Improving Risk Management in Department of Defense Government Contracting


IMPROVING RISK MANAGEMENT IN DEPARTMENT OF DEFENSE GOVERNMENT CONTRACTING: ESTABLISHING A CYBER SECURITY GRANT PROGRAM

I. Introduction
II. Background: The Current Cybersecurity Regime
   A. A Framework for Risk Management: The DFARS and NIST SP 800-171
   B. Cybersecurity as an Evaluation Criterion: Syneren and IPKeys Tech
III. Improving Small Business Cybersecurity
   A. Potential Solutions
   B. Establishing a Cybersecurity Grant Program
IV. Conclusion

I. INTRODUCTION

In 2013, Target experienced a massive data breach[1] which left the personal information of up to 70 million customers exposed to attackers.[2] Information such as phone numbers, addresses, and credit card details was compromised after a phishing email allowed malware (a bot) to capture company login credentials.[3] Not only was the CEO of Target forced to resign after the incident[4] (a first for a major company suffering a data breach), but the company became the subject of multistate litigation stemming from its failure to protect customer data.[5]

Interestingly, the hackers did not gain access to Target's systems directly, but through a small vendor it contracted with for HVAC services, Fazio Mechanical Services Inc.[6] A third-party vendor, Fazio's only defense against malicious software was the free version of Malwarebytes Anti-Malware.[7] The free version does not scan for threats in real time and was not even licensed for corporate use.[8] Once Fazio's vendor credentials were obtained, the hackers used malware to reach Target's billing and invoicing systems, and Target's own software spread the malware to virtually all of Target's point-of-sale systems.[9] Target's compromise through a small third-party vendor that was not even involved in its billing systems illustrates how a large organization can be breached through a small business.
Criminals are increasingly using small businesses as a backdoor into larger organizations, because their cybersecurity programs tend to be less sophisticated.[10] Smaller businesses are less likely to have thorough cybersecurity controls in place, and are more likely to be unprepared for the cost of losses when a data breach occurs.[11] For small government contractors who handle sensitive information crucial to national security, the stakes are even higher. In 2011, a Chinese citizen living in Canada hacked into Lockheed Martin's networks and gained access to information about several military aircraft.[12] Given other recent breaches of government computer systems,[13] the executive branch has recognized strict cybersecurity compliance as a cornerstone of national security. The Federal Information Security Management Act (FISMA) of 2002, amended in 2014 by the Federal Information Security Modernization Act, was passed by Congress to protect defined categories of information and information systems, to provide a "comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets" and to "provide for development and maintenance of minimum controls required to protect Federal information and information systems."[14]

Although small government contractors have limited resources, they are subject to the same cybersecurity requirements that larger contractors with more resources must meet.[15] Recently, the Department of Defense has used the Defense Federal Acquisition Regulation Supplement (DFARS) to institute uniform cybersecurity requirements for all covered DoD contractors and subcontractors, regardless of size.[16]

Additionally, the DoD has made a point of including small businesses in its contracting process in order to support local economic development, offer opportunities to disadvantaged socio-economic groups, and gain access to the new ideas that small businesses provide.[17] The DoD aimed to award at least 22 percent of small-business-eligible prime-contract spending to small businesses in fiscal year 2017.[18] The impetus of the Small Business Act of 1953 was to establish the Small Business Administration (SBA) and to "aid, counsel, assist and protect, insofar as is possible, the interests of small business concerns."[19] Included in the SBA's mandate was the assurance that it would give small businesses a "fair proportion" of government contracts and sales of surplus property.[20] In short, the DoD is required to ensure that a significant portion of its contracts is awarded each year to small businesses, all of which must comply with the DFARS cybersecurity standards. This represents a significant challenge for both the government and small government contractors, as the percentage of federal contract dollars set aside for small businesses is likely to grow.[21]

