By Michael Bhargava and Madison Plummer

The public disclosure of cyberattacks on Latin American governments further highlights the need for all government contractors to remain constantly vigilant and to ensure the protection of sensitive data.

In September, an international group of “hacktivists” called Guacamaya provided journalists access to 10 terabytes of data hacked from the militaries of Colombia, Peru, Chile, Mexico, and El Salvador, as well as the national police of El Salvador. The Mexican government confirmed last week that data had been stolen from its Defense Ministry, including sensitive information on military operations, surveillance of political and social movements, ties to narco-traffickers, and even the president’s health. The Chilean government also confirmed that a leak of 400,000 emails—including top-secret documents—was genuine, and it announced the resignation of the head of its Joint Chiefs of Staff in response.

Guacamaya reportedly gained access to these networks using ProxyShell, which exploits Microsoft vulnerabilities that allow hackers to take control of Exchange email servers. Although patches for these vulnerabilities were released more than a year ago, the timing of the hacks suggests that the vulnerabilities were never patched. According to a recent study, 42% of companies that experienced a data breach in 2020 failed to patch a known vulnerability.

These cyberattacks illustrate the importance of safeguarding valuable government data.

Federal contractors store, handle, and access government and proprietary data in support of critical U.S. Government missions and programs. With such a target-rich environment, hackers frequently focus on federal contractors for socio-political reasons (e.g., the Guacamaya Hack), economic gain (e.g., the Maui Ransomware), or espionage. Indeed, government contractors are under constant threat from sophisticated ransomware attacks, leaked credentials, and theft of data from advanced persistent threat activities.

Federal contractors must maintain a comprehensive cybersecurity plan to protect their own data and that of government clients, or risk facing both cyberattacks and legal liability.  Government contractors and entities interested in entering the federal marketplace should, at a minimum, implement a system security plan in addition to complying with individual contract requirements to ensure adequate protection.

  • System Security Plan: At a minimum, contractors should have a comprehensive cybersecurity plan that contains (1) cybersecurity policies, procedures, and plans; (2) the design and implementation of security controls as defined in the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and NIST Special Publication 800-171; and (3) supporting sub-projects that complete the cybersecurity requirements for the company.
    1. Cybersecurity policies, procedures, and plans should outline the internal governance regime for your company’s cybersecurity plan. This includes how the cybersecurity plan will be designed and implemented, what controls and functions will be contained in the plan, which risk mitigation procedures will be followed, how to report breaches and compliance issues internally, and who within the company will be responsible for monitoring and updating the plan.
    2. NIST SP 800-171 provides recommended requirements for protecting the confidentiality of “controlled unclassified information” within supply chains tied to government contracts. Specifically, this publication includes 110 controls that should be mapped across the organization’s relevant policies, standards, or other documents when applicable. Should contractors want to go above and beyond the minimum requirements established by NIST SP 800-171, NIST SP 800-53 provides a full collection of security and privacy controls for all U.S. federal information systems. Furthermore, defense contractors should be preparing for the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) 2.0 certification rule that is to take effect in Spring 2023.
    3. Supporting sub-projects include the tools and plans to support the implementation and validation of both the cybersecurity policies, procedures, and plans and the NIST/CMMC requirements.
  • Contract Compliance: In addition to a System Security Plan, contractors should review each government contract for specific cybersecurity requirements that may exceed the baseline requirements. The Defense Department, for example, has instructed contracting officers to use contractual remedies to ensure that contractors have “adequate” cybersecurity capabilities. Defense contracts will likely include DFARS 252.204-7012 (and CMMC 2.0), which requires contractors to implement NIST SP 800-171 for covered defense information and requires contractors to report cyber incidents that affect such information. Failure to adhere to such specific contract requirements may result in default termination, poor past performance ratings, or monetary claims by the Government. In certain circumstances, failure to comply with these mandatory cybersecurity requirements may lead to False Claims Act liability, as described in the Department of Justice’s Civil Cyber-Fraud Initiative, and, potentially, suspension or debarment.

Due to the high risk of cyberthreats, contractors should pay close attention to their cybersecurity systems and whether such systems are compliant with the NIST standards and specific requirements in their government contracts. Nichols Liu has extensive expertise in these areas and can help you attain your compliance goals through assessment of your cyber systems, upgrading of those systems to meet standards, and assistance with continuing contract compliance. Please contact the authors of this article or the Nichols Liu attorneys with whom you regularly work.
