Compliance Report. PHOTO: Cybercrime Magazine.

Compliance Report: Compliance Is Still Your Best Firewall

Regulatory developments in 2017, industry insight, and updates

Rob Hegedus, CEO at Sera-Brynn

Suffolk, Va. – Nov. 6, 2017

At Sera-Brynn, we have a motto: Compliance is your strongest firewall. To date, 2017 has been a dynamic year for new cybersecurity regulations and compliance frameworks worldwide. At the forefront of this report is one of the most pressing compliance deadlines – the end-of-the-year deadline for Defense contractors to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 by December 31, 2017. With the finish line in sight, many Defense contractors are working long hours to finish making the needed changes and turning towards assessing their supply chains. Some are compliant. Many are not.

In this report, we look at DFARS, NIST and the push for cloud service providers to pursue or consider accreditation under FedRAMP. We also shed light on how the deadlines imposed by the New York Department of Financial Services is forcing security change in the financial services industry.

Finally, we sum up some of the interesting compliance events of the last quarter and look ahead as the end of the year races towards us. We hope this helps you keep pace.

Brendan Lynch, Chief Privacy Officer at Microsoft on GDPR Compliance

The DFARS Domino Effect

As of October 1, 2017, there are 13 weeks left until U.S. Department of Defense (DoD) contractors and subcontractors must be fully compliant with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. The regulation imposes security and incident reporting requirements and requires the implementation of NIST 800-171. The deadline for compliance is December 31, 2017.

One questions we commonly hear is: will there be an extension to the deadline? The regulation was announced in 2013 there are no rumors of extensions. The stated reason for the necessity of the regulation is “national security.” So, an extension is highly unlikely.

One of the most significant clauses of DFARS is the mandatory flow-down provisions to subcontractors. Unlike other cybersecurity regulations (like the New York regulation imposed on financial institutions, discussed below) in the DFARS, there is no across-the-board exemption for small business or businesses with minimum revenue derived from DoD sources. Small defense contractors are facing the same deadlines, the same security requirements, and, in many cases, the same push to change the way they do everyday business.

At the same time, large defense contractors are auditing their supply chains and imposing institutionalized changes in order the make their supply chain more resilient. As such, we know that DFARS non-compliance is being viewed as a systemic vulnerability in the supply chain. We have already seen businesses choose to discontinue working on government contracts rather than absorb the cost and effort to implement these acquisition requirements.

Another notable clause provides baseline requirements for use of cloud services. If a company is using an external cloud to store, process, or transmit covered information, the Cloud Service Provider (CSP) must meet minimum security requirements established under the Federal Risk and Authorization Management Program (FedRAMP), discussed below.

Most Defense contractors are evaluating sizeable investments of time and money needed to comply. And 2018 is expected to bring us additional updates to the Federal Acquisition Regulations (FAR) that expand the requirements for NIST 800-171 compliance to all Federal contractors. Expect government acquisition compliance to be an issue for months to come.


Across government agencies, focus has been shifting from technology maintenance to core competencies. In other words, technology experts provide the technology using cloud based services, while the agency focuses on the mission. FAR and DFARS requirements for CSPs have service providers wondering if a FedRAMP accreditation is a worthwhile investment.

Even more critical are cloud-based resource management systems that play a role in manufacturing or critical industries. As anyone who has worked with an Enterprise Resource Management System is aware, migration could mean years of work and millions of dollars.

This is where vendor management plays a big role – a contractor storing government data in a cloud subjects the CSP to FedRAMP or equivalent security under the DFARS clause. This has had a high impact on many small and mid-size providers, and we expect to see a market shift and consolidation as smaller MSPs and CSPs look to merge with already accredited clouds. In any case, many are now weighing the cost of a FedRAMP accreditation or equivalent security against potential business gained or lost.

There are different ways to accredit a system under FedRAMP but all require an evaluation of the system against NIST 800-53. As a Third-Party Assessment Organization (3PAO), Sera-Brynn performs initial and periodic assessments that secure the cloud.

Financial Services: 23 NYCRR 500

In March 1017, the New York Department of Financial Services’ (NYDFS) Section 500 took effect. This first-of-its-kind regulation requires establishment of a cybersecurity program, appointment of a Chief Information Security Officer, vendor management, and several technical requirements designed to protect nonpublic information. It applies to Covered Entities regulated by the NYDFS.

