Caveat 12.23.20
Ep 59 | 12.23.20

Interim cybersecurity compliance rule prior to CMMC with some privacy thrown in.

Transcript

Michelle Litteken: With private companies that get hacked, governments that get hacked, there's just this increased focus on cybersecurity. And I think people are concerned the longer you wait, if something happens, there will be that, you know, Monday morning quarterbacking, looking back and saying, why didn't we put a rule in effect earlier?

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's law and policy podcast. I'm Dave Bittner. And joining me is my co-host, Ben Yelin, from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, I've got the story of the FTC demanding information from social media companies. Ben covers a privacy story out of California dealing with Uber. And later in the show, my conversation with Michelle Litteken from Morris, Manning & Martin on an unexpected cybersecurity compliance rule that's forcing government contractors to act quickly. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, why don't you kick things off for us? What do you have to share this week? 

Ben Yelin: So my native state of California has had a lot of legal run-ins with these ride-sharing applications, including Uber and Lyft. And this is just the latest story in the never-ending rift between the California state government and Uber. This is a story that comes from The Washington Post, their technology page, by Faiz Siddiqui. California regulators issued a $59 million fine and threatened to suspend Uber's license to operate in the state over Uber's refusal to hand over data on sexual assault on its platform. 

Ben Yelin: So last year, Uber had released a report on the prevalence of sexual assault on its application. It's a groundbreaking report. There was, you know, a lot of interest, a lot of news stories about it. The report indicated that in the two years prior to it being released - so 2017 through 2018 - there were 6,000 cases of reported sexual assault. 

Ben Yelin: Uber has been reluctant to transmit this data to the state of California. California wants it for its own investigative purposes. They want this information so they can fulfill their law enforcement functions if necessary and also, as regulators, to make sure that if they're granting licenses to operate in the state, Uber is not unnecessarily dangerous in terms of potential sexual assault. 

Ben Yelin: So an administrative law judge, as part of the California Public Utilities Commission - and these commissions in California are so powerful, uber powerful, if you will. 

Dave Bittner: (Laughter) You went there. 

Ben Yelin: I know. Apologies to our listeners. 

Dave Bittner: (Laughter). 

Ben Yelin: So they say that Uber has 30 days to come into compliance with this order. And it wants some pretty private information - the date, time and location of each reported assault, description of the circumstances, et cetera. They want contact information for witnesses, which is another pretty extreme request. 

Ben Yelin: What Uber is saying is it does not want to release this data because they think it would compromise the anonymity of sexual assault victims, which, to me, is a very reasonable concern. They've spoken with survivor groups, saying that the best practice is not to release this information. It can lead to additional abuse on people who've already been victimized by sexual assault. 

Ben Yelin: The California Public Utilities Commission is saying that it's going to keep the information under seal. It would be completely anonymized, and they would replace the names with unique identifiers so that you wouldn't be able to find out exactly who the person is. But, you know, in the past, they've actually, you know - prior to this particular announcement, they have been insistent on collecting full names and contact information from sexual assault survivors. 

Ben Yelin: We now have a potential legal stare-down here between two very powerful entities as it relates to private information on an application. Uber has 30 days to file an appeal. To me, it just kind of depends on who you want to trust here. I mean, as someone who would - probably more inclined to trust the California Public Utilities Commission, it at least raises eyebrows that they want this really personal information taken from the Uber application. 

Dave Bittner: All right. Well, let me get some clarifications here from you. So first of all, when we're saying prevalence of sexual assault on its app, are we really saying enabled by its app? And we're talking about - I mean, this is people who are getting sexually assaulted during the course of a rideshare, yes? 

Ben Yelin: Yes, right. So it's an app-based ride-sharing service. It's not the app itself, as you say, that's facilitating the sexual assault. That's correct. 

Dave Bittner: Right. Right. So we're not talking about sending nude pictures of - the drivers aren't sending erotic pictures of themselves to their passenger. This is in the car or that sort of thing. 

Ben Yelin: Exactly. Exactly. 

Dave Bittner: OK. Why are they being stubborn about meeting all of these specifics? What difference does it make to them? Any indications? 

