As a Government Contracts consultant I frequently interact with clients concerning various requirements in their contracts. Often this means interpreting the requirement(s) and advising my client with respect to what they are contractually obligated to do so as to comply with various requirements. Often this leads me down rabbit holes – and as Lewis Carrol once described – an entirely new reality. Nowhere has this been as true as it is – and continues to be – in the realm of what is broadly termed #Cybersecurity.

First of all let me say I am no newcomer to the overall goals of cybersecurity which – in turn borrows on two concepts I am intimately familiar with: risk management and classified (or limited distribution) information. After all, when I retired from the Air Force some years ago it was from the position of Chief, Plans Division and I wrote classified war plans for a living. So for me to wrap my head around the basics of cybersecurity has not been a huge stretch except for the incessant tendency of people to make up new words to describe existing concepts see my article “The Tyranny of the Cybersecurity Lexicon”

What is the threat/risk?

When the government published rules concerning cybersecurity I was naturally interested in the topic. The overarching risk to be abated was clear – loss of critical technology to adversaries. But as a risk manager I needed to drill down to identify specific risks that could be catalogued, quantified, and assessed. It his here where the #cybersecurity people miss a step in the process – they simply assume a certain set of risks for all without actually addressing the underlying central pillar of security which is to identify and guard against specific threats as opposed to all threats.

It is virtually impossible to live in a risk free environment and even were it possible the costs – both financial and procedural would be unacceptable.

One need look no further than current attempts to stem the spread of COVID to see that the safeguards sometimes extract unacceptable social and economic costs. Therefore the time honored solution is to achieve a reasonable (and acceptable) level of risk e.g., a risk appetite at an ‘affordable’ price. Doing so we recognize the trade-offs involved in the process and can make intelligent and informed decisions.

It is in this realm where the current Cybersecurity construct is (in my opinion) most seriously flawed as we simply are asked to dive in head first into NIST 800-171 and begin the 110 item assessment without context to our environment. So, perhaps it is time to put the cart back in front of the horse and take a business oriented vs. a technocratic approach to addressing the problem.

Standards Without Context

The Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) both establish certain cybersecurity requirements for potential government contractors. They booth seek to protect the inadvertent disclosure of government data although they lack a certain congruence that would help remove many of the ambiguities that I as a contracts person find so hard to deal with.

The FAR and DFARS address protection of two ‘separate’ but interrelated classes of information.

The FAR discusses protection of Contractor Information Systems ‘Federal Contract Information’ i.e., information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. While this seems pretty clear the FAR sidesteps the related issue of Controlled Unclassified Information (CUI), sensitive information that laws, Federal regulations, or Government-wide policies require or permit executive branch agencies to protect. The DFARS on the other hand specifically addresses CUI in their clause 252.204.7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.

Where this gets messy is that one definition of CUI “is information that the government creates or possesses, or that an entity creates or possesses for or on-behalf of the government. It also needs to fit into a category that the United States Federal Government identifies as needing special safeguarding or dissemination controls.” (see article here: https://www.cmmcaudit.org/dfars-252-204-7012-assessment-800-171/) so now we see the first of many potential ambiguities – Federal Contract Information (FCI) is called out in the FAR for special treatment to protect it from unauthorized disclosure but fails to label it as “CUI”. So is FCI a sub-class of CUI and if so why does the FAR only require 17 of the 110 NIST 800-171 requirements for its protection?

The above is separate and distinct in my estimation from what the National Archives (who is the CUI Office of Primary Responsibility) designates as CUI//SP-PROCURE which is defined as: “Material and information relating to, or associated with, the acquisition and procurement of goods and services, including but not limited to, cost or pricing data, contract information, indirect costs and direct labor rates.” Included in this category is proprietary technical data included in contractor proposals and requiring protection from release as discussed in FAR 3.104-4 Disclosure Protection and Marking of contractor bid or proposal information and source selection material.

What do I protect and from what risks?

Now we get to the quintessential nexus of the Cybersecurity rats’ nest. That being:

1. What specific information or type of information must I protect
2. To what standard must I protect it e.g., “best efforts”
3. What threats (or risks) must I protect against?

In other words I have limited resources and an unlimited universe of potential bad actors, miscreants, and opportunists who might want to obtain this information for their own purposes, vandalize my system, or hold my data for ransom. With unlimited threats what then is reasonable from my or the government’s point of view in looking to protect my information system and its contents?

This is the Risk Management approach that underpins the NIST standards and this is the approach that should be driving compliance. Because if the costs of protecting the system or the data exceed a certain threshold then small businesses will be excluded from participation – and the loss will be to the Government and the taxpayer.

What Should I Protect?

As discussed above the what to protect question is complex. In simple terms (and this is not professional or legal advice mind you) I see two distinct classes of information that will require protection.

Essential business information.

This class includes the day to day operations of your business and spans everything from Human Resources (privacy information), payroll, finance, accounting, purchasing, and intellectual property. This information exists in multiple forms and formats – everything from emails and text messages to spreadsheets, presentations, and databases. These data are the lifeblood of your company and if they are compromised your business will suffer.

