Ep #108 - Legalities Around CUI

January 4, 2023

Orgs in the DIB need to protect CUI in alignment with the NIST 800-171 cybersecurity standard—and soon the Cybersecurity Maturity Model Certification (CMMC) requirements—or face legal and compliance penalties as well as potential lost business.

To clarify the biggest questions and reveal the most dangerous unknowns in the convoluted realm of CUI, your host John Verry, Pivot Point Security CISO and Managing Partner, sits down with Stephanie Siegmann, Partner and Chair at Hinckley Allen to share her knowledge on the subject.

Join us as we discuss:

The difference between CUI Basic and CUI Specified
Criminal penalties for “export controlled” CUI violations that will probably shock you
Sound advice on handling data subject to ITAR, NOFORM and other regulations
How to get your CUI questions answered—and what to do if you’re still not sure
The US Department of Justice Civil Cyber Fraud initiative, the False Claims Act, and why you don’t want to fire the whistleblower

To hear this episode, and many more like it, we would encourage you to subscribe to the Virtual CISO Podcast on our YouTube here.

To Stay up to date with the newest podcast releases, follow us on LinkedIn here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.

See Below for the full transcription of this Episode!

Intro Speaker (00:05):

Listening to the virtual CISO podcast, providing the best insight on information security and security it advice to business leaders everywhere.

John Verry (00:18):

Uh, hey there, and welcome to yet another episode of the virtual CISO podcast. Uh, with you is always your host, John Very, and with me today, Stephanie Siegman. And I hope I got that right. Hey, Stephanie.

Stephanie Siegmann (00:30):

Hi. Yes, you did get that right.

John Verry (00:32):

Um, so I always like to start simple. Uh, tell us a little bit about who you are and what is it that you do every day.

Stephanie Siegmann (00:38):

Thank you, John. And, uh, and thank you for having me on the podcast. Uh, so I started out my career 25 years ago as a Navy jag, right after law law school. Uh, and I served the country in Norfolk, Virginia at the Navy base there, uh, for approximately three and a half years. And after that, I went into private practice for a few years and then joined the US Attorney’s Office, uh, in the district of Massachusetts in 2003. Um, from 2003 until March of this year. I actually was a national security prosecutor the last four years of which I was the National Security Chief, uh, which meant I was in charge of all of the terrorism espionage on cyber, cyber investigations involving national security threats, um, China, Russia, all of the, our, you know, largest adversaries or biggest adversaries. Um, since March, I have been at the law firm of Hinckley Allen, where I’m a partner and I specialized in cybersecurity, leading their practice in that area, as well as international trade and global security. I also do a color defense, but my, the majority of my time is spent on cybersecurity and international trade export control issues.

John Verry (01:51):

And I would imagine you sleep a little bit better now than you did for a number of those years, <laugh>, because I’m always amazed that people that, that work in the government and they know things that the rest of us don’t know and don’t want to know and allow us to sleep at night. So thank you for your service and allowing me to sleep well, while you didn’t <laugh>, um, I always, uh, I always ask, uh, what’s your drink of choice?

Stephanie Siegmann (02:12):

So I couldn’t live without my coffee. Uh, as you just mentioned, I didn’t sleep a lot. I had my cell phone, um, or my mobile phone right next to my bed at night. Uh, and often was woken up with issues regarding threats. I raised three kids, so I also also, <laugh> didn’t sleep well, <laugh>. Um, so that would be my, but on the weekends, I like my Sauvignon Blanc, uh, wine, uh, to relax.

John Verry (02:36):

All right. And, uh, you please tell me that you don’t sleep with your phone next to your bed anymore.

Stephanie Siegmann (02:41):

Um, no, but I have my ringer loud enough from the, from downstairs that if there was a client emergency, I would hear it, so.

John Verry (02:48):

Okay. All right. Well, I’m sorry to hear that. So, so thank you for coming on today. Uh, I, I appreciate it. And, and based on your background, I think people are gonna quickly know why I was excited to have you on the podcast. So, you know, we’re spending, as you might imagine, with Cmmc an awful lot of time these days in the defense industrial base. And one of the biggest pieces of confusion that I think the vast majority of our clients have is trying to determine what is and what isn’t CUI in their environments. Um, and then we also see confusion, and I, I’d actually say more so than confusion, a lack of awareness of the difference between basic CUI and CUI specified. So can you explain a little bit about that difference and, and what exactly CUI specified is?

Stephanie Siegmann (03:34):

I, I, Stuart, I can do that. So I think the confusion comes, uh, from the fact that most contract officers, most folks, when you to have a, a defense contract and you’re dealing with D O D, they just tell you that everything’s c u i, you know, just treat everything as C U I C U I. Well, that’s not really easy, and that’s not, that’s, that’s that disservice to everyone. Um, because, and, and when we say cui, of course, we’re, they’re, we’re referring to controlled unclassified information. Uh, and, and that specific information that has to be controlled and pursuant to D A R S section 70 12 C U I is subject to controls under 800 dash 1 71, uh, which for are, you know, there’s 110 controls that you have to, you have to, you can only, uh, store it in a, uh, system, a computer network that meets those controls.

(04:30):

Uh, and they, everything needs to be marked and stored appropriately. And, and so it really, uh, and I often, um, think about it in in the same respect of, you know, when I worked as a prosecutor, you know, the FBI would over classify things. Now this is classified, that’s classified. Well, no, it’s not all classified and nor are is all the information cui, and there is information that’s just pure research, and that is not cui. So with regards to your, your question about basic versus specified, that that, what that means is specified is subject to higher level controls as a result of loss certain. So you have the general information that’s, that the government deems, or the contract officer or the prime contractor on the contract says this is all cui. Um, and, but when you drill down and you, and, and if you can, and get a contracting officer to drill down with you as to what specific information is controlled, certainly if you’re working on a military contract and it relates to specifications, technical specifications, and is going into a, uh, a submarine, for instance, or a military, uh, vehicle, then it’s likely gonna fall under the I A R, the International Traffic and arms regulations.