Ben Yelin: So it's one of those things that they probably don't want to reveal the full details of what they're after. My guess is it's going to be part of a regulatory investigation into how Uber operates in the state and if Uber has done enough in the wake of the report that it's released last year to root out sexual assault. 

Ben Yelin: I think you can't understand the story outside the context, which is there is this major battle between the state of California. It went to a ballot proposition about ride-sharing services and minimum wage. There's already kind of a political battleline between state regulators and Uber and Lyft in particular. So I think this is part of a broad regulatory effort to try to understand the scope of the problem. 

Ben Yelin: But to answer your question, I mean, that's what I'm sort of confused about. Why exactly would they need this level of personal information? You'd probably want to root out patterns of abuse. 

Dave Bittner: Right. 

Ben Yelin: So if something has happened in particular neighborhoods, a certain type of driver, that might be useful information. 

Dave Bittner: Maybe a particular driver themselves who has a pattern, who's done this more than once. 

Ben Yelin: Right. 

Dave Bittner: I'm just thinking, like, if they had a driver who was trouble, Uber knew this driver was trouble and Uber didn't do anything about it or didn't do enough about it, well, that's certainly something that California wants to know about. 

Ben Yelin: Right, and they'll levy a huge regulatory fine against Uber. And I think that's the purpose of all of this. 

Dave Bittner: Right. 

Ben Yelin: But why they need to get information on the victim - part of my hesitance to it is it almost doesn't matter to me what the demographic or other information is about the victim in the first place. I'm sure it could be useful for some statistical purposes, but it's almost like getting to a potential danger area of victim-blaming, to be like, oh, well, most victims were within this age range. They weren't acting responsibly. 

Dave Bittner: Right, right. 

Ben Yelin: You know, they came from these neighborhoods. 

Dave Bittner: What were they wearing? 

Ben Yelin: Yeah, exactly. So that's why I think Uber, through its public relations office, has been right to push back against this, saying it's not the best practice. We've talked to advocacy groups. This is not something that they recommend. And we're not going to trust you to keep this private information under seal. It would be a betrayal to our customers, particularly ones who have already gone through so much in the wake of being sexually harassed or assaulted. 

Dave Bittner: Yeah. This is an interesting one - isn't it? - because I guess California has really been after these ride-sharing companies, as you say. 

Ben Yelin: Yes. 

Dave Bittner: And so I can see on the one side of California saying, OK, that didn't work. Let's try this. That didn't work. Let's try this. You know, like, I suppose a case could be made that California has it in for these companies. I'm sure that's probably the case that Uber and Lyft are making here. 

Ben Yelin: Yes, it is. 

Dave Bittner: But I don't know that that's what this is. I mean, perhaps in their enthusiasm to go after the companies, they're losing, you know, the forest for the trees in demanding information that I just - I'm with you. I don't see the case being made for, A, that they need this information at all, but also, B, that they can say with certainty that they'll be able to keep the information private because we know information can be de-anonymized. 

Ben Yelin: It sure can. 

Dave Bittner: It's not that hard. 

Ben Yelin: Yeah. You know, another thing that's mentioned in this article is, what happens when other companies start to get these requests? They're going to be less likely to comply if they know that they'd have to hand over, you know, private information - that if you have a lack of clarity from exactly what the California Public Utilities Commission is after, what kind of information they're requesting, companies might just try to avoid releasing these types of reports altogether. 

Dave Bittner: Yeah. 

Ben Yelin: So it's a disincentive for a future Uber - say, their main competitor - to conduct their own report on sexual assault because otherwise, they're going to run into these issues with state regulators. And I think that's a bad incentive structure, in my opinion. 

Dave Bittner: And also, I could imagine for the victims themselves. If you know that if I report this to the company, then they are then obligated to send all my information along to The Government... 

Ben Yelin: Right. 

Dave Bittner: ...Capital T, capital G - that may make me hesitant to report this all... 

Ben Yelin: Absolutely. 

Dave Bittner: And we don't want that to happen either. 

Ben Yelin: No. We want people to be able to come forward. 

Dave Bittner: Yeah. 