Government “Work Products”

In general terms this is the CUI or FCI the FAR and DFARS seek to protect. In essence your company is being paid to create or deliver a work product under contract that fulfills a government need. The work product could be services or it could be data. But that work product has a distinct intrinsic and extrinsic value and based on that value it should be protected. These data include studies, analyses, designs, technical data, etc. Many of the work products are related to specific government systems where compromise of the data will either reduce the system’s effectiveness, render it obsolete, or allow others to replicate those systems. All of which are undesirable outcomes.

What Must I Protect Against?

We live at the intersection of the physical and virtual worlds. Consequently we must be like Janus and face not one but both directions simultaneously.

Physical Threats

Protecting against physical threats is more instinctive than protecting against virtual or cyber threats and is something both tangible and reflective of life-long experiences. We all have known families who have been burgled and their valuables taken. We have all seen or known of people who were robbed, conned, defrauded, or lost their homes and businesses to fire, flood or natural disaster.

Consequently we understand locking our doors, installing alarm systems, storing valuables in fireproof safes and doing background checks and due diligence before we enter into business deals. There are a number of ‘controls’ among the 110 controls in NIST 800-171 that deal with physical threats but like the owner of a pawn shop in a sketchy part of town the level and complexity of our precautions are generally driven by the likelihood of the risk (probability it will happen), the likely loss we would sustain, and the selection and cost of protective measures.

The most likely physical threats are related to loss or damage of the equipment or data through theft, misplacement (e.g., loss), or damage – all of which are quantifiable through insurance statistics and all of which can be controller by proven methods.

Virtual (Cyber) Threats

Cyber threats are generally less well known and the techniques for coping with them are often the subject of speculation by internet ‘authorities’ with little or no substantive training, experience or expertise – only access to a computer. This is not to say the threats are not real … they are very much a threat and there is virtually an encyclopedia of dirty tricks. The number and variety of these threats is constantly expanding as new vulnerabilities are uncovered and new techniques to take advantage of them are developed. Here are some of the more common cyber threats:

1. Unauthorized access to company networks or servers which, in turn, can result in a host of other issues
2. Data theft. Information that resides on your network is stollen or lost and found by someone who will use that data in a way that disadvantages you
3. Ransomware. A specific type of malware encrypts all the data on your network and renders it inaccessible unless a hefty ransom is paid.
4. Viruses and malware. Generally these threats tend to damage data or compromise the network such that data is unusable or unauthorized persons can access your system bypassing your security controls
5. Worms and Trojans. Similar to viruses but often use your system as a means to access other systems for illegal purposes or to intercept passwords etc.
6. Bots. Malware that allows individuals outside your network to perform tasks without your knowledge or authorization such as flooding spam emails to contacts, generating multiple requests to access a site thus overloading it and causing it to either crash or crawl to a near stop.

How do I Protect Myself?

Protecting against these threats is the purpose of the Cybersecurity program. But before we get started we need to recognize that Cybersecurity is not simply a ‘fill-in-the-boxes’ approach whereby running an assessment or checklist and implementing some procedures ‘fixes’ the problem.

Executive Order (E.O.) 13800 … requires agency heads to manage risk at the agency level and across the Executive Branch using the Framework for Improving Critical Infrastructure Cybersecurity (also known as the Cybersecurity Framework) developed by NIST. … the Cybersecurity Framework is adaptive to provide a flexible and risk-based implementation that can be used with a broad array of cybersecurity risk management processes.

Thus once we have identified the threats (cyber risks) we need to quantify each risk using standard risk management tools and procedures. Risks should be quantified using either qualitative or quantitative methods to develop a risk score for each. The risk score will then permit sorting and prioritizing such that the most critical risks are addressed first.

For each risk we need to decide a relevant strategy. We can adopt any number of strategies to control these risks. Indeed the simplest method is to simply avoid government contracts in total or contracts with CUI requirements. But the cost of doing that in terms of lost business revenue would be prohibitive for most businesses.

We can elect to mitigate risks through various measures including training, procedures, anti-malware software, access requirements, etc. The mitigation strategy is largely expressed in the 110 controls in NIST SP 800-171.

We can elect to transfer risks through measures whereby others take on the risk on our behalf. This is often the case whereby a third party provides the network infrastructure or network management expertise to offload large portions of the cybersecurity workload onto specialists. We can also see this at work with various insurance coverages to compensate the business for any losses incurred.

Finally we can accept those risks we cannot control. This is a trade off whereby we knowingly make an informed decision to do nothing or very little because the costs of fixing the problem outweigh the benefits to be received. For example, in adding certain ‘protections’ we also incur additional – hidden costs. Do the bars on the windows to keep burglars out make it more difficult for us to evacuate in case of a fire? Does an obvious and comprehensive ‘loss management’ program in the form of a uniformed security guard at the door intimidate customers and cause lost business.