This is the first in a series of blogs on the theme of the transformative nature of “cyber.” In this installment, we begin setting the baseline for a dynamic discussion of a wide range of cybersecurity issues, starting with the definition of “cyber.” We also provide a briefly annotated list of the statutes that most relate to the cybersecurity issues we will address. In future blogs, we will cover other sources of U.S. cyber law and policy, and then turn to the transformative nature of cyber. Although cybersecurity affects everyone, not just government contractors, and we will address the effects of cyber issues on society generally, we will always maintain a focus on the effects on government contractors in particular. Later parts of the series will cover DFARS 252.204-7012.
To begin with, we need a working definition of “cyber,” and we derive ours from the National Institute of Standards and Technology (NIST) definition of “cyberspace.” Although the term “cyber” is usually used as a prefix in conjunction with words such as attack, incident, security, space, and threat, we will use the term “cyber” broadly, with or without a suffix, to refer to information technology (IT) that is used in connection with “the interdependent network of information systems infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” See NIST, Glossary of Key Information Security Terms, NISTIR 7298 (Rev. 2, 2013) (adapted from the definition of “cyberspace”).
Now that we have a working definition of “cyber,” we turn to the current state of U.S. law relating to cyber, which can only be described as a “patchwork.” Since the Constitution says nothing about cyber, and although the courts have recognized a constitutional right to privacy, starting with Griswold v. Connecticut, 381 U.S. 479 (1965), the primary source of cybersecurity law is statutory.
Unfortunately, there is no single, comprehensive, remotely up-to-date Federal cybersecurity statute. (For defense contractors, the most concrete requirements come not from a statute but from a contract clause, DFARS 252.204-7012, which we take up below and in later posts.) In that light, the following is a list, albeit an idiosyncratic one, of statutes that establish or affect significant Federal cybersecurity requirements. Since they were passed in response to successive, evolving cyber threats of differing magnitudes, but without a harmonized statutory scheme as an organizing principle, it is illuminating to list the selected statutes in chronological order.
- Counterfeit Access Device & Computer Fraud & Abuse Act of 1984, Pub. L. No. 98-473 (codified as amended at 18 U.S.C. § 1030) (prohibits attacks on Federal computers and bank networks in interstate and international commerce)
- Computer Fraud and Abuse Act of 1986 (CFAA), Pub. L. No. 99-474 (codified at 18 U.S.C. §§ 1001 note, 1030) (expanded scope of CFAA of 1984; carved out exemption for Intelligence Community (IC) and law enforcement agencies)
- Electronic Communications Privacy Act of 1986 (ECPA), Pub. L. No. 99-508 (codified at scattered sections of 18 U.S.C.) (bans unauthorized electronic eavesdropping) (includes the Stored Communications Act, 18 U.S.C. §§ 2701-2712, which proscribes illegal access to stored communications, which now include “cloud” storage of emails)
- Computer Security Act of 1987, Pub. L. No. 100-235 (codified at 15 U.S.C. §§ 278g-3 & 278g-4, 40 U.S.C. § 759) (directed NIST to develop cybersecurity policies for Federal civilian agency networks, except for national security systems used for DoD and the IC)
- Paperwork Reduction Act of 1995, Pub. L. No. 104-13 (codified as amended at 44 U.S.C. §§ 3501-3520) (directed OMB to develop Federal cybersecurity policies) (superseded in part by Homeland Security Act, infra)
- Clinger-Cohen Act of 1996 (a/k/a Federal Acquisition Reform Act (FARA) & Information Technology Management Reform Act of 1996 (ITMRA)), Pub. L. No. 104-106 (repealed portions of the Brooks Act by giving agency heads authority to acquire IT; established the CIO position at each agency; required agency heads to ensure adequacy of agency cybersecurity policies; exempted national security systems from most provisions)
- Health Insurance Portability & Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191 (codified in scattered sections of 29 and 42 U.S.C.) (amended in pertinent part by the HITECH Act, infra) (required HHS to establish technical standards for protection of protected health information)
- Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102 (codified at 15 U.S.C. §§ 6801-6827) (requires financial institutions to protect customers’ personal information)
- Sarbanes-Oxley Act of 2002 (Public Company Accounting Reform and Investor Protection Act), Pub. L. No. 107-204 (codified at scattered sections of 15 & 18 U.S.C.) (requires public companies to report on internal controls over financial reporting, which can encompass cyber attacks that affect those controls or result in loss of protected information)
- Homeland Security Act of 2002, Pub. L. No. 107-296 (codified at scattered sections of 6 U.S.C.) (established Department of Homeland Security (DHS); included Cybersecurity Enhancement Act of 2002, Pub. L. No. 107-296, Title II, § 225 (codified at 6 U.S.C. § 145 & scattered sections of 18 U.S.C.) and original Federal Information Security Management Act of 2002 (FISMA), Pub. L. No. 107-296, Title X; transferred many cybersecurity functions from other agencies to DHS; directed DHS to provide information on cyber threats to State and local authorities and private entities and assist them in protecting critical infrastructure)
- Federal Information Security Management Act of 2002 (FISMA), Pub. L. No. 107-347, Title III (Title III of the E-Government Act of 2002) (codified at 44 U.S.C. §§ 3541-3549) (established a broad framework of standards and requirements for Federal IT networks and services; as of this writing, the last overarching Federal cybersecurity statute)
- Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), Pub. L. No. 108-458 (codified at scattered sections of 42 and 50 U.S.C.) (created the post of Director of National Intelligence; established cyber responsibilities for certain entities in the IC, homeland security and national security communities; and created the Privacy and Civil Liberties Oversight Board)
- Health Information Technology for Economic and Clinical Health Act (HITECH Act), Pub. L. No. 111-5 (2009) (codified at scattered sections of 42 U.S.C.) (updated and expanded HIPAA cybersecurity and privacy requirements for health-care providers)
To be sure, other statutes (and lists of statutes) contain provisions that are related to cyber, see, e.g., Eric A. Fischer, Cong. Research Serv., R42114, Federal Laws Relating to Cybersecurity: Overview and Discussion of Proposed Revisions (2013), but this list and the blog series will focus more on those sources of law and policy that affect or potentially affect government contractors.
In addition to the statutes, the contract clause at DFARS 252.204-7012 (Safeguarding of Unclassified Controlled Technical Information) imposes significant cybersecurity requirements directly on defense contractors, and the clause must be flowed down to subcontractors.
With that in mind, future blogs will cover Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which the President issued in February 2013 to address the growing cyber threat to critical infrastructure, which “represents one of the most serious national security challenges we must confront.” 78 Fed. Reg. 11739 (Feb. 19, 2013). We will also cover the cyber aspects of the interim DFARS rule on requirements relating to Supply Chain Risk, DFARS Subpart 239.73; the final DFARS rule on Safeguarding Unclassified Controlled Technical Information, DFARS Subpart 204.73 (implemented by the clause at DFARS 252.204-7012); and the final DFARS rule on Detection and Avoidance of Counterfeit Electronic Parts, DFARS Subpart 246.8. Then, having covered most of the sources of cybersecurity law relating to government contractors, we will turn to U.S. cyber policy, as set forth in, e.g., the NIST Cybersecurity Framework and the various National Strategies regarding cyberspace.
Ira E. Hoffman, in addition to being a Principal in Cybersecurity, Government Contracts and International Law at the Offit Kurman law firm, is a member of the CyberMaryland Advisory Board and the Board of the Public Contracting Institute. The views expressed here and in future blogs are his own, and do not represent the views of any of those organizations. He can be reached at email@example.com.
Posted on September 8, 2014 by Ira E. Hoffman, Principal in Cybersecurity, Government Contracts and International Law at Offit Kurman, P.A.