Cyber-Intrusion and Data Exfiltration Concerns for BIS


Cyber-intrusion and data exfiltration are subjects of increased concern for the Bureau of Industry and Security (BIS). In its March 2024 release of Don’t Let This Happen to You!, BIS reiterates its growing role in export enforcement to protect U.S. national security and foreign policy concerns. It emphasizes the importance of developing effective export compliance programs for organizations involved in transactions subject to the Export Administration Regulations (EAR).

This report also contained concerns about the prevention of data exfiltration and the incorporation of cybersecurity protocols into an organization’s Export Compliance Program (ECP). Specifically, the report recommends the documentation of protocols for notifying the BIS of security incidents that result in data loss or data leakage of controlled technologies.

It is noted that notification of data exfiltration is separate and distinct from the filing of a Voluntary Self Disclosure (VSD) and that the reporting of data theft allows the BIS to work with its interagency partners to identify and prosecute malicious actors.

Protection of Controlled Technology

While it is incumbent on organizations involved in export to protect controlled technology from “Deemed Exports”, the BIS does not define specific cybersecurity controls for data security. Deemed exports are events that result in the release of technology or source code subject to the EAR to a foreign national in the United States. Situations that can involve release of U.S. technology or software include:

  • Tours of facilities with foreign visitors
  • Foreign national employees involved in certain research, development, and manufacturing activities (I-9 Work Visa, DACA)
  • Foreign students or scholars conducting research

NIST Cybersecurity Framework

The BIS, in an effort to address the need for cyber security measures, is recommending that organizations refer to the National Institute of Standards and Technology (NIST) National Cybersecurity Framework to establish plans for implementing, improving, and maintaining an information security program.  The NIST Cybersecurity Framework (CSF) 2.0, released in February of 2024, provides guidance on practices and controls for data protection applicable for managing risks.

This framework was designed to help organizations and industries in all sectors and of all sizes.  It is targeted towards a broad audience including executives, managers, and cybersecurity professionals to assist organizations in reaching their desired level of security. 

The document is comprised of three major components: the CSF Core, which outlines high-level activities to define requirements; Organizational Profiles, for tailoring a program based on an organization’s objectives, expectations, and threat landscape; and CSF Tiers, for establishing the level of risk management.

CSF Core

The CSF Core outlines high-level functions for the creation and organization of a cybersecurity program.  These core functions are:

    • Govern (GV) – These are policy-level activities that are critical for implementing cybersecurity into the organization’s enterprise risk management (ERM). They include the establishment, communication, and monitoring of cybersecurity risk.
    • Identify (ID) – Identification issues include the documentation of assets such as data, hardware, systems, people, and suppliers.  This function aids in the formation of adequate policies and processes for cybersecurity.
    • Protect (PR) – This includes a large number of controls and activities including authentication, access control, data security, and training.
    • Detect (DE) – This activity includes the detection, prevention, and analysis of incidents of unauthorized access to sensitive information.
    • Respond (RS) – This category includes incident management activities including management, analyses, communication, and mitigation.
    • Recovery (RC) – These activities are aimed at reduction of down time when responding to cyber events.  They include plan execution and recovery and communication.

CSF Profiles

Profiles can be created to tailor and prioritize an organization’s cyber requirements.  These profiles can be created to reflect the current profile of an organization, a targeted profile of desired outcomes, and a community profile that is used for a specific sector.   Profiles can assist in gap analysis and the generation of a Plan of Action and Milestones (POA&M) to be instituted in a program of continual improvement.  NIST provides an organizational profile template spreadsheet.  

CSF Tiers

Cybersecurity Framework Tiers establish a required level for prevention of cyber-intrusion and data exfiltration at an organization.  There are four defined tiers: Partial, Risk Informed, Repeatable, and Adaptive.  The highest level, Adaptive, involves an organization-wide approach to risk management and includes decision making based on current and predictive risk and the incorporation of continuous improvement methodologies.

Existing Cybersecurity Requirements for Government Contracts

Numerous requirements are already in effect for those companies engaged in business with the Federal Government.  For those involved with contracts with the Department of Defense, CMMC 2.0 will be required.

Currently CMMC 2.0 requirements are divided into three levels of compliance:

  • CMMC Level 1 – Foundational is comprised of the 17 practices described in FAR 52.204-21 and requires an annual self-assessment.
  • CMMC Level 2 – Advanced is comprised of 110 practices which are aligned with the NIST SP 800-171 Revision 2. This is a set of security practices and security standards for non-governmental organizations that handle Controlled Unclassified Information (CUI). It requires that a third-party assessment be conducted every three years for information deemed critical for national security. It also requires an annual internal assessment.
  • CMMC Level 3 – Expert includes over 110 practices based on the NIST SP 800-17 cybersecurity standard and includes further controls.  There is also a requirement for triennial assessments conducted by government representatives. 

CVG Strategy Export Compliance Management Programs

As this BIS publication points out, export compliance is a growing and dynamic concern for businesses engaged in sales of items that are intended for international sales or could result in international sales. Failure to comply with regulations can result in criminal prosecution including imprisonment and fines. It can also result in civil penalties and disbarment from export activities.

CVG Strategy can help you in understanding the ITAR and EAR, and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.  

CVG Strategy Information Security Management System Consultants

Cyber-intrusion and data exfiltration are a concern to organizations of all sizes. While those in business leadership roles are increasingly aware of the importance of cyber resilience, resources and necessary talent are often in short supply. To assist businesses in meeting the challenges of adopting a variety of requirements, including NIST and CMMC 2.0, CVG Strategy has developed an approach that combines these requirements with the ISO 27001 Information Security Management System. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.