Ben Yelin: So unless, you know, the Public Utilities Commission comes up with a very compelling reason why they need this additional information, I think we are right to join Uber in being skeptical, you know, even though it's not my natural inclination to side with Uber on these types of things. 

Dave Bittner: Now, what happens next? Does this go in front of a judge and they both make their cases and the judge makes a decision? Where does it go from here? 

Ben Yelin: This was a decision made by an administrative law judge working on behalf of this commission. Uber has the opportunity to appeal to a state court judge, which it seems that they are going to do. 

Ben Yelin: So administrative law judge, you know, is - I don't want to insult them, but it's kind of a step down from, like, a state trial judge or a state appeals judge. They deal with administrative matters, whether such and such company is subject to a particular fine, et cetera. 

Dave Bittner: I see. 

Ben Yelin: So Uber does have the opportunity to seek appeal. They have 30 days. I'm sure their willingness to appeal depends on what they see as the PR angle here. I mean, we've seen with other companies - you think back to the Apple and FBI dispute. If you want to advertise yourself as protecting user information, this might be the high-profile fight you want to take on, saying, we will take this to court because we're that committed to protecting private information, particularly on something that's such a sensitive subject. 

Dave Bittner: Yeah, yeah. Boy, what an interesting story. All right, we'll have a link to that. Again, that's from The Washington Post. We'll have a link to that in the show notes. 

Dave Bittner: My story this week is, I suppose, in a way, kind of follow-up to something you talked about last week, which was the antitrust case coming down against Facebook. And in the meantime, the FTC - the Federal Trade Commission - has reached out to a bunch of organizations. They've contacted Amazon, TikTok, Discord, Facebook, Reddit, Snap, Twitter and WhatsApp and YouTube. 

Ben Yelin: All the companies that run the world, yup. 

Dave Bittner: (Laughter) All the biggies. And they've demanded that they turn over details on their data collection and advertising practices. The companies have 45 days to respond to the order. Again, this is the government taking a closer look at these Big Tech companies, at our privacy and so on and so forth. 

Dave Bittner: Interesting that the FTC commission came after them with a 4-1 vote. One commissioner, Republican Commissioner Noah Joshua Phillips, dissented. And he said that (reading) the breadth of the inquiry, the tangential relationship of its parts and the dissimilarity of the recipients combine to render these orders unlikely to produce the kind of information the public needs and certain to divert scarce Commission resources better directed elsewhere. So that's one way to look at it, but he got outvoted 4-1 (laughter), right? 

Ben Yelin: Yeah. 

Dave Bittner: Is this just another step? How big a deal is this, Ben? 

Ben Yelin: So this is the next step. I think that started earlier this month when you had 48 state attorneys general and FTC itself start to file these antitrust actions against these Big Tech companies. And as we said on our previous show, this is something that's going to be a very long process, years and years worth of discovery. 

Ben Yelin: I think the first step is figuring out what these sites do with user data. Whether that's the first step in this lawsuit or the first step for some other regulatory action that the FTC wants to take, I think it's kind of all part of the same game here, where we're pulling the hood up on what goes on with these tech companies. 

Ben Yelin: I thought the dissenting view of the FTC commissioner, the Republican, was really interesting, basically saying that not only is this request overbroad, which could be the grounds for some potential legal challenges, but also, this isn't the type of information that the public would actually need. And, you know, the FTC has finite resources. So if we're combing through these nine huge tech companies and exactly everything they do with their data, it would overwhelm their resources and divert attention that could be spent elsewhere, including on these antitrust lawsuits. 

Ben Yelin: So, yeah, I mean, this is part of Big Tech finally being placed under the microscope and facing some accountability. This request, because it's so controversial and because of the breadth of the information that's part of this request, I think certainly is more newsworthy than anything else we've seen come from the Federal Trade Commission as it relates to Big Tech companies. 

Dave Bittner: Yeah. By the way, this article is from NPR, written by Jaclyn Diaz. It says that the agency - the FTC - is using its authority under Section 6(b) of the FTC Act, which allows it to undertake broad studies separate from law enforcement. Do you have any sense for the degree to which the FTC has the ability to demand things, to tell these companies what to do? And what's their ability to say no (laughter)? 

