information technology systems, defined as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” It also requires contractors to “rapidly report” – i.e., within 72 hours – any “cyber incident,” which is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein,” after conducting a review for evidence of compromise.
In addition to this DoD requirement, many other federal agency contracts include cyber reporting requirements. Government contractors should be familiar with all such disclosure obligations in their federal contracts and subcontracts. In addition, contractors should review disclosure requirements at the state level to determine their relevance and applicability. All fifty states have data protection laws in place, and they generally all require disclosure when cyber incidents compromise personally identifiable information (e.g., Social Security numbers).
2. Investigate cyber incidents carefully and deliberately before disclosure.
DFARS 252.204-7012 requires cyber incident reviews to, at a minimum: (1) identify “compromised computers, servers, specific data, and user accounts”; and (2) analyze “covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support.” Conducting such detailed reviews can be time-consuming and difficult to accomplish within the DFARS’ 72-hour disclosure window. This is especially true during global crises such as the COVID-19 pandemic, when workforce and workplace limitations increase the difficulty of mobilizing resources and rapid communication and responses.
Fortunately, the 72-hour disclosure window in DFARS 252.204-7012 is triggered only after the “discovery of any cyber incident.” Thus, while still moving quickly and deliberately, contractors can (and should) take the time necessary to complete a reasonably diligent investigation to determine whether a cyber incident, as defined in the clause, has actually occurred, before any disclosure obligation arises.
3. Obtain a Medium Assurance Certificate. In the event a cyber attack occurs and the ensuing cyber incident review results in a determination that disclosure is legally required, government contractors must report the cyber incident to DoD by completing the form at https://dibnet.dod.mil. Before a contractor can make such a disclosure, however, it must have a Medium Assurance Certificate issued by one of the External Certification Authorities approved by DoD (https://public.cyber.mil/eca/). Contractors with active facility security clearances are likely to already have this capability but, in any event, it is prudent for all contractors to check. For those without the certificates in hand, it would be prudent to obtain the required certification in advance of a cyber incident, to avoid unnecessarily delaying submission of a cyber incident report.
4. Compile inputs in advance for cyber incident reports. When submitting a cyber incident report to DoD, contractors must provide certain information for each affected contract and subcontract, including: contract and subcontract numbers, clearance levels, contracting officer contact information, and government program manager contact information. Compiling such information can be difficult under ordinary circumstances, but may be especially difficult during crises such as the COVID-19 pandemic due to workplace and workforce limitations and communication impediments. Contractors should maintain a database of contract and subcontract information that they can easily leverage in the event of a cyber incident.
5. Revisit communication and cyber response protocols. Government contractors should maintain standard operating procedures for communications, including disclosures, and decision-making related to cyber incidents. These procedures should identify specific individuals with responsibility for particular actions, identify required approvals, and otherwise provide sufficient detail to ensure the company can respond swiftly to a cyber incident. Given the impact that the COVID-19 pandemic has already had on business continuity and operations, government contractors should revisit their existing procedures to ensure that they remain feasible in light of remote work, workforce and workplace limitations, and employee health and safety precautions.