This past quarter contained two notable deadlines for financial institutions subject to the regulation, known as NY Rule 500 or 23 NYCRR Part 500. August 2017 marked the month that banks, insurance companies, and other financial services institutions subject to New York DFS regulation were required to create compliant cybersecurity programs. September 27, 2017 was the deadline for filing notices of exemption under the regulation.

23 NYCRR 500 is robust and has many similarities to the requirements imposed on Defense contractors via DFARS. The Colorado Division of Securities has since adopted cybersecurity regulations on brokers and investment advisors. In the absence of nationwide, regulated cybersecurity requirements for financial institutions, we expect more states will adopt similar measures.

Quarter in Review: Notable News and Compliance Events

While the massive Equifax breach dominated cybersecurity news this past quarter, a small change to NIST password guidelines created a cycle of news stories celebrating the apparent relaxing of the standard. It’s not often that NIST makes the news, but it’s also not often that a cybersecurity standard become less complex.

July to September 2017 contained some notable regulatory and legal events related to cybersecurity compliance. Some highlights include:

  • In August 2017, China reportedly brought the first enforcement action against information technology companies under China’s Cybersecurity Law.
  • In August 2017, Delaware joined 14 other states and amended its breach notification laws to strengthen the ways organizations in the state protect personal information. The changes, which include new requirement for credit monitoring and an expanded definition of personal information, will be effective on April 14, 2018.
  • On September 12, 2017, the public comment period ended for The National Institute of Standards and Technology’s (NIST) draft, Revision 5, of Special Publication 800-53 “Security and Privacy Controls for Information Systems and Organizations.” The latest draft of SP 800-53 is part of the government efforts to unify the cybersecurity framework used by the federal government, but it has practical implications for the private sector. The word “federal” has been removed from the title and the federal focus of the document has been de-emphasized. The current version, Revision 4, has been in use since April 2013.
  • On September 19, 2017, the National Institute of Standards and Technology (NIST) updated its Digital Identity Guidelines, releasing NIST SP 800-63-3. This four-volume set (SP 800-63-3, 800-63A, 800-63B, and 800-63C) provides technical requirements for federal agencies implementing digital identity services. Of all the changes, the one that made the news was the change to password guidelines. However, the updates to the approved types of Multifactor Authentication (MFA) are also significant, especially for those seeking compliance under DFARS 252.204-7012.
  • The Department of Homeland Security (“DHS”) is in rulemaking (the public comment period is now closed) with three new proposed cybersecurity regulations for DHS contractors under the Homeland Security Acquisition Regulation (HASR).
  • Organizations that process, store or handle information on European Union citizens have about 7 months left until GDPR enforcement begins – on May 25, 2018. (Also, on September 14, 2017, the UK Government published a draft of the Data Protection Bill which increases the level of cybersecurity mandates country-wide and impacts the GDPR).

Looking Ahead to the Next Quarter: What Will the DFARS Deadline Bring?

Looking ahead through December 2017, we anticipate that the collective effort of DoD contractors trying to implement DFARS requirements will reach a fever pitch. We may see movement on the proposed cybersecurity updates to the Department of Homeland Security’s acquisition rules, as well as the Federal Acquisition Regulations, which would apply to a broad spectrum of government contracts. Mandatory cybersecurity clauses in the FAR will be an enabler of change.As the year ends, watch for signs of enforcement action – to see what becomes of companies that willingly fail to comply with the cybersecurity clauses of DFARS. To put this in context, in FY 2016, the Department of Justice obtained more than $4.7 billion in settlements and judgments from civil cases involving fraud and false claims against the government. Claw backs from health care and financial fraud made up the largest portions of this $4.7 billion. We will see how cybersecurity fraud stacks up in 2017.

Compliance Report Archives

Rob Hegedus is CEO at Sera-Brynn, a global Cybersecurity Audit and Advisory firm.

Contributors: Colleen H. Johnsons, Senior Cyber Legal Analyst; Heather Engel, Chief Strategy Officer.

Sera-Brynn is a FedRAMP Third Party Assessment Organization (3PAO) specializing in cyber risk management. Offering compliance and risk assessment, risk control, and incident response services, Sera-Brynn empowers clients to manage cyber risk and meet applicable and mandatory cybersecurity regulatory standards. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn is ranked #9 worldwide on the Cybersecurity 500 list.