Ben Yelin: They have very little ability to say no. Now, they can challenge these requests in court, and sometimes they do so. But the FTC has pretty broad powers as a regulatory agency. Congress has purposely given them wide enforcement power so that they can get all the information they need to expose corrupt or improper trade practices. So it's generally not easy to say no and not comply with these requests. I mean, I'm sure we will see some litigation. But it's also the case where you wonder if some of these tech companies might want to pick their battles. 

Ben Yelin: You know, if you're being sued over antitrust issues and data-sharing - there are other suits, like the 11 states that sued Google, alleging that Google violated competition law, the suits against TikTok in federal court. You almost think, like, these companies themselves have a finite amount of legal resources. Even with large, you know, in-house counsel departments, they might choose to comply with this and save their fight for another day. But certainly, the authority under this section of the FTC statute is extremely broad. 

Dave Bittner: This is information gathering from the FTC's point of view at this point, right? That's what this is. 

Ben Yelin: Yeah, it's information gathering. It's the beginning of an investigation. 

Ben Yelin: You know, and it's not just the FTC that's going to want this information. I mean, my guess is in the next session of Congress, if Congress takes seriously its renewed effort to go after Big Tech, then perhaps congressional committees will try and subpoena this information, and we'll have coexistent investigations. 

Ben Yelin: This is a request for information. It's an extremely broad request. It might take a long time for these nine tech companies to fulfill the request. But, yeah, this is still a preliminary step. 

Dave Bittner: All right, well, as you say, this is going to play out over months and years, so I'm sure we'll be checking in on it as time goes by. 

Ben Yelin: We will be extremely grumpy old geeks. 

Dave Bittner: (Laughter) But it seems as though the focus is finally on these companies, right? There's no denying that now. This snowball has started rolling down the hill. 

Ben Yelin: Yeah. I mean, I think that's the lesson we can take from the past few years, is that for such a long time, they've skirted this type of accountability. Now, there were a bunch of reasons, starting with Cambridge Analytica, you know, that these issues started to get into the limelight. But, yeah, now, as they say, that train has left the station. 

Dave Bittner: Right. 

Ben Yelin: And, you know, especially because you see bipartisan support for investigating Big Tech companies, albeit sometimes for different reasons, they are going to be under the microscope. And so you see them kind of making decisions where they hedge a little bit. 

Ben Yelin: We've talked about Section 230. But I think when you're under such a barrage of legal challenges, that's when you would understand why Facebook might be like, OK, you want to change Section 230 of the Communications Decency Act to make our lives a little more difficult, that's something I'm willing to work with you on. You know, we can come up with a satisfying standard that applies to all of us. That's one less battle we're going to have to fight in this ongoing series of lawsuits, regulatory investigations, et cetera. 

Dave Bittner: All right, well, we will keep an eye on it. That is my story this week. Of course, we'll have a link to that in the show notes as well. 

Dave Bittner: It is time to move on to our Listener on the Line. 

(SOUNDBITE OF PHONE DIALING) 

Dave Bittner: We got a nice correspondence from a listener named Mitch (ph) who wrote in to us. He actually was listening to one of our older episodes - back on Episode 51, which I - you know, like me, Ben, you have all of our episodes memorized. 

Ben Yelin: They're all memorized, yeah. Right in my head. 

Dave Bittner: (Laughter) So you know exactly what he's talking about. We'll get to the point here that he makes. He was listening to that episode, and he said, interesting episode interview with which I completely disagree. Not a surprise that you have listeners who disagree with you, I'm sure. 

Ben Yelin: No, and we welcome it. 

Dave Bittner: He said the cybersecurity laws that have the word reasonable in them should just be deleted. They are totally and completely meaningless. Other than that, they generate a huge amount of revenue for lawyers like Ben, which I guess helps the economy. 

Ben Yelin: I've got to stop you right there. 

(LAUGHTER) 

Ben Yelin: I wish I was making a lot of revenue from the word reasonable in these cases. 

Dave Bittner: Well, you know, I think you're just thrown into that big pile of lawyers, Ben. 

Ben Yelin: Yeah. 

Dave Bittner: I mean, you've got to own it, right? 

