Lawyers, who aren’t particularly known for their sense of humor, joke that they went to law school to avoid doing math. A variant of the joke involves having to understand information technology. But lawyers must serve their clients, answer their questions, give advice and even make appeals to the government, and understanding technical cybersecurity assessments will be part of that client defense. As cybersecurity becomes increasingly important to businesses, lawyers who represent these companies need to learn more about the technical aspects of this area and its impact on their clients. This is especially true for government contract lawyers, whose clients will soon be required to demonstrate technical compliance with cybersecurity provisions in their contracts. This article should help lawyers understand what their clients should receive during and after an in-depth cybersecurity assessment, and how these assessments will be used in government contracting.
DFARS 252.204-7020 contains a provision that suggests attorneys should participate in the cybersecurity preparations of their government contract clients. And clients would be wise to involve their attorneys in the process long before they need them to act on a deadline. Because the rebuttal provision in 7020(e) allows companies to provide additional documentation to challenge assessment scores and scoring decisions, government contract attorneys will need to understand the mechanics of a score and how to argue the technical points of the assessment results.
Lawyers should first understand that assessments are performed against a cybersecurity standard produced by the National Institute of Standards and Technology (NIST). This standard is NIST 800-171. The document is in its second revision, and a third revision will soon be promulgated. 800-171 is a list of controls, organized into 14 control families and comprising 110 distinct controls. An assessor compares the text of a control with the actions taken and the documentation recorded by a company to determine whether or not the control is implemented. Controls can be partially implemented, and a company can plan to implement a control. On a contract-by-contract basis some of these controls may not apply to a business, but businesses should expect all 110 controls to be mandatory.
There are three assessment levels: Basic, Medium, and High. Basic assessments, described in Regulation 7020 and its predecessor, Regulation 7019, allow an organization to self-assess the implementation of these controls on its network. This is the more affordable option, but it is less reliable and can be biased, because the reviewer is evaluating their own work. A proper cybersecurity assessment should be performed by an external party and should produce deliverables designed to improve a company’s cybersecurity hygiene.
A proper 800-171 assessment should incorporate a companion document from NIST, NIST 800-171A. This document prescribes the methodology for conducting an appropriate assessment and, if used correctly, will help a company systematically improve its internal cybersecurity capabilities. The document covers each of the 110 controls and specifies the assessment procedure for each one. It starts with the methods used to gather the information needed to properly assess that control. For each control it lists suggested documents that should be gathered to validate the control, for example whether the company has an access control policy. The other two methods concern the people to be interviewed about the control and the technical mechanisms to be tested. A company helps itself and its assessor by organizing this documentation in one place, and in doing so it builds better internal processes and record keeping.
The following section of each control’s entry lists the assessment objectives for that control. Each assessment objective is marked as met or not met. Most controls have multiple assessment objectives. If every assessment objective listed for a control is met, the control is implemented and the company receives full credit. If any of the assessment objectives are not met, the company has not implemented the control, and the assessor should rate it as partially implemented or not implemented.
If a control is implemented, the business receives full credit in the Supplier Performance Risk System (SPRS) for the value of the control, which in practice means no points are added: the SPRS score starts at 110 points, and an implemented control neither adds to nor subtracts from that total. If a control is not fully implemented, the company loses the point value of that control, so a company can end up with a negative SPRS score. The lower the SPRS score, the less competitive the company will be for government contract awards.
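As an added illustration of the scoring rule just described (this is not code from the article or from the DoD), here is a small model of controls, their 800-171A assessment objectives, and the SPRS arithmetic. The control ids follow 800-171 numbering, but the objective labels, point weights and met/not-met outcomes are constructed sample data, not the real values for those controls.

```python
from __future__ import annotations
from dataclasses import dataclass

SPRS_MAX_SCORE = 110  # the score starts at 110 and only ever goes down


@dataclass
class Control:
    control_id: str
    weight: int                  # points lost if the control is not fully implemented
    objectives: dict[str, bool]  # 800-171A assessment objective -> met?

    def implemented(self) -> bool:
        # Full credit only when every assessment objective is met
        return all(self.objectives.values())

    def unmet_objectives(self) -> list[str]:
        return [name for name, met in self.objectives.items() if not met]


def sprs_score(controls: list[Control]) -> int:
    """Start at 110; implemented controls add nothing, deficient ones subtract their weight.
    The result can be negative when enough heavily weighted controls are missing."""
    return SPRS_MAX_SCORE - sum(c.weight for c in controls if not c.implemented())


def deficient_controls(controls: list[Control]) -> list[tuple[str, int, list[str]]]:
    """Controls that belong on a POAM, with the points at stake and the objectives still to fix."""
    return [(c.control_id, c.weight, c.unmet_objectives())
            for c in controls if not c.implemented()]


# Constructed sample results (weights and outcomes are illustrative, not the DoD's values)
SAMPLE_RESULTS = [
    Control("3.1.1", 5, {"3.1.1[a]": True, "3.1.1[b]": True, "3.1.1[c]": True}),
    Control("3.1.2", 5, {"3.1.2[a]": True, "3.1.2[b]": False}),  # partially met: no credit
    Control("3.3.1", 3, {"3.3.1[a]": True, "3.3.1[b]": True}),
    Control("3.8.1", 1, {"3.8.1[a]": False}),                    # not met
    Control("3.14.1", 1, {"3.14.1[a]": True, "3.14.1[b]": True}),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_RESULTS))  # 104
    for cid, pts, unmet in deficient_controls(SAMPLE_RESULTS):
        print(f"POAM item {cid}: -{pts} points, unmet objectives {unmet}")
```

Note that 3.1.2 loses its full five points even though one of its two objectives is met; partial implementation earns no partial credit.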
At this point, the reader may have a nagging question: does a small government contractor really have to go through all of this? After all, Medium assessments don’t even require 800-171A, and only High assessments, reserved for the largest defense contractors, do. That’s true. And misleading. A Medium assessment means the government performs an independent review of the company’s NIST 800-171 implementation, which means the Basic self-assessment performed by the company must have been done correctly. And a proper assessment uses the assessment objectives to evaluate controls. Thus, if a company subject to a Medium assessment really wants to prepare for it, its self-assessment must have the procedural rigor of an assessment carried out with the 800-171A methodology. Relying on a Basic assessment, especially a self-assessment, is an illusory promise for any company that must undergo a Medium or High assessment.
In addition, Regulation 7020(e) allows a company that has received a Medium or High assessment from a government assessor to challenge the government’s findings and argue for a higher score. The DoD will provide the Medium and High assessment summary level scores to the contractor and give it an opportunity to rebut and adjudicate those scores before they are posted to SPRS. This rebuttal must be made within 14 days and requires the contractor to provide additional information demonstrating that the controls have been implemented.
This is why lawyers should be involved early in a company’s cybersecurity assessment. The lawyer should work with the company and the assessor to organize a document management system. The lawyer must understand the controls and the assessment objectives, as well as the strengths and weaknesses of the evidence used to determine whether a control is implemented. The attorney can then explain quickly, and with technical understanding, how the government assessors missed critical information (hence the need for organized document management) or misinterpreted the requirements given the evidence presented.
Finally, the company and its lawyer must insist on three documents. First, the company must obtain a report on the implementation status of each of the 110 controls. Second, the company must receive a System Security Plan (SSP), a document that describes the controls, their statuses, and the operation of the network and the controls. Third, the company must receive a Plan of Action and Milestones (POAM). The POAM lists deficient controls and the corrective actions needed to bring each control to implemented status. These POAMs should be managed actively, and as recommendations are implemented, documentation of the actions taken should be kept with the control to prove that its implementation status deserves full credit.
Lawyers must understand these three documents and must work with the contractor client to organize a system that can prove, through evidence and regulatory language, that a control has been implemented. Being a technically proficient lawyer may just help your client win contracts it wouldn’t otherwise be eligible for. And that, math and computer science notwithstanding, is what lawyers went to law school for all along.