
Cyber and Supply Chain Compliance · Supply Chain Risk Insider Threat Examples – Implementing “New” Rules • Supply Chain Risk Rule, DFARS 252.239‐7012 Applies to Acquisition


Page 1

5/7/2018
Cyber and Supply Chain Compliance: Who and What Are Covered?

May 4, 2018

Susan Warshaw Ebner, Fortney & Scott, LLC

Agenda 

• Emerging Supply Chain Risk Areas 

• Shifting Roles In The Supply Chain

• Examples Of Supply Chain Provisions   

• Who’s Covered By These Provisions 

• What Needs To Be Protected 

• What You Need To Think About Moving Forward

Page 2

Emerging Supply Chain Risk Areas

• Traditional Supply Chain Concerns

• MILSPEC v. Commercial Item Requirements

• Responsibility and Quality Assurance

• Emerging Threats
  - Global Nature of the Supply Chain
  - The Trump National Security Strategy
  - The Internet of Things

• Coverage and Ongoing Compliance

Shifting Roles: Addressing Threats Through Better Risk Management

• Establishing Risk Management Requirements

• Including Appropriate Solicitation and Evaluation Criteria

• Determining Responsibility

• Selecting A Trusted Supply Chain

• Applying Flow Down and Flow Up Correctly

• Supply Chain Quality Assurance and Maintenance

Page 3

Examples of Supply Chain Risk Management Provisions

• Buy “American”

• Expanded Reporting of Nonconforming Items

• Detection and Avoidance of Counterfeit Parts

• Safeguarding Covered Defense Information and Cyber Incident Reporting

• Supply Chain Risk

• Export/Import Controls

• Other

Example – Updating “Traditional” Rules

• Using Buy “American” Laws, Policies, Regulations
  - DFARS Buy American Act and Trade Agreements Act Provisions
    o Revised Definition of “Qualifying Country”
    o Contract Price Includes Duties That Are Not Exempt
  - Toughening Domestic Nonavailability Determinations
  - Increasing Use Of Products/Services From U.S. Allies
  - Import Controls
    o Using U.S. trade enforcement tools, e.g., Anti‐Dumping, Tariffs, Prohibited Parties and U.S. Sanctions Lists, etc.
  - Export Controls

Page 4

Examples – Implementing “New” Rules

• Supply Chain Risk rules, including
  - Expanded Reporting of Nonconforming Items
  - Detection and Avoidance of Counterfeit Parts
  - Safeguarding Defense Information and Cyber Incident Reporting
  - Supply Chain Risk
  - Insider Threat

Examples – Implementing “New” Rules

• Supply Chain Risk Rule, DFARS 252.239‐7012
  - Applies to Acquisition of Information Technology Services or Supplies, Including Acquisition of CI, For A Covered System, Or In Support Of A Covered System
  - “Supply chain risk” means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a national security system (as that term is defined at 44 U.S.C. 3542(b)) so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.
  - Use Supply Chain Risk As An Evaluation Factor For Award
  - Authority To Exclude Contractors Due To Risk Related To National Security Systems

Page 5

Examples – Implementing “New” Rules

• Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS 252.204‐7012
  - All Contractors That Sell Supplies or Services To DoD, Including Commercial Items (CI), But Not Commercial Off The Shelf (COTS)
  - Covered Entities Must Provide Adequate Security
    o Comply With NIST SP 800‐171 As Amended
    o Establish SSP and POAM
    o Perform Ongoing Work To Provide Adequate Security
    o DFARS Guidance (FAQs and Proposed Guidance re SSP & POAM Reviews)
  - Carve Outs
    o Certain Cloud Services Providers
    o Who Else?
  - Covered Entities Must Report Cyber Incidents, Preserve Data/Media, Follow Up As Needed
  - AND DFARS 252.204‐7008 Compliance With Safeguarding Covered Defense Information Controls

• Shifting Role of the Prime Contractor/Higher Tier Subcontractor
  - Perform contract
  - Responsibility for Subcontractors
  - Flow Down of Applicable Requirements
  - Supply Chain Traceability (OEM to Government)
  - Supply Chain Integrity
  - Detection and Reporting for Prime and Subcontractors, and “Similar Agreement Holders”
  - Taking compliance programs to the next level
    o Quality Assurance
    o Auditing
    o Reporting
    o Codes of Conduct
    o Compliance Training

Page 6

• Expansion and Ambiguity in Applicability of the Rules

• Prime Contractors

• Subcontractors

• Similar Agreement Holders

• How Low Must A Prime/Subcontractor Go?