(05:53):

That would be specified, and that would be specified versus basic, because a, a ACT a law statute actually requires the, that information to be controlled. So then it would be C U I and the specification would be s SP and then E X P T, which stands for export controlled. And why that’s important is that if I, if information is subject to export controls, uh, that is, uh, the, the penalties for mishandling are far worse than if you just violate contractual provisions in a contract. Uh, and that, so for instance, uh, with regards to IAR data, that International Traffic and arms regulations, that’s information that’s controlled on the US munitions list. Uh, if you were to disclose that information or show that information or, um, are somehow a to a foreign person, or they were able to access that information on your network, that would constitute an export violation that would constitute an export. And if you didn’t have a license, that would constitute an export violation, which is a 20 year filling.

John Verry (07:10):

Gotcha. So,

Stephanie Siegmann (07:11):

But that’s, that’s, so that is, you know, when I’m talking about basic versus specified, so specified, one of the specifications specified categories, um, for CUI is export control information.

John Verry (07:22):

Okay. So question for you. It, so, so we now know that IAR R is c U I specified, and now the question is, you mentioned this p t, um, yes, by definition, I know there’s, there’s other export control stuff, right? There’s E A R, uh, I don’t know if you would consider something like no foreign or REL two is having something to do with export or not, right? But I know that those are additional COI specified categories. So I guess the question is, is when I see X P T, does that mean iar R by definition or could you know or not? And what is the difference between I T A R and E R? Right, which is another one that’s associated with export, correct?

Stephanie Siegmann (07:59):

Yes, exactly. So, uh, with regards to no foreign meaning, no foreign person, this, the information can be dis disseminated to, uh, so when you use the category C U I combined with X P T, uh, most of the, uh, literature, and that the guidance is that that cannot be disclosed to a, uh, foreign person. Um, so the fact that it’s

John Verry (08:23):

Expt, so they stack, right? So, so it’s, and IAR R can’t be disclosed. So technically I T A R has a no, you know, also is subject to no foreign. Yes, yes.

Stephanie Siegmann (08:32):

Okay. And that’s not used with, with, in conjunction with export control. So IAR control, it means that it cannot be disseminated to a foreign person. Okay? A foreign government and foreign person, uh, or non-US person, uh, would be a person who’s not a naturalized US citizen. Um, they’re, they’re, they don’t, they’re no lpr, they’re not a lawful permanent resident. They’re not in the United States pursuant to any special category. Um, and, uh, so sometimes there’s, um, and, and you, it can be very technical, but certainly any person that is not a US person, it cannot be shared with. And, uh, what I’ve seen sometimes is just, you know, these, this information can only be shared with the government, the US government and other D O D contractors. Sometimes you’ll see that type of, um, control statement. And, and so the difference, so when we say export control, then this is why I think you really need to drill down with your, when you’re speaking or you’re talking to your, your prime contractor, if you’re a sub working on a contract for a prime, you know, one of the larger kinds like Lockheed or Raytheon or any of those large, uh, uh, companies, or if you are you or yourself are contracting with the us um, D O D to understand, well, I understand this is export controlled, but, but where is it controlled?

(09:57):

Is it, is it controlled under the US munitions list? And then it would be IAR r uh, controlled, or is it controlled under the commerce control list? And that would be the export, uh, administration regulations would apply. And

John Verry (10:12):

What, so the, so it’s which list they’re on defines whether it’s IAR or E A r?

Stephanie Siegmann (10:18):

Exactly.

John Verry (10:19):

Excellent. Thank you. I didn’t know that.

Stephanie Siegmann (10:21):

Yeah, so you have the US munitions list, and when, if it’s on the US munitions list, it means as a military application. It’s especially designed for a military application with regards to the, and there was a, you know, there was export control reforms that occurred, and some items were moved over from the US munitions list to the commerce control list. And, and some of those items still have military controls, but they’re not the most significant. They’re not like, you know, so there was a, uh, concern that we were, we’re controlling too much information and too many things on the US munitions list. So things were transferred over to the commerce control list. That doesn’t mean there’s still not significant controls, cuz that includes nuclear, for instance, items. Uh, and, and there is a category on the, uh, commerce control list series 600 that has very significant, uh, export controls similar to that on the, um, US munitions list.

(11:20):

But the, the person, the, basically the agency who decides whether to grant licenses is different. The Department of State grants licenses for items on the US munitions list and Department of Commerce grants licenses for the items on the commerce control list. And the way you determine whether an item requires a license is different on the two lists. Okay. But with regards to US munitions list, which I think majority of your stuff on the, if it’s a DOD contract, will deal with that. Mm-hmm. <affirmative>, everyone should understand that if it’s on the US munitions list, it cannot lawfully be exported to a, uh, to a non-US person without first obtaining an export license from the Department of State. Uh, and if you, and so you have to do that prior to exporting an export though, is to, is not just a physical transmission outs, you know, from the united, from some someone inside the United States to outside the United States, but also exports can occur within the United States. And that would ha can happen as easily if you have a, a foreign person who’s walking through your, your plant or your, your warehouse or your office, and they see a document that has technical specifications, de defense technical data that’s controlled on the US missions list. Once they see that, and they see and, and see that the, the export, the defense technical data and export has occurred, that’s unlawful. And it could, it could mean your, a company is faced with a criminal prosecution.