"One of the major impediments to changing how cybersecurity is addressed in Federal acquisitions is the differing priorities of cyber risk management and the Federal Acquisition System. The Acquisition Workforce is required to fulfill numerous, sometimes conflicting, policy goals through their work, and cybersecurity is but one of several competing priorities in any given acquisition."[22] The government must allocate its target share of contracts to small businesses without compromising its cybersecurity goals. Small businesses, for their part, must strategically allocate limited resources while keeping pace with the myriad and growing security requirements mandated by the government. The Director of the Kansas University Small Business Development Center stated: "America's small businesses have not made a dedicated effort to build cybersecurity into their P&Ls [Profits and Losses]. That lack of funding on the small business side has been noticed by hackers. Small businesses are the backdoor into big business. A Fortune 500 company or the U.S. Government can throw as many dollars as they want at the threat of a cybersecurity breach, but all it takes is one small business vendor to take down the whole thing."[23]

Although several government entities have implemented programs to assist small businesses that contract with the DoD, focusing on outreach and education efforts,[24] they have fallen short. These attempts have typically centered on broad initiatives and policy advice rather than concrete solutions. These programs are no doubt helpful, but they have not targeted the underlying issue small government contractors face when attempting to comply with cybersecurity mandates: the allocation of limited financial resources. This note argues that Congress should pass legislation giving the Small Business Administration the authority to establish a federally funded cybersecurity grant program in which eligible small business defense contractors are directly provided with funds for internal cybersecurity improvements. Congress should give the SBA authority to make cybersecurity grants to assist small businesses holding Department of Defense contracts in meeting their DFARS and NIST SP 800-171 requirements. This will help the DoD achieve its cybersecurity objectives, which include expanding cyber cooperation with the private sector and securing DoD information on non-DoD-owned networks.[25] Putting the power of compliance in the hands of individual businesses, which are best placed to know where to allocate their resources, would help reduce inefficiency and the funding of duplicate resources.

Part II of this note lays out a brief overview of the DoD's current cybersecurity mandates, providing a look at the origins of the DFARS cybersecurity initiatives and the Department of Commerce's National Institute of Standards and Technology, and their increasing emphasis on standardization among all contractors.
It will also take a look at two recent cases in which cybersecurity was used as an evaluation criterion by agencies. Part III will analyze ongoing efforts to ameliorate the unique difficulties faced by small federal contractors. It will then argue that establishing a cybersecurity grant program for eligible small government contractors subject to DFARS requirements would assist individual contractors in completing the three main tasks of DFARS 252.204-7012 and NIST SP 800-171: determining what information is covered, implementing cyber incident reporting requirements, and developing a system security plan and plan of action.

II. Background: The Current Cybersecurity Regime

A. A Framework for Risk Management: The DFARS and NIST SP 800-171

The Department of Defense protects sensitive information held by contractors through rules known as the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS), which provides DoD-specific acquisition regulations for the procurement process.[26] In 2016 the DoD published a final DFARS rule,[27] which was clarified by the DoD's Frequently Asked Questions (Network Penetration Reporting and Contracting for Cloud Services FAQ). As of December 31, 2017, all DoD contractors that store, process, or transmit covered defense information (CDI) are subject to DFARS 252.204-7012.[28] This clause requires that all such contractors implement the security requirements in NIST SP 800-171.[29]

Cybersecurity regulations governing government contracts require increasing levels of compliance across multiple categories in order for firms to remain competitive in the bidding process, placing major emphasis on requiring government contractors to adhere to stringent cybersecurity rules. The DoD has also issued guidance on how a small business could approach meeting the requirements of NIST SP 800-171. It stated that most requirements could be met by instituting policy or process changes or by adjusting the configuration of existing IT systems.[30]

While the FAR rules create a baseline of protection,[31] the final DFARS rule applies to all contractors and subcontractors that safeguard "covered defense information" (CDI) residing in or transiting through "covered contractor information systems."[32] Previously, the rule applied only to "cleared" and "operationally critical" contractors. The following highlights additional important changes in the final DFARS rule.