Ben Yelin: I deserve it, absolutely. 

Dave Bittner: There's a reason why there are so many lawyer jokes, right (laughter)? 

Ben Yelin: Yup. 

Dave Bittner: So Mitch goes on, and he says, since every business defines reasonable using their own definition, the only way you can come to any kind of conclusion about whether reasonable is reasonable is by spending hundreds of thousands of dollars on lawyers, which I don't think is a great thing. 

Ben Yelin: Disagree. Disagree. 

Dave Bittner: Laws like New York's SHIELD Act and DFS 500 go completely in the other direction until you have the names of the policies you have to have. 

Dave Bittner: So he goes on from there, but I think that's the large picture there. And I think it's an interesting point - is that we see this a lot in all sorts of areas of the law. Is it fair to call them weasel words, like reasonable? 

Ben Yelin: Yes, it is. 

Dave Bittner: (Laughter) What's your take on this, Ben? 

Ben Yelin: The thing is it's not something that's the creation of - it's not a recent creation. It's not something that lawmakers have started doing in the past 50 years to wiggle themselves out of high-profile legal cases. 

Dave Bittner: Yeah. 

Ben Yelin: You look at the language of our Constitution, there are a lot of weasel words in there, too. I mean... 

Dave Bittner: Yeah. 

Ben Yelin: ...I'm a Fourth Amendment guy. The literal language there is a prohibition on unreasonable searches and seizures, you know? 

Dave Bittner: Right (laughter). What does that mean? 

Ben Yelin: So what exactly does that mean? It develops over hundreds of years' worth of court cases. 

Ben Yelin: I actually am sympathetic to this listener's view of that particular interview 'cause I do think, you know, you run into some enforceability problems if lawyers are arguing forever over whether an organization, hospital system, whatever has acted reasonably. And I think that's a very valid and reasonable criticism. You know the old Churchill quote about how democracy is the best system of government except for all the others? 

Dave Bittner: Right, right (laughter). 

Ben Yelin: Did I get that wrong? 

Dave Bittner: I think you got it backwards, but (laughter)... 

Ben Yelin: I got it backwards, yeah. 

Dave Bittner: Yeah. 

Ben Yelin: It's some variation of that. That's sort of my philosophy to these weasel word tests, is the alternative is that you have statutes that are overly specific and, therefore, don't apply to a wide enough range of potential situations, and then those laws become relatively useful. So if they're very narrow in their application - or relatively useless, I should say. If they're so narrow in their application, then they're not going to have much of an impact to begin with. And that's why I think we see some of these weasel words in statutes. 

Ben Yelin: And the professor on that call certainly included these types of words in his own proposal for how we should be adjudicating these types of cases. 

Dave Bittner: So the inclusion of words like this, is this kicking the can down the road, or is it trusting that throughout time, as opinions change on things, standards change, that, you know, making your case in front of a judge and jury or whatever will be contemporaneous with the definition of reasonable at that time? 

Ben Yelin: Yeah. I mean, it's always so hard to know if lawmakers, when they put language in there, have that sort of foresight. I don't know that they generally do. I mean, oftentimes, they put language in there thinking that they're going to leave it up to regulators to define what reasonable is... 

Dave Bittner: Ah. 

Ben Yelin: ...Because in their minds, they're delegating that power to the executive branch, saying, I don't know enough about this particular issue to determine what reasonable means in this context, but I'm sure somebody at NIST or at the Department of Homeland Security - they can come up with a reasonable definition. They have institutional expertise. 

Dave Bittner: Right. 

Ben Yelin: So if I put words in there that are vague enough, then I can allow those executive agencies to come up with rules to help define those terms. But again, those terms don't always end up getting defined in a satisfying way. So, yeah, I mean, I think that point is certainly well-taken here. 

Dave Bittner: Yeah. All right, well, we appreciate Mitch writing in. I think it's a very interesting point he makes. So... 

Ben Yelin: Absolutely. 