John Verry (13:00):

Yeah. We, we struggle with this, with, we have, um, a number of clients that are, uh, foreign entities that have, you know, north American US operations with that process ITAR data. And you have this strange situation where, you know, you’ve gotta figure out ways of enclaving that data in such a way that the entities that are part of the parent company have no access into those systems and can’t see that data. And in the event that they did get to that data, that would be a, a breach in the same way that you just said, uh, as a person walking through the entity. Correct.

Stephanie Siegmann (13:30):

Exactly. Yes.

John Verry (13:32):

So one are, so, so what happens, uh, what, you know, so let’s say, let’s say, you know, I’m listening to this and I have someone who’s got IAR data, and let’s say it happens. Um, what should I do? You know, you know, what are the, what are the potential pot penalties, if you will, to that occurring?

Stephanie Siegmann (13:53):

Okay? So if it happens and, uh, you’ve, uh, identified it, your, so your company has a, a, a good compliance program, everyone should have a compliance program mm-hmm. <affirmative>. And if they don’t, they should work to, to, to do, uh, to, um, to create one as soon as possible. Um, because that is one of the, uh, factors that will be considered in determining the punishment, uh, is, uh, you voluntarily self-disclose, but first you contact a lawyer, an in-house lawyer if you have one,

John Verry (14:23):

Or, and you wouldn’t know, you wouldn’t know a lawyer that we could call, would you, anybody who knows anything about this subject, I

Stephanie Siegmann (14:28):

Know, I,

John Verry (14:28):

I, you could maybe, maybe after the podcast you can get me a list and I can recommend somebody to somebody. Oh,

Stephanie Siegmann (14:34):

Sure. Yes, <laugh>. Um, but voluntary self disclosures are, are, uh, definitely be considered if you identify a violation, uh, that has occurred. Okay. Because that’s going to, um, drastically reduce any potential penalty. Um, and Department of Justice has a voluntary self-disclosure program. And if indi, if companies come in, uh, and this was, there was, I can do talk about that at length, but there was a Department of Justice has been promoting the fact that they are going to give, um, companies a huge benefit if they come in and just self-disclose any violations. Um, similarly, department of State, um, has, uh, actually encourages companies to also voluntary self-disclose because they can, uh, impose administrative fines, uh, for violations of the I T A R. And then Department of Commerce also has fines. Um, that, and if it involves, uh, a company, uh, this, did the, the export violation involve a company or an individual that’s on an one of the OFAC lists, especially designated nationals or Block persons list, ofac, the Office of Foreign Assets Control under the Department of Treasury would also get, potentially get involved.

(15:55):

So there is a significant, uh, issues, you know, exports are a really important area that’s often get overlooked, I think, um, by, uh, companies. I think there is a lot of companies now that are, are focused on it, they’ve gotten a lot of more attention, um, over the last year as a result of the sanctions that were imposed against Russia and export, and the, um, the export controls for items sent to Russia as a result of their unprovoked invasion of Ukraine. And now with China, there’s been a number of additional, um, restrictions that have been imposed just over the last month.

John Verry (16:31):

Gotcha. So it, so obviously with the voluntary, um, voluntary disclosure, I, I’m assuming that the, the penalty might vary. What if we, what if we didn’t? What, what if, um, what if there’s disclosure we don’t come forward and it’s identified what happens? I mean, is this part of the, okay, is this, is this a, is this part of the False Claims Act? Is this part of like civil cyber, cyber fraud? Is this, is this an Attorney general show? Like what, what happens?

Stephanie Siegmann (16:58):

Oh, so let me, I said no, but I, I spoke too soon. Uh, so the, let’s take it in pieces first. Mm-hmm. <affirmative>, there’s a disclosure, uh, to a foreign person, um, and no license was required. And, and then, uh, individuals decide, oh, and either they don’t realize it, uh, and, and, you know, maybe the, the senior management doesn’t know, or the senior management knows, and they cover it up. Uh, so, okay. And, and so the illegal export that, you know, the, you know, the disclosure to a foreign person of data or an item, uh, that is, uh, controlled under the IAR is a violation of the ARMS Export Control Act. Mm-hmm. <affirmative>, which is a 20 year felony. Wow. Uh, and I prosecuted those numerous times, and I did hundreds of investigations involving export control. So that, that is, uh, you know, a significant, uh, a significant violation, a serious violation of criminal law. The sentencing, the federal sentencing guidelines treat them very seriously. Um, they start out a much higher base offense level, then virtually, um, many, many, uh, crimes, uh, other than terrorism, I think, uh, so that, that they’re taking that seriously. Um, if there’s, you would, uh, engage in any type of obstructive activity or concealing, you’re talking potential obstruction charges, that’s also a 20 year felony. And if you lie about the fact that

John Verry (18:30):

You’re perjury Yeah. We’ve got another 20 years and basically spent the rest of your life in jail.

Stephanie Siegmann (18:35):

No, but then you had the False Claims Act piece that you asked me before. Okay. So if you certify that you’ve been compliant with all the conditions, uh, you know, all the things in your contract, and you’ve been, um, you’ve met all the material requirements of the contract when in fact, you know, you haven’t

John Verry (18:52):

Right. That date has been sitting on an open public drive. Yes. And I know I’ve got foreign people in my comp, so, so you could really Yeah. This is, this is really bad stuff.