Coverage

The final DFARS rule expands coverage.[33] Unless a solicitation or contract is for the acquisition of COTS items,[34] the clause must be flowed down in all subcontracts for "operationally critical support"[35] or where performance of the subcontract will involve "covered defense information."[36] The old clause applied only to "cleared" and "operationally critical" contractors as specified in the 2013 and 2015 National Defense Authorization Acts (NDAA).

Incident reporting

In addition, the new DFARS clause requires a contractor to report any cyber "incident" within 72 hours of discovery.[37] Some public comments complained that reporting within 72 hours was too burdensome because it was unlikely that a contractor would have all the information required by the clause within that window. The DoD clarified that contractors should report "whatever information is available to the DIBNet portal[38] within 72 hours of discovery. When more information becomes available, the contractor/subcontractor should submit a follow-on report with the added information."[39]

Sharing of malware

When malicious software is discovered, it should be submitted to the DoD Cyber Crime Center (DC3) "in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer."[40] Previously, contractors were required to "submit the malicious software in accordance with instructions provided by the Contracting Officer."[41]

Contractor network access

The DoD is now permitted access to contractor information and systems in the event of a cyber incident.[42] Although this has been criticized as giving the government too much access to contractor information, the DoD stated in commentary to the rule that access is limited to "determining if DoD information was successfully exfiltrated... and, if so, what information was exfiltrated."[43]

Subcontractor reporting obligations

When a subcontractor provides operationally critical support, or performance of the subcontract involves covered defense information, it must report cyber incidents to the DoD.[44] Additionally, the subcontractor must notify the prime contractor when requesting a variance from the NIST SP 800-171 security requirements.[45]

Cloud service providers

Cloud service providers operated on behalf of the government and those that are not receive different treatment. Cloud service providers operating on behalf of the government must comply with the DoD Cloud Computing Security Requirements Guide (SRG), also known as the FedRAMP+[46] rules.
Otherwise, cloud service providers must meet the FedRAMP Moderate baseline[47] requirements and comply with the final rule's "cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment" requirements.[48] Most covered contractor information systems are not operated on behalf of the government and must therefore meet the security requirements in NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."[49] The National Institute of Standards and Technology (NIST) is charged with "developing information security standards and guidelines, including minimum requirements for federal information systems."[50] NIST developed this publication to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014.[51] The requirements contractors must adhere to under NIST SP 800-171 are complex and expansive.
As an example of the technical complexity contractors must grapple with, NIST SP 800-171 details 14 "families" of requirements for protecting the confidentiality of information: Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System and Communications Protection; and System and Information Integrity.[52] Each of these requirements must be "applied to the nonfederal organization's internal systems processing, storing, or transmitting CUI."[53]

The measures needed to implement the requirements of NIST SP 800-171 can be quite burdensome and may require continuous monitoring.[54] Compliance is demonstrated through a robust system security plan (SSP) alongside a plan of action and milestones (POA&M) describing how any unimplemented requirements will be addressed.[55] Contractors new to the arena may incur significant upfront costs that make it all but impracticable to comply thoroughly with every requirement in the NIST publication. This is especially important for small businesses, which may find it challenging to comply with so many requirements, particularly if their previous contracts with the DoD were limited. Some contractors may even decide that compliance is too costly and choose to risk non-compliance. However, non-compliance is not a realistic option for government contractors looking to mitigate their risk and avoid adverse outcomes in bid protests. DFARS 252.204-7008 provides that "[b]y submission of this offer, the Offeror represents that it will implement the security requirements specified by [NIST SP 800-171] . . . that are in effect at the time the solicitation is issued or as authorized by the contracting officer not later than December 31, 2017."[56]

However, there is some relief for contractors who feel they cannot meet the full burden of NIST SP 800-171 up front. In some cases, contractors may request a variance from a requirement after contract award if they can offer an "equally effective security measure in its place."[57] Contractors begin this process by submitting a written request to the Contracting Officer, which is then considered by the DoD Chief Information Officer.[58] Contractors can also request a pre-award adjudication[59] if they feel a security requirement is not consistent with the requirements of the contract, or if they have "an alternative, but equally effective security measure that may be implemented in its place."[60]