Dave Bittner: Thanks for sending in your opinion there, Mitch. We do value it. And we would love to hear from you. We have a call-in number. It's 410-618-3720. You can call and leave a message. And you can write us. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Michelle Litteken from Morris, Manning & Martin LLP. And she joins us with an interesting conversation about kind of an unexpected cybersecurity compliance rule that is making government contractors step up and have to adjust and act quickly. It's an interesting little case here. So here's my conversation with Michelle Litteken. 

Michelle Litteken: Like many industries, the government contracting industry has seen a focus on increased cybersecurity over the last several years. As you can imagine, government contractors often have some pretty sensitive information on their systems. And we knew that there would be new rules coming at some point. The focus of those rules was called the Cybersecurity Maturity Model Certification, or CMMC process, and that has been expected for, I'd say, a year or two. 

Michelle Litteken: The surprise came recently when the DOD announced a rule that included CMMC but also includes a new DOD assessment methodology that uses NIST SP 800-171, which consists of over a hundred different standards of cybersecurity. 

Michelle Litteken: And I'll say that there is currently a regulation - it's in the Defense Acquisition Regulations - that applies to any DOD contract, potentially, that uses the NIST SP 800-171. But at this point, contractors have been self-certifying that. So they check the box, and they say, yeah, our systems are good to go under the NIST. 

Michelle Litteken: Now, with this newly announced methodology, they're going to have to, for a level - a basic level - still self-certify, but they're going to have to provide more information to the government to back up that self-certification. And then there'll also be medium- or high-level assessments that include more standards. And the government will be actually coming in and conducting those certifications, which will be required for contracts that have more sensitive, more secure-type information. 

Dave Bittner: Now, you mentioned that this was a surprise. I mean, to what degree was it a surprise? Did this come out of nowhere? 

Michelle Litteken: Yes, (laughter) in short. 

Dave Bittner: Really? Wow. 

Michelle Litteken: The CMMC was expected... 

Dave Bittner: Yeah. 

Michelle Litteken: ...And it wasn't really clear how - we knew it was going to be rolled out over the next five years because the CMMC process is going to use third-party certifiers, and there'll be five different levels for CMMC. So that's a more complicated new system to roll out. 

Michelle Litteken: So this DOD NIST assessment is seen as kind of a stopgap measure to fill in this five-year gap between when CMMC is going to be fully rolled out because we need to be protecting the information now in the interim, and I would suspect the DOD and the government generally are losing confidence that the self-certification that officers have been doing to date is sufficient. 

Dave Bittner: Oh, interesting. So what has the overall reaction been to this? I mean, I think fair to say, in general, people don't like surprises. 

Michelle Litteken: Yeah. And I think it would vary a little bit depending on how sophisticated the company is and what its current operations are. A lot of people that I've talked to are confused and surprised, especially with respect to the timing. This is going to take effect November 30. 

Michelle Litteken: So an additional surprise of this was that it was announced as an interim rule. You know, if you want to get lawyerly and wonky, the way these things normally roll out is you have a proposed rule, you have the time for notice and comment, and then a final rule is issued. That process can take over a year sometimes as different stakeholders, the industry weigh in. 

Michelle Litteken: This was announced as an interim rule. So it goes into effect, and then maybe they work out some of the problems and the details as it goes into effect and they get comments on it. So that was another big part of the surprise. 

Michelle Litteken: So a lot of contractors are kind of shocked that they could have put a proposal in for a procurement months ago, and if it hasn't been awarded yet and it's awarded December 2, they're going to have to have an assessment on file if it's covered by this rule, which, you know, many contracts are. 

Michelle Litteken: That's an additional complexity, is that it's - this covers what's known as covered information systems, which the government isn't always clear with contractors on whether they do have covered information systems, on whether they're handling the kind of sensitive, unclassified data that is subject to these rules. So there's just been really a lot of confusion within the industry. 

Dave Bittner: Has there been any sort of reading between the lines? I mean, was there an event that people can look to that triggered this sort of unusually fast timeline on the DOD's part? 

Michelle Litteken: I don't think so. I think it's just more of an evolutionary process, that there's been a heightened increase on these issues over time. There's been a Huawei ban in effect. That started out as just that you couldn't use Huawei or other type of - their affiliates, I'll say, their equipment or services in performing a contract. Then, earlier this year, that was broadened to you can't even have a contract or just can't have that as part of their telecommunications backbone or their IT backbone. Even if they're not using it in connection with a contract, you have to certify that you don't have those systems. 