Stephanie Siegmann (19:01):

Yes. And, and there’s so certainly an after aerojet, um, rocket, uh, rocket D uh, that, that was a, you know, one of the cases that came down over the last year with regards to a False Claims Act, um, their system was not secure at all. And it ended up, it was, they had several breaches, uh, and one of which they believe involved our data about missiles being mm-hmm. <affirmative>, you know, shared or, you know, obtained by our adversaries. Um, so those, those issues are really front and center now on top of mind for doj. And when they announced their civil cyber fraud initiative in October of 2021 over a year ago now, um, that was what they were, that, that, that’s their, what are their priorities? Okay. Their priorities is to go after individuals that are not taking cybersecurity seriously, not reporting breaches. And they’re really, uh, determined, uh, that dag the Deputy Attorney General indicated how important individual accountability is going forward. Uh, and so you should expect, an individual should expect that if that were to occur, there was to be export violations that jeopardize national security, uh, and a company did not report them, and they’re investigated, they’re gonna be, that’s gonna be a very seriously pursued, and I imagine indictments would be brought.

John Verry (20:24):

Yeah. And, and just to be clear, right, you know, the Civil Cyber Fraud Initiative is not just focused on export, it’s also focused. So if you had a whistleblower, um, that said that you had, uh, a score in SPR s right. You’ve, you have asserted that you’re 801 71 compliance since December of 2016, or you, or you have a, a score in spr s that’s knowingly not accurate, right? That civil under that same civil cyber fraud initiative, and under that same False Claims Act, they, they could pursue that as well, correct?

Stephanie Siegmann (20:58):

Yes. And, and, and so, and let me make just and clarify on, on the Civil Cyber Fraud Initiative, when I was mentioning it, it was to give the example of the False Claims Act. Mm-hmm. <affirmative>, the focus of the Civil Cyber Fraud Initiative is cyber fraud. And that is, you know, failures of your, you know, your, you know, non-compliance with cybersecurity provisions of government contracts. So if you are either a government contract or recipient of grants, federal grants that also require cyber security provisions, um, those are the people that we focus on under the Stimulus Cyber Fraud Initiative. Um, we had numerous investigations that I worked on over the years that purely involves export violations. Export violations have been a focus of DOJ for a very long time.

John Verry (21:43):

Gotcha. Um, perhaps a silly question, but I’m just curious. I, I know ITAR R now is C u I specified, so I know how to say that correctly. Is E a r technically C u I specified

Stephanie Siegmann (21:55):

It? Well, yes. I mean, so they, there’s no, they don’t distinguish in the directory. The C U I directory on the DO OD has a, a basically a directory, uh, listing and all the different acronyms and what they mean, it just has X P T, it says export controls. So it’s, and that’s where I think there’s a, that is a, um, a problem for contractors because the, there’s different requirements for the two for I T A R versus e r. When I said I T A R, anything that leaves the United States or is transferred essentially to a foreign person would require an export license. But that’s not this, the case for E R E A R, whether a license is required under, under the e r requires a more detailed analysis as to who the end user is, uh, who, you know, the country, the nationality of the end user, uh, and the end use.

(22:50):

So you have three different factors. Uh, and also you have to know what the export control classification number is. It’s, so, it’s when, so when I say it’s, it’s more complicated. It is more complicated. And, and you have to, you should be working with, um, an individual, whoever is in your company that is in charge of export compliance. So no empowered officials or your, your in-house counsel Gotcha. Um, to make those determinations. Uh, and that’s why it’s so important that you ask, you know, you know, find out from the contract officer, whoever you’re dealing with, the government official, the, the prime if that you’re a sub, you know, how is this, uh, classified? Is this classified under the iar, under the e r? Um, and it’s important because the requirement, the holder of the information, so if you are, uh, you know, a sub and you, you’re, you’re given the information to hold, you are, you are required in the contract to protect it and safeguard it if it’s C U I.

John Verry (23:51):

So, so that’s an interesting question. So, um, you know, it’s generally relatively easy to know if you may be subject to C U I provisions, right? Because like you mentioned, you look for that 70 12 clause. Exactly. If you have the 70 12 clause. All right. Pretty obvious I have, they’re at least saying that I have cy, right? Yes. Or, you know, um, how do I know if I have like IAR or e r, will it be that X P T? Like how, like if I said to someone, like, I’ll say to someone frequently, they’ll be like, I’m not even sure if we have cy. I’m like, it doesn’t matter. Do you have a 70 12 clause? Is there an equivalent clause that I should be asking about? Um, when, when we want to know whether they not have something that might be subject to IAR or E A r? Is it that X P T that you referred to?

Stephanie Siegmann (24:36):

Well, that is, you might see that. But again, the, the problem with that is you don’t then know if it’s iar R or E R. Mm-hmm. <affirmative>, I think asked, now, if you’re working on a military contract and the parts are going into a missile, for instance, my presumption would is it’s IAR R. Um, but you know, again, if you’re working on something that involves nuclear, you know, uh, you’re working on a Department of Energy contract and the items are nuclear, then they could, uh, relate to a commerce control. You know, they might be controlled under the commerce control list. Um, but it’s really important to understand. And some, you know, individuals are a, uh, asking me, and there was a discussion actually online about, well, what about the end part? If the part, if the information is cui, then what happens when you’ve developed what, you know, the end product, what is that and is that controlled as a cui?

(25:28):

I said, no, it’s not cui, that’s not information. That’s the part. And so you really need to know, and, and, and I would ask, and sometimes you might not cut the answers, but just air, I would err on the side of caution. You know, if you work in a military product and or a military contract, the likelihood is that there is going to, it’s gonna be controlled, the iar r um, and you can, uh, seek guidance and ask, there is a way to seek guidance from this harm state, uh, and Department of Commerce, but you really should be asking the contracting officer, um, and, and if they give you a answer like, well, it’s controlled either under the IAR R or the e r, that is not worth the paper it’s written on, written on. I’ve told this to, uh, to individuals, agents would come to me. And with these, uh, well, the individuals informed that it was either E a R or IAR r I said, well, that, that’s ridiculous because there is a section under the e r called e a r 99 that isn’t controlled. It has, there’s no license requirements. And that’s why it’s so important to understand if there are controls, um, so that you as a company know what your obligations are, um, to protect that information.

