- Posted on: Nov 3 2022
By: Lawrence L. Muir, Jr. [11/4/22]
Lawyers, who are not particularly known for their sense of humor, joke that the reason they attended law school was to avoid doing math. A variation of the joke involves having to understand information technology. But lawyers must serve their clients, answer their questions, give advice, and even take on appeals to the government, and understanding technical cybersecurity assessments will be a part of that client advocacy. As cybersecurity takes on more importance to companies, the lawyers representing these companies must learn more about the technical aspects of that field and how it impacts their clients. This is particularly true for government contracts lawyers whose clients will soon be required to show technical compliance with cybersecurity provisions in contracts. This article should help lawyers understand what their clients should receive during and after a thorough cybersecurity assessment and how those assessments will be used in government contracting.
DFARS 252.204-7020 has a provision that suggests lawyers should participate in their government contracting clients’ cybersecurity preparations. And clients would be wise to bring their attorneys into the process well in advance of needing them to take actions under a deadline. Because of the assessment rebuttal provision in 7020(e), which enables companies to provide additional documentation to challenge assessments and scoring decisions, government contracting lawyers will have to understand the mechanics of an assessment and how to argue the technical points of assessment findings.
Lawyers first must understand that assessments are done against a cybersecurity standard, using a framework produced by the National Institute of Standards and Technology (NIST). This framework is called the NIST 800-171. The document is on its second revision and will soon have a third version promulgated. The 800-171 is a list of controls, organized into 14 control families and consisting of 110 separate controls. An assessor compares the text of a control to actions taken, and documentation recorded, by a company to see if the control is implemented or not. Controls can be partially implemented, and companies can plan to implement a control. On a contract-by-contract basis, some of these controls may not be applicable to a company, but companies should expect all 110 controls to be required.
There are three levels of assessments: basic, medium, and high. Basic assessments, described in 7020 and the preceding regulation (7019), allow an organization to perform a self-assessment of the implementation of these controls on its network. This is a more affordable option, but it is less than fully reliable and can be biased because the assessor is assessing his or her own work. A proper cybersecurity assessment should be done by an outside party and have deliverables designed to improve the cybersecurity hygiene of a company.
A proper 800-171 assessment should incorporate a companion NIST document, the NIST 800-171A. This document prescribes the methodology for giving a proper assessment and, if used properly, will help a company systematically improve its internal cybersecurity capabilities. The document takes each of the 110 controls and lays out the methods for assessing the control. It begins with the methodology used to gather the information needed to make a proper assessment of that control. Each control has a list of suggested documents that should be gathered to validate the control, such as whether the company has an access control policy. The other two methods are which people should be interviewed about the control and what technical measures should be tested. The company will help itself and its assessor by organizing this documentation in one place, and by doing so the company will create its own improved internal processes and record keeping.
The next section contains a list of assessment objectives for each control. An assessment objective must be marked as either satisfied or not satisfied. Most controls contain multiple assessment objectives. If every assessment objective listed for an individual control is satisfied, then the control is implemented and the company receives full credit. If one or more assessment objectives are not satisfied, then the company has not implemented the control and the assessor must score it as either partially or not implemented.
If a control is implemented, then the company receives full credit in the SPRS system for the value of the control, which means it receives zero points. That is because the SPRS system starts with a full value of 110 points. When a control is implemented, no points are deducted. If a control is not fully implemented, the company loses the value of the points for the control, meaning a company can have a negative SPRS score. The lower the SPRS score, the less competitive the company will be for government contract awards.
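As an added illustration (not part of the original article), the following Python sketch models the two rules just described: a control counts as implemented only when every 800-171A assessment objective is satisfied, and the SPRS score starts at 110 and subtracts the point value of each control that is not fully implemented. The control ids, objective ids and point values are constructed sample data, not the official tables, and the partial-credit cases an assessor may apply are not modelled.

```python
from dataclasses import dataclass, field

# SPRS scoring starts from the full value of 110 points (one per control in
# NIST SP 800-171) and deducts the value of each control that is not implemented.
SPRS_MAX = 110
TOTAL_CONTROLS = 110


@dataclass
class Control:
    control_id: str                     # 800-171 numbering, e.g. "3.1.1" (constructed)
    weight: int                         # points lost when not implemented (assumed value)
    objectives: dict = field(default_factory=dict)  # objective id -> satisfied?

    def implemented(self) -> bool:
        # A control is implemented only if it has objectives and ALL are satisfied.
        return bool(self.objectives) and all(self.objectives.values())


def sprs_score(controls: list) -> int:
    """110 minus the weights of every control not fully implemented; may go negative."""
    return SPRS_MAX - sum(c.weight for c in controls if not c.implemented())


def poam_items(controls: list) -> list:
    """Deficient controls with their open objectives: the raw input to a POAM."""
    return [(c.control_id, [o for o, ok in c.objectives.items() if not ok])
            for c in controls if not c.implemented()]


def unassessed_count(controls: list) -> int:
    """Completeness check: controls not yet recorded cannot be claimed as implemented."""
    return TOTAL_CONTROLS - len({c.control_id for c in controls})


# Constructed sample assessment record covering four of the 110 controls.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, {"3.1.1[a]": True, "3.1.1[b]": True, "3.1.1[c]": True}),
    Control("3.1.2", 5, {"3.1.2[a]": True, "3.1.2[b]": False}),
    Control("3.5.3", 5, {"3.5.3[a]": False, "3.5.3[b]": True}),
    Control("3.12.4", 3, {"3.12.4[a]": True}),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS))          # 100 for the sample
    print("POAM items:", poam_items(SAMPLE_CONTROLS))
    print("Controls still unassessed:", unassessed_count(SAMPLE_CONTROLS))
```

The unassessed count is the figure a lawyer should ask for first: a score computed from an incomplete control list is not a score the company can defend in a 7020(e) rebuttal.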
At this point, the reader may have a nagging question: does a small government contractor really have to go through all this? After all, medium assessments don’t even require the 800-171A, and only high assessments for the most important government defense contractors require it. That’s true. And misleading. Medium assessments involve the government performing an independent assessment of the NIST 800-171, which means the basic self-assessment done by the company must be done properly. And a proper assessment uses the assessment objectives to properly assess controls. So, if a company subject to a medium assessment truly wants to be prepared for the medium assessment, its self-assessment should have the procedural rigor of an assessment done with the 800-171A methodology. Relying upon a basic assessment, especially a self-assessment, will be an illusory promise to any company that must have a medium assessment or a high assessment.
Further, regulation 7020(e) allows a company that has undergone a medium or high assessment from a government assessor to rebut the government determinations and argue for SPRS score enhancements. DoD will provide medium and high assessment summary level scores to the contractor and offer the opportunity for rebuttal and adjudication of assessment summary level scores prior to posting the summary level scores to SPRS. This rebuttal must be made within 14 days and requires the contractor to provide additional information showing that controls have been implemented.
This is the reason why attorneys should be included early in a company’s cybersecurity assessment. The attorney should work with the company and the assessor to organize a document management system. The attorney should understand the controls and assessment objectives, and the strengths and weaknesses for determining whether a control is implemented. The attorney will quickly, and with a technical understanding, articulate how the government’s assessors either missed critical information (hence the need for organized document management) or improperly interpreted the requirements given the evidence presented.
Finally, the company and the lawyer should require three documents. First, the company should get a report on the implementation status of each of the 110 controls. Second, the company should receive a System Security Plan (SSP), a document that lays out the controls, their statuses, and the operation of the network and the controls. Third, the company should receive a Plan of Actions & Milestones (POAM) document. The POAM will list the deficient controls and the remedial actions that must be taken to bring each control to implemented status. These POAMs should be actively managed, and as the recommendations are implemented, the documentation for those actions should be kept with the control as evidence that its implementation status should be fully credited.
Lawyers must understand these three documents and should work with the contracting client to organize a system that can prove, through evidence and regulatory language, that a control has been implemented. Being a technically-capable lawyer may just help your client win contracts that they otherwise would not be eligible to win. And that, not avoiding math and IT, is the reason lawyers went to law school all along.