B. Cybersecurity as an Evaluation Criterion: Syneren and IPKeys Tech

Revision 1 of NIST SP 800-171 states that agencies have the right to inspect any system security plan (SSP) and plan of action and milestones (POA&M) from government contractors.[61] Additionally, the SSP and POA&M may be used by agencies as evaluation criteria in awarding contracts that require the processing, storing, or transmission of covered defense information (CDI).[62] The DoD can determine "whether it is an acceptable or unacceptable risk to process, store, or transmit" CDI on any particular contractor's system.[63] Two recent cases illustrate how cybersecurity has been used as an evaluation criterion for contractors.

Syneren Tech Corp.

On February 10, 2016, the Department of the Navy issued an RFP asking contractors to provide support to the Sea Warriors Program[64] for the "design, development, implementation and sustainment of IT systems and software supporting enterprise business services, personnel and pay, position management, recruiting and accessions, workforce development, and distance support." The solicitation was for an indefinite-delivery, indefinite-quantity (IDIQ) contract and had the following five evaluation factors: "(1) software development experience; (2) first sample task (net recruiting placement and alignment (NetRPA)[65] development/modernization); (3) second sample task (Department of Defense (DOD) IT portfolio repository/database management system sustainment); (4) cost; and (5) past performance."[66]

Because the contract involved work to be performed at a government site in New Orleans, Louisiana, and involved Department of Defense and Department of the Navy information, the winning contractor had to comply with both DoD and Navy cybersecurity requirements.[67] Among them was the requirement that certain software used by the contractor meet accreditation standards.[68] In addition, it was the bidder's responsibility to clearly show its ability to satisfy these requirements.[69] The solicitation received 20 offers, including Syneren's.[70] Unfortunately, the software Syneren proposed to use for the second evaluation factor, the Net Recruiting Placement and Alignment (NetRPA) sample task, was not accredited for use by the Navy.[71] Additionally, Syneren offered no explanation of how it planned to become accredited.[72] Syneren's proposal was ultimately rejected and it subsequently filed a protest of the Navy's decision.[73] Syneren argued that the Navy should not have evaluated its proposal as unacceptable for its use of unaccredited software.[74] In reference to its rejection, Syneren asserted that "There was no requirement for Syneren to address the accreditation process prior to award or to explain in its proposal how it would attain accreditation."[75] The GAO rejected this argument and sided with the Navy.[76] The decision explained that "because performance will occur in a government facility and involve DOD and Navy data, the solicitation provided that the contractor's system must comply with multiple cybersecurity requirements... more importantly, that Syneren's proposal failed to address in any meaningful way how compliance would be achieved."[77] The Navy concluded that "Syneren's proposal failed to reflect an adequate understanding of both the time and costs associated with Syneren's successful contract performance, specifically including compliance with the solicitation's cybersecurity requirements."[78] In short, Syneren was on notice of the Navy's cybersecurity requirements, and the Navy did not believe Syneren fully understood what steps it needed to take to perform the work in the solicitation while remaining compliant with the agency's cybersecurity requirements.[79] It is likely that agencies will increasingly incorporate cybersecurity[80] into their bidding processes, and that offerors who cannot meet the applicable qualifications may be disqualified.

IPKeys Tech.

Another GAO decision highlights the use of cybersecurity as a technical evaluation factor.
IPKeys Technologies, LLC, a small business, challenged the Defense Information Systems Agency's (DISA) evaluation of By Light Professional IT Services, Inc.'s cybersecurity solution.[81] By Light, also a small business, submitted a proposal that was higher-priced than that of IPKeys.[82] The RFP was for "engineering, transition, implementation, sustainment, and cybersecurity monitoring support services for DISA's Global Video Service (GVS)."[83] The request considered only two evaluation factors, "(1) technical/management approach; and (2) cost," with the technical/management approach being more important than cost, and cost to be evaluated for completeness, reasonableness, and realism.[84] The technical/management approach factor was itself evaluated under four equally weighted subfactors.[85]