John Verry (26:44):

Yeah. Like, and I, no wonder, um, I know c U I, there’s something called the Christian Doctrine, and it basically says, and I’m paraphrasing here, that if the government doesn’t specifically specify that something is, needs to be treated as c u I in a contract, um, but it is c u i, you should have known that and you should treat it as C U I. Um, does the Christian doctrine or something analogous to that apply to IAR and E A r? I mean, so cuz like when, when, like, I, I’m amazed how often that we’re working with clients and we get down to a, no one will definitively say if this is C U I, so we’ve gotta make a decision. And typically the decision is if we can’t say that it’s not, then we have to assume it is, do we follow that same protocol from an IAR perspective? Because you get a lot of the same blank looks and lack of, uh, certainty from people when you ask those questions.

Stephanie Siegmann (27:34):

So I will say, so at the end of the day, um, if the in information, if you’re, if it, no one is aware, um, whether iar, R e r, uh, or, but there’s a presumption in cui, they’re obviously treated as cui. There is not gonna be any criminal liability there. The government will not be able to prove criminal liability if no one knew it was iar R or E A r. Because there is, you are the elements for a criminal prosecution for an illegal export under the Arms Export Control Act and under the Export Control Reform Act, is that a knowing and willful violation?

John Verry (28:12):

Okay. So if I do due diligence, if I do due diligence, and I, and I, and I said, look, I, I asked the question, I went to the contracting officer, I went to the prime, I went to the agency, here’s what I got, here’s what I did. If I, if if I didn’t know, if somebody didn’t say it was ITAR data and, and I mistreated it, then I’m gonna be safe.

Stephanie Siegmann (28:34):

Yes. But again, you don’t wanna wear blinders either. I

John Verry (28:37):

Mean No, I know that. I, I know that. Yeah. And look, I mean, to our guidance usually is air error on the side of caution. I mean, if you’re already gonna, like, if you’re already building a C U I enclave, putting a little more data into the CY enclave is not that much of a burden. And it reduces risk if you’ve already got, I mean, I think where the challenge would be is if you have no IAR data, right? Then you don’t have an IAR R enclave, then the idea of creating an IAR r enclave to put data that we don’t know if it really is IAR into it, that’s a lot higher of a burden than if I’ve already got other IAR data and I’ve got another piece that I can’t get certainty on. Hell with it. Put it into, put it into the enclave. Right. And, and let it follow the same processes. Cuz you’ve already, you’ve already built them and spent that money, time and effort. Right?

Stephanie Siegmann (29:19):

Exactly. And then, then no, that’s exactly what I would advise because, you know, then you, you cannot get in trouble for overprotecting the data mm-hmm. <affirmative> and it shows that you’re being cautious and you don’t want, I mean, I, we’ve been talking a lot about the criminal violations, but as a government contractor, you don’t wanna lose the contract. You don’t want them to come and, and find that you haven’t abided by the terms of the contract. And we’re gonna either take the contract away or not award you for future contracts. So that would be, you know, what I would, uh, advise.

John Verry (29:50):

Okay. And then, so in terms of, excuse me, other than the export control, access control requirements associated with IAR R, are there any other, uh, specific controls that people should be aware of?

Stephanie Siegmann (30:06):

Well, with regards, I think those are the most important for Okay. With regards to, um, DG type contracts. We’re talking predominantly about defense contractors here. That would be the ones that I think are the, and uh, and again, as I said, there, there is nuclear, um, uh, controls that could apply and that those export controls fall under the e r for the most part.

John Verry (30:29):

Okay. Um, so we talked a little bit about the civil cyber court initiative, and we’re definitely seeing more FCAs. I mean, I saw a number that was crazy, like $20 billion was recovered in 2020 or 2021. Um, what, and, and I know you’ve been on both sides of this equation, so what causes a false claim act? And, you know, what can a company do to minimize the risk that they’d ever be in this terrible situation?

Stephanie Siegmann (30:58):

So, and I just wanna preface that the Civil Cyber Fraud Initiative didn’t come out until the fall October of 2021. So the majority of that, the, the recoveries that you’re referring to was repri. Uh, you know, they predated that, um, the False Claims Act has been used for a long time by the, the government. It’s one of the, uh, most important civil enforcement tools that DOJ has. It’s used a lot in the healthcare context, he healthcare fraud context as well. Uh, and, and so what it, it is very broad. It’s basically submitting a false claim to the government. You’re submitting under a, you know, a government contract. You’re get, you’re submitting, uh, a claim to be paid under this contract. And when you do that, you’re certifying compliance with the contractual provisions in that contract. Uh, and, and if it, and if there’s anything false about that, you know, you’re falsely certifying that you did the work.

(31:56):

You know, people overbuild the government, that would be a False Claims Act violation. Uh, and some of the things that you said earlier, you mentioned, you know, the, you know, you submit a score that’s not true for your, your compliance, uh, SPR S number is wrong. It’s not accurate. You don’t have, um, documentation to back up that score. Uh, and, um, and then when you certify, you know, you, you submit claims that are false. So those are generally what they, what you’re looking at. Um, I would expect, uh, and this is what I, where I think that the civil cyber fraud, uh, initiative is really designed to, um, force companies to report data breaches. That was one of the priorities that, um, was announced. You know, that, that they were really after as their, and they’ve and DOJ has repeated that type of mantra that we’re tired of, of companies, you know, hiding the fact that there’s been a data breach.