Michelle Litteken: So I think it's just an overall - as we've seen in society, you know, with private companies that get hacked, governments that get hacked, there's just this increased focus on cybersecurity. And I think people are concerned the longer you wait, if something happens, there will be that, you know, Monday morning quarterbacking, looking back and saying, why didn't we put a rule in effect earlier? 

Dave Bittner: What are you hearing from the folks that you work with in terms of the real-world effects of this and how this is going to impact the way that they do business? 

Michelle Litteken: So we've talked to several companies. They don't feel confident in being able to do the assessments on their own, especially if they're not, you know, an IT security company that does this day in and day out. So there is a lot of churn in the industry and questions in the industry about who is the right consultant or third party to bring in to help companies meet these standards. 

Michelle Litteken: And then, how expensive is that going to be to, one, get those services to help advise you on what to do, and then, two, put in any measures that are necessary to help bring you into compliance? And ultimately, whether expending those costs is going to be worth it to continue to do business with the government. 

Dave Bittner: Is my perception correct that there's also kind of a wait-and-see kind of thing to see to what degree the government is going to be enforcing things and what particular things they focus on? 

Michelle Litteken: There is a bit of a wait-and-see at several points in the process. One is whether the provision that requires this assessment is going to be in your contract. So there is waiting to see until that happens. For some contracts, I think it's pretty obvious because, you know, you'll be dealing with maybe, you know, military defense information, so it's probably going to be there. But other things - maybe you have DOD personnel information. Are they going to require it for that? 

Michelle Litteken: There's also some waiting and seeing if you're a subcontractor to see if your prime contractor is going to flow this requirement down to you and make you comply with it because prime contractors often need to do those things. 

Michelle Litteken: And then, yes, as you mentioned, there are over a hundred security requirements in the NIST standard. You don't need to have all of them to achieve the basic level, but you need to have a plan in place for how you're going to achieve all of them. 

Michelle Litteken: So there is a question of, which ones will the DOD really focus on and say, well, if you don't have this one now, that's a problem, whereas, OK, we're comfortable waiting, you know, 60 days, 90 days, six months if it's going to take some time for you all to implement some of these standards? 

Dave Bittner: So where do you suppose this is going to go from here? I mean, this is an interim rule. What happens next? 

Michelle Litteken: Well, as of November 30, it will start going into effect. Contractors will need to start complying with it, certifying that they have it. I expect to see more and more companies in the marketplace offering services to help contractors get up to speed here. I could see more enforcement actions on behalf of the government in the coming years if people are not complying. 

Michelle Litteken: And then if there is a hack, there are going to be questions about, well, which of these 100 or more requirements did you certify that you met that you didn't that led to this security incident, and looking at, was there a misunderstanding that made a company certify that it did meet those, or was there some kind of misrepresentation, which could open the door to other kinds of liability? 

Michelle Litteken: And then I think there may even be kind of a refocus within the government to say, which of these standards is the most important or are the most important collectively as different security threats evolve and we see, you know, how different state actors or nonstate actors are targeting different contractors? 

Dave Bittner: When you switch from being self-certified - and I would imagine that different organizations, you know, define that differently. I think we all, you know, have experienced working with companies who do everything by the book, strictly so, and others are looser when it comes to those sorts of things. And I suppose that's natural. 

Dave Bittner: I guess one of the things I'm curious about is in the government switching to a process where they're going to be providing some of the verification of the certification, does that mean that DOD is spinning up a new department or a new group of folks who will have to take on this work? 

Michelle Litteken: So there's a two-part answer there. 

Dave Bittner: Yeah. 

Michelle Litteken: For the DOD assessment, it will be the government responsible for the medium or the high assessment. And the rule isn't 100% clear on who within the DOD will be doing that. I suspect it would be somebody from within one of the DOD technical entities. 

Michelle Litteken: The CMMC assessment creates a whole different system because for those five levels, regardless of the level, it's going to have to be a third party that comes in and certifies the company and then provides that information to the government. 