• Express Terms of Contract, “Subcontractor”, “Lower‐Tier”, “Any Tier”, “Vendor”, “Similar Contractual Instrument” Holder

• What about providers of general inventory items, financing, human resources, …?

Who’s Covered

• Variety of Terms You Need To Parse Through, E.g., DFARS Cyber Rule Coverage:
  - Who Has “Subcontracts, Or Similar Contractual Instruments”
    o For Operationally Critical Support, Or
    o For Which Subcontract Performance Will Involve Covered Defense Information”
  - Flow Down Through The Supply Chain
    o Sellers (Prime Contractors)
    o “Subcontractors”
    o “Similar Contractual Instrument” Holders
    o Original Manufacturers, Channel Partners, Resellers
    o Financing Entities, Human Relations, Accounting, …
    o How Can The Prime Enforce The Provision? Flow Down and Privity

Page 7

Who’s Covered

• Divergent Or Missing Definitions Raise Questions
  - FAR 2.101 “Contract”
  - FAR Subpart 4.4 Safeguarding National Security Data Within Industry
  - FAR Subpart 4.19 and FAR 52.204‐21, Basic Safeguarding of Covered Contractor Information Systems
  - FAR Parts 8, 12, 14, 15
  - FAR 44.101 Terms, Include “Contractor,” “Subcontract” and “Subcontractor”

Who’s Covered

• Divergent Or Missing Definitions Raise Questions
  - 41 USC 1906(c)(1) – “Subcontract” Under A Commercial Item Procurement
  - National Defense Authorization Act for FY 2018, P.L. No. 115‐91, Sec. 820 (12/2017) “Change to Definition of Subcontract in Certain Circumstances”:
    o “The term does not include agreements entered into by a contractor for the supply of commodities that are intended for use in the performance of multiple contracts with the Federal Government and other parties and are not identifiable to any particular contract.”
  - How Does This Impact Things?

Page 8

What’s Covered

• “Covered Defense Information” (CDI) Includes:
  - “Controlled Technical Information” (CTI)
  - “Controlled Unclassified Information” (CUI)

• Who Defines It?
  - At The Government Level
    o Contracting Officer, CISO, Program Manager
    o PWS/SOW, CDRL, DD 254, Other
  - At The Contractor, Subcontractor, or Similar Instrument Holder Levels
    o ???

• What Is It? What Isn’t It?

• When You Don’t Know, Seek Clarification

What’s Covered

• If There Is CDI, What Systems Are Covered?
  - Is There A Covered Contractor Information System?

• Is It Part Of An Information Technology Service Provided To Government?

• Is It Part Of A System Operated On Behalf Of The Government?

• Does It Involve A Cloud Service?
  - What About HR, Financial, Other Functions?

Page 9

What Do You Do Next?

• Does The “Subcontractor” Meet Requirements?
  - Seek Exemption?
  - Seek To Provide Alternate System?
  - If Subcontractor Does, What Next?

• Supply Chain Compliance
  - Requires Certifications, Questionnaires, Audits
  - Consider Other Issues, Such As Contracting, Indemnifying, Training, Managing, Reporting, Ongoing Oversight

What To Watch For Moving Forward

• Procurement Requirements and Evaluation Criteria

• Protests and Non‐Responsibility

• Supply Chain Risk

• Performance Issues
  - What Is Required and What Is “Adequate Security”
  - Cyber Incident Investigation and Mandatory Reporting (Prime/Sub/Govt)
  - Directed/Not Directed Contract Changes Following Cyber Incident
  - Directed Removal Of Questionable Products
  - Govt/Contractor Claims, Third Party Liability, False Claims Act Issues

• Other, e.g., Increasing Scrutiny of Deals by Committee on Foreign Investment in the United States (CFIUS)

Page 10

Questions?