(32:54):

They want them to report it. And, and you’ve seen that also with the recent conviction of the Uber former chief of the, uh, the chief Security officer at Uber, Joe Sullivan. And the press announcement of that verdict, DOJ said the same similar things is, and so the focus going forward is really gonna be on, on, on companies. Did you hide the breach? Did you not report it? Did you, did you en engage in any concealment type activity? And so when you’re asking how to protect yourself and prevent yourself from, at your company, from being at Target, you know, training and more training, because the False Claims Act is unusual and unique in one respect, it incentivizes whistleblowers, it incentivizes whistleblowers to come forward with a financial incentive. And that is that if and whistleblower comes, um, forward and your, your employees could be whistleblowers. And that’s why training’s so important and, and if they make complaints, investigate them, is that if they come forward and the government, federal government obtains a recovery as a result of the information they’ve provided, they stand to, uh, get one third of the recovery. So it’s a huge,

John Verry (34:14):

Which, which could be a, which could be a huge financial incentive, right? Yes. Because I mean, cuz you can recover something crazy like all of the money you’ve ever invoiced. And plus it’s like, isn’t there like something crazy like $11,000 per invoice or something that you submitted?

Stephanie Siegmann (34:29):

Yeah, there’s, there’s, there’s a civil penalty, there’s trouble damages attorney fees. And so the recovery can be astro. I mean, there’s been cases where people get millions of dollars. In the case of the, um, in the Aerojet case, the individual got 2.6 million, the whistle blower, um, Marcus. So there, there,

John Verry (34:49):

That’s a lottery. That’s like, that’s like winning the lottery.

Stephanie Siegmann (34:52):

It it can be, yeah. It can be very, uh, a very large, uh, amount of money.

John Verry (34:56):

Yeah. And and what you pointed out about the, uh, the reporting incidents, that’s a really interesting thing because that’s another, uh, misconception that many people have is, you know, they don’t realize that they don’t need to be 801 71 compliant, or they don’t need to be cmmc compliant. They need to be d r s compliant. And that requirement for incident reporting right, is actually in D R 70 12. I forget which clause is somewhere. It’s c and m I believe. Right. So I mean, I, you know, that’s a, they, you know, that’s another a case where if someone doesn’t really understand what their obligations are, you know, that’s where they’re gonna put themselves in harm’s in harm’s way

Stephanie Siegmann (35:32):

There. And it’s a 72 hour requirement, you know, so they don’t have a long time to report a cyber incident cybersecurity incident. They have 72 hours. Uh, and, and that, you know, for many companies, unless you have a cyber incident response plan, it’s very difficult in 72 hours, you often don’t even know and understand, um, everything that’s happened to

John Verry (35:55):

Your company. No, I was just gonna say, I mean that, uh, I’m curious right, because there is a stretch of time in any incident where we’re, we don’t know if we have, we know we have an incident, but we don’t know if we have a breach. Right, exactly. And there’s, and there’s a discovery period, an investigation period. Um, when does that clock, when does that, you know, and, and it’s a fuzzy line when, when you go from, I think we might have a problem here to, we definitively have a problem. When does that clock start? Like, I mean, well, the clock at the definitive, or when, when we think <laugh>,

Stephanie Siegmann (36:32):

Well, and I would, at the, at the discovery phase, you have to understand, you know, the government’s gonna be worried about their information. Uh, and so I would err on the 72 hours starts when you, you discover that there has potentially been a breach Wow. That there is, there is access into your network. And you, what you, you can do in that instance is we’ve detected a, uh, a cybersecurity incident. Cybersecurity incident is very broad. It doesn’t necessarily mean a breach, by the way mm-hmm. <affirmative> and cybersecurity incident is the, the language that’s used. And, and therefore, and then you can provide the additional information a as the investigation ensues. So we’ve investigated, here’s the, and they’re gonna want logs. They’ll likely gonna want, the government’s gonna want logs, they’re gonna wanna know if their information was compromised. And, and, and depending on, you know, the sensitivity of the information, you one can understand why they wanna know this. Because if it, you know, they wanna know who was it and who accessed it mm-hmm. <affirmative>. And they, they, the government will have access to more information then the, the, the company will. Right. The the classified piece of this is they

John Verry (37:40):

May have, that might be your largest understatement of this entire episode, <laugh>. They might have more information than a, than a hundred person manufacturing firm. Yeah. There’s a lot of three letter agencies that do some crazy stuff out there. Steph, I don’t know if you’ve heard of them, work

Stephanie Siegmann (37:58):

With them, but, you know, I’m very careful when I talk about potential plus money.

John Verry (38:05):

I I understand.

Stephanie Siegmann (38:07):

I don’t wanna be prosecuted then

John Verry (38:08):

<laugh>.

(38:11):

Yeah. Um, that is, that is, that’s really interesting. And, you know, and, and that, and you know, let me ask you a question. That, that, that’s also an interesting, so is it, so prior to SPR s and, and you know, and, and, and 70 19, I think the 70 19 clause really drove SPR to a higher level. Right? Um, people were asserting to their primes, right, that they were 800, 1 71 compliant. So if I’ve asserted to my prime that I made hundred 1 71 compliant, and I’ve signed off on 871 compliance or submitted a letter of assertion or attestation, whatever they called it, and, and I have some type of an issue, would I be subject to a False Claims Act? Because I didn’t assert to the gov? Well, I guess I’m invoicing the Prime.

Stephanie Siegmann (39:01):

Yes. You’re invoicing.

John Verry (39:02):

So I, is that the same thing?

