Robert Metzger Interviewed About Cyber Risks & Protecting Government Data -- Limited focus of NIST 800-171 raises doubts. Is the government doing enough?
Robert Metzger was interviewed for an article published in Inside Cybersecurity, October 29.
The article discusses the efforts of the National Institute of Standards and Technology (NIST) and Department of Defense (DoD) rules to address cybersecurity threats.
Metzger expressed doubts that NIST guidelines were strong enough to fend off “the exfiltration of protected information.” He also suggested that “contract language should be used to set tougher requirements for protecting data and systems.”
The article indicates that NIST Special Publication (SP) 800-171 does not adequately address “advanced and systemic” risks. DoD regulations require defense suppliers to implement the 110 cybersecurity safeguards of SP 800-171.
NIST SP 800-171 focuses on protecting “data confidentiality,” but doesn’t go far enough “to address the latest threats which pose risks to system operations that could result in physical harm,” according to Metzger.
“They don’t protect against enough threat vectors and are not now tailored for high risk, high impact situations.”
He also said recent attacks go much further than stealing confidential information. “Blended operations” of attackers are “intended to achieve a number of adverse consequences that may include the exfiltration of protected information, but also could go well beyond that to compromise critical infrastructure, logistics systems, sensors, weapon systems and platforms.”
The complete article can be found here.
About Robert Metzger
Mr. Metzger is a member of the firm’s Government Contracts and Complex Commercial Litigation Practice Groups and is the head of RJO’s Washington, D.C. office. He is recognized as among the nation’s leading experts in cybersecurity and supply chain risk management. He advises leading U.S. and international companies on key public contract compliance challenges and in strategic business pursuits. His litigation practice includes representation of companies in civil matters in federal and state courts and before administrative agencies. He also has extensive experience in federal and state bid protests and in controversies arising from information technology (IT) implementation projects.