Michelle Litteken: And that's created some concerns about conflicts of interest because if the same company - CMMC company - comes in and helps a company get up to standard, will that company also be allowed to certify the company? It's my understanding that the government's not going to allow that to happen. So then you're going to have your government contractors having to incur two separate costs, one with the company to help them get up to speed and then the other with the CMMC company that's going to charge them to get whatever level is needed for the contract that they're seeking. 

Dave Bittner: Right. 

Michelle Litteken: And then if a security incident does happen, you have potential liability for the CMMC company that certified and said they did meet standards when maybe they didn't and the contractor itself. 

Dave Bittner: Yeah. I mean, it's fascinating. I mean, you can see how this is all necessary stuff, but you can't help thinking that we're injecting some uncertainty, complexity and, I guess, also cost into all of this. 

Michelle Litteken: I agree. I don't know if it's unique to the government industry, though, because I've talked to some clients who also do work with financial institutions that will often bring in either their institution's security team or third parties to do kind of vulnerability testing and cyber testing before they agree to work with third parties because they view their information as sensitive. 

Dave Bittner: Right. 

Michelle Litteken: So this could be, you know, more - and I think you probably know even more than I. This could be something that's just an evolving trend, that eventually every industry that handles sensitive information is going to have to have some kind of certification or assessment done. 

Michelle Litteken: I think most people now have been the victim of hacking, you know, whether it's the credit cards or the credit agencies or security clearance information through the Office of Personnel Management. I think most people in this country have been touched in one way or another by these incidents. 

Michelle Litteken: And then... 

Dave Bittner: Yeah. 

Michelle Litteken: ...It's a question of cost-benefit analysis and how much to spend on kind of proactive, preventative measures to prevent those things from happening. I will note that although this is beginning with the Department of Defense, we often see the rest of the government - or known as the civilian agencies - follow what the Department of Defense does. And we've already seen some chatter that civilian agencies will adopt similar rules. So even for contractors that currently only work with the Department of Defense, this will likely soon affect all government contractors. 

Dave Bittner: Yeah, so take note (laughter). 

Michelle Litteken: It's coming. 

Dave Bittner: Right, right. 

Dave Bittner: All right, Ben, interesting stuff. What do you make of this? 

Ben Yelin: Yeah. I mean, I can certainly understand the angst of cybersecurity compliance officers and... 

Dave Bittner: Right (laughter). 

Ben Yelin: ...Attorneys at companies all across the country. This is quite a window into the federal rule-making procedures, which I'm - you know, I'm always happy to nerd out on the difference between interim rules, final rules, what goes into notice of proposed rule-making and the notice and comment period. I'm always amenable to these types of discussions. 

Dave Bittner: Yeah. And interesting, you know, for the folks who have to implement these sorts of rules and adapt to them along the way, as Michelle says, you know, there's a lot of, do you wait and see? Do you jump right in? You know, there are competitive issues here as well. 

Ben Yelin: Right, because if you're using your resources to comply with an interim rule and it turns out that that interim rule is going to be partially changed to reverse into a final rule and your competitors have not invested those resources, then you're putting yourself at a competitive disadvantage. 

Ben Yelin: It's always the lack of clarity that's so confusing about this. And unfortunately, this has a disproportionately negative impact on smaller companies. Big tech companies have people who follow the federal registry website and who can track these things before most of us are aware of them in public. 

Dave Bittner: Right. They're represented by people like Michelle and the folks at her organization to help shepherd them through it. 

Ben Yelin: Right. And unfortunately, most organizations don't have themselves a Michelle because they're smaller and potentially can't afford one, and they're still going to be affected by this type of regulation. 

Ben Yelin: Now, the regulatory system is set up that, you know, at least regulators are supposed to take into account the negative impact of a regulation on small businesses. But, you know, there are always rules that even with that under consideration are going to put a burden on these businesses. 

Dave Bittner: Yeah. All right, well, we appreciate Michelle Litteken for joining us. Again, she's from the firm Morris, Manning & Martin. We do appreciate her taking the time. Really interesting insights there. 

Dave Bittner: That is our show. We want to thank all of you for listening. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producers are Kelsea Bond and Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.