Stephanie Siegmann (39:04):

I I don’t think that the government will be, uh, I, I don’t think that will be the focus of the cyber fraud initiative. At least at this junk. Okay. I just, cause I think there’s, um, uh, ambiguity there. I do. I mean, there is language in the, uh, civil cyber fraud initiative that they could go after indivi, you know, companies that made assurances of, you know, cyber security compliance when in fact they weren’t, uh, uh, cyber security compliant. But I do think that those are gonna be a far harder to prove. And I think the easier ones are, the ones at least, uh, right now would be the, the failure to report the breaches, because that is just a far easier, there was a breach, an employer reported you had a breach, you didn’t report it. Um, and often the whistleblowers will will first go to the company and say, and report something.

(39:54):

And, and then inevitably, I have to say in a lot of these cases, the company fires them <laugh>. So they retaliate against the whistleblower, which by the way is the, then becomes a wrongful termination lawsuit. In addition, the False Claims Act. So the count, you know, the, the, the things that companies should not do would be to fire the whistleblower. Uh, you know, they should actually, and, and they should have systems in place where people can anonymously report, uh, you know, these kind of concerns. These kind of, uh, the, the concerns that, you know, this happened or this happened, we’re not doing sufficient security and take those seriously. And if the company does that has measured, you know, ways for com employees to express these concerns, and the, the employees know that they’re going to be investigated thoroughly and the company takes that type of thing seriously, they’re far less likely to become a target of doj.

John Verry (40:51):

Yeah. And I feel bad this, you know, these organizations that have half-assed, excuse the expression, um, 871 conformance over the last four or five years, um, you know, they’re, they’re gonna be caught between a rock and a hard place because if they have some type of an incident, you know, reporting it is going to shine light on the fact that they haven’t conformed. Right. So it’s kind of a catch 22 where we’re either, I either don’t tell them that I had an incident and I’m non-compliant, or I tell them I ha I might have had an incident and they dig in a little bit and they find out I’m non-compliant. So it’s, um, I mean, I think the long and short answer is there’s a sheriff in town now, right? Through, through, you know, both the FCA mechanisms, SPR s um, soon to be cmmc. Yes. And it’s time to get your crap together from an information security perspective. You know, you’re taking the government’s money and you’re taking a lot of money in some cases from the government to do things for them. You know, they’ve given you contractual obligations outlined by these clauses. Follow them.

Stephanie Siegmann (41:51):

Well, I actually, and the other issue I think is for the subcontractors, your prime contractor is not going to want to work with you mm-hmm. <affirmative>, uh, if they know you’re not gonna take this stuff seriously because it looks bad for them. So if the prime I, you know, learns that you’re not compliant, you’re, you’re, your sub security compliance is subpar and you’re not taking it seriously, they’re likely to self-report to the government, Hey, it wasn’t us, but one of our subcontractors we learned of this and terminate the relationship with you. Um, so that’s also another issue that to be aware of. Um, because the subcontractors often are not the ones that are gonna be, have the ability to report, um, to the, the government. They’ll be reporting it to their primes, and then the primes will then be obligated to report it to the government.

John Verry (42:39):

Yeah. And I don’t know if you’ve seen this, but we’ve seen this with some of our customers that some of the big primes, you know, some of the names that you’d recognize are actually holding, uh, their subs feet to the fire at a higher level than just cmmc. I literally reviewed a, uh, a letter email recently where they wanted them to be both cmmc and, and CS csc uh, compliant. So it’s really interesting that, you know, that, that, that the primes, and it makes a lot of sense, right? Because if you’re gonna pursue a $10 billion contractor, you’re gonna put together a capture team. You know, if you’re able to assert that that capture team, you know, is all CMMC certified or all, you know, they’re, they’re clearly documented to be more secure, that’s gonna be a competitive advantage.

Stephanie Siegmann (43:25):

Oh, exactly. Uh, and then the other issue is if you’re not taking, you know, cybersecurity, uh, controls seriously not, you know, using the 801 71 as that, you know, what your standard, you may not be able to get cyber insurance going forward. Uh,

John Verry (43:42):

That was a question I was gonna ask you. I I was gonna, yeah. So that’s interesting. And then the other part of that that I was gonna ask you is, um, how do you help clients navigate, so cyber liability insurance, right? Uh, when, when you have a, a a a breach or a suspected breach, right, you are obligated, right? Your instant response plan should include the, you know, what they refer as an authorized response vendor, right? You get a breach counselor if you’re in a breach. Um, so now we have an interesting question. Um, how do you navigate that? I’ve gotta, I, I don’t wanna lose my cyber liability insurance in this particular case, so I’ve gotta follow their playbook, but I also have these government obligations. H how do those two interact? I mean, do you, I’m assuming that it would seem to make sense to me that if I had a breach that I, that I would, I counsel people that I would like to, uh, I’d like external counsel involved because I don’t, I, I know that the, uh, the, the breach advisor that is being paid by the cyber insurance company, you know, they’re serving that master who’s serving me.

(44:49):

Right. So do you, do you get involved, I’m assuming you get involved in cases like

Stephanie Siegmann (44:53):

That? I, yeah, I do not get involved in those cases. I, I actually am, um, yes, I’ve had, uh, uh, several cases of that nature. Um, what I will say is that often even, uh, there may be a panel of people that your insurance company says these are the people that are pre-approved mm-hmm. <affirmative>, but you can get your counsel. If you’ve picked an attorney, you can ask that your counsel be your coun. And, and I’ve had that happen where, um, and sometimes you may have to, um, the insurance usually caps how much money they’ll pay per hour for an attorney mm-hmm. <affirmative>, and if you want a specific attorney, you may have to pay the difference between their rate and the insured, you know, what the insurer’s gonna pay.

John Verry (45:38):

Yeah. But if you’re in the dib, you should have someone who’s got dib level knowledge, someone like yourself. Yeah,

Stephanie Siegmann (45:43):

Exactly. So

John Verry (45:44):

On call, right?

Stephanie Siegmann (45:45):

Yeah. That might not necessarily be the person on the panel that the insurance company,

John Verry (45:50):

You know? Yeah. I mean that they’re gonna be just a general, and, and, and I hate to say this, but you know, the people that win those contracts are the lowest bidders, you know, it’s like the old famous, well, you know, it, was it John Glenn? I think it was that was, you know, when they asked him as the rocket was shaking and taking off, what, what, what thought was going through your mind? And he says that the rocket was built by the lowest price bidder. Right.

Stephanie Siegmann (46:10):

So no, I, and so I would say is that, so what happens typically is then the insurance company will pay up to the, whatever their maximum is. Sometimes it’s like three or $400, that’s not going to pay for most lawyers in private practice. Mm-hmm. <affirmative>. And then the, then if you are a big company in the dib, you’re going to pay the extra money and get someone that is, um, that’s gonna fight for you to ensure that, you know, there, there, there often is, um, you know, coverage disputes with the insurance company, is this covered? You know, and there’s been, um, you know, over time, uh, cyber insurance policies have changed a lot. And, and there’s the war exclusions that they’ve used recently, the terrorism exclusions. And, and so there has been disputes about whether certain things are covered. Uh, and I expect that will continue.

John Verry (46:59):

Right. And especially in the dib, right? Because they could argue it’s a nation state adversary, right? Oh, yeah. And, and, and they’ll try to ex and they’ll, they’ll try to exclude off of that. So, so, long story short, if you’re in the dib, right? You, you, you don’t want to use probably you’re psycho reliability insurances who, whoever they’ve, they’ve said, oh, here’s your breach counselor.

Stephanie Siegmann (47:17):

Well, and, and it all depends on who the breach. And you can actually work with brokers to get policies where you can write in your attorney that you can use. So there is, you know, and I sort don’t want us, you know, um, you know, and say generally, you know, but, but what I will also say is that you’re not the nation state actor issue. And with regards to Ukraine and the, and Russia’s, um, war with Ukraine, um, there has been far greater, uh, use of exclusions, like on the not pet Petya, um, uh, that malware attack, that Russia, uh, uh, Russia, you know, orchestrated against numerous, uh, it hit numerous companies, including Merck. Mm-hmm. <affirmative>, which was not in the dib and Monex, which says just brought a lawsuit and they had a trial and resettled. Um, but does they, they actually do you know, Oreo cookies? They’re manufactured Oreo cookies, they’re a snack man manufacturer. So it’s not just the individuals in the dip that have to worry about those types of war terrorism exclusions, cuz it, if a, a malware attack is orchestrated by Russia or China, it could actually hit a lot more than just members of the defense industry.

John Verry (48:28):

And you just broke my heart. You’re telling me that Nabisco is no longer manufacturing Oreo cookies?

Stephanie Siegmann (48:33):

Sorry. Well, my luck stuff.

John Verry (48:35):

We’ve, we, we’ve, we’ve, we’ve sold an American institution to some that sounded like a foreign company to me, Stephanie, couldn’t that have been covered by like, you know, the eTAR, like, you know, edible <laugh>. I mean, come on, let’s come up with something. We, we, you know, in Bev, I mean, Anheuser-Busch is no longer an American company, right? I mean, they got sold to InBev. I mean, do, do we need an alcoholic one? Uh, anyway, I’m not gonna get there. We, we’ve rambled on a long time here. Um, but it’s been really good. Um, so, um, is there anything that you think we missed?

Stephanie Siegmann (49:05):

I don’t think so, although you can bring me back any time. I’m happy

John Verry (49:08):

You, the eTAR, the eTAR. I mean, I’ll tell you what, I’m gonna have you back on for an eTAR conversation about edible and alcoholic beverage, you know, regulation, export regulation, uh, so that way we can, you know, you and I can game plan something. Um, so, uh, I always ask, give me a fictional character or real world person you think would make an amazing or horrible ciso and why?

Stephanie Siegmann (49:30):

All right, so I’m gonna go with Homer Simpson because, uh, and I think he would make a horrible ciso, um, because he’s so disorganized lock days, you know, doesn’t really care. He is not, you know, he wouldn’t follow the rules at all. He probably would be drinking on the job. So that’s who I would go with as the worst ciso, although my husband loved that show, um, for a long time.

John Verry (49:59):

<laugh> and, and that show has been, and the crazy thing is that show is still on, and I think it’s, I think it’s now the, like, the longest running TV show or the longest running comedy of all. It’s like 25 years old, you know? I mean, the other one that I saw recently, I couldn’t believe how long it’s been on was Survivor. Oh yeah. Like survivor’s still on <laugh>. I had no idea. Um, well this, this, this has been fun. Um, I, I, I appreciate you coming on. Um, obviously you, uh, you are a subject matter expert in this area. If folks need, want to contact you, um, you know, to chat about some of these issues, what’s the best way to do that?

Stephanie Siegmann (50:35):

So I’m on LinkedIn. I post a lot on cybersecurity issues. I also, all my information is available. My firm website, Hinckley Allen, and my name is Stephanie, and my last name is spelled s i e g m a n n. And if you go on my firm website, my email address is there, and I, uh, and you can email me and my phone number at the office is also available.

John Verry (50:58):

Excellent. Stephanie, this has been fun. Thank you.

Stephanie Siegmann (51:00):

Thank you.

Pivot Point is now part of CBIZ. Click Here for more information.

Ep #108 – Understanding the Legalities Around CUI

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security