New Draft Security Guidance May Mean More Cost to Contractors

OMB posted the proposed guidance on the cio.gov website (although it’s buried) and posted it for public feedback on GitHub in an effort to reach a broad audience of stakeholders to aid in its further enhancement. The guidance will be open for comment until September 10.

The goal of the guidance is to strengthen cybersecurity protections in federal acquisitions and mitigate the risk of future security incidents. The purpose proposed memorandum provides guidance to Federal agencies on implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provides access to Controlled Unclassified Information (CUI) on behalf of the Federal government.

The guidance describes steps that agencies should take to perform better business due diligence to support risk management throughout the entire lifespan of an outsourced capability. The bases for the guidance are several government documents, including NIST Special Publications, FISMA, Executive Orders, OMB memoranda, etc.

Provisions Impacting Contracting

The guidance distinguishes between systems operated “on behalf of the Government” and a contractor’s internal system used to provide a product or service for the Government. OMB will review compliance during FedStat and CyberStat sessions and the Federal Acquisition Regulatory Council will amend the Federal Acquisition Regulation (FAR) to provide for inclusion of related contract clauses.

The main substance of the guidance addresses the following areas:

• Security Controls – Agencies must require the contractor systems to meet its risk management requirements based in in NIST SP 800-53 and maintain a moderate confidentiality baseline for CUI. Cloud service providers are also covered under this provision. Contractor internal systems used to provide a product or service to the government but incidentally contain CUI must apply NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
  
  
• Cyber Incident Reporting – Agencies are to include specific contract language to ensure detailed reporting of cyber incidents that involve the loss of confidentiality, integrity, or availability of data is critical to the government’s ability to determine appropriate response actions and minimize harm from such incidents. While cyber incident reporting requirements for both categories of systems are similar, reporting of cyber incidents affecting a contractor’s internal system is limited to incidents affecting CUI, not every cyber incident affecting the contractor system.
  
  
• Information System Security Assessments – Contractors operating systems or providing a service that handles information on behalf of agencies are required to ensure certain safeguards and an Authority to Operate (ATO) are in place prior to operation of the system per NIST risk management standards. Agencies are to use relevant existing ATOs an indication of common controls and capabilities for the performance of multiple contracts. Agencies should assess contractor systems based on Federal Information Processing Standard (FIPS)-199, agency privacy assessments, and other risk assessments. Once a contract is underway, contractors must grant agencies access for security reviews on a periodic and event-driven basis for the life of the contract. Further, agencies should specify that the contractor will provide access to the contractor’s facilities, installations, operations, documentation, databases, IT systems, devices, and personnel. Finally, the guidance instructs agencies to include contract language requiring that the contractor follows NIST Media Sanitization standards and certify the results prior to contract closeout.
  
  
• Information Security Continuous Monitoring – The Information Security Continuous Monitoring (ISCM) initiative and Continuous Diagnostics and Mitigation (CDM) program have been established to facilitate security monitoring of systems. Under the new guidance, if an agency determines that it is not feasible to provide CDM capabilities to a contractor operating information systems on behalf of the government then the contract must include provision that ensure that contractor-operated systems meet or exceed the ISCM requirements identified in OMB and NIST standards. Further, the agency may elect to perform ISCM and IT security scanning of contractor systems with tools and infrastructure of its choosing. Existing contracts that allow contractors to self-report required ISCM information may be revisited from the standpoint of agencies and contractors collaborating to implement an appropriate solution that fulfills the ISCM requirements.
  
  
• Business Due Diligence – The guidance affirms that agencies can increase their overall cybersecurity and reduce their supply chain risk through greater due diligence in understanding how contractors develop and deploy their products and services as well as how contractors assure integrity, security, resilience, and quality in their operations. To this end, the guidance outlines several actions to be taken by various government stakeholders, including:
  • Agency CIOs and program offices will together identify and prioritize planned acquisitions and contracts that can benefit from business due diligence research
  • GSA shall create a business due diligence information shared service, make supporting research tools available to agencies
  • Various federal stakeholders, including the CIO, GSA and OFFP will develop risk indicators that should be used as a baseline for business due diligence research and other core requirements for the shared service.
    
    

Implications

While the guidance is still open for public comment it is likely the final version will not deviate greatly from its current provisions. The hopes are that these steps will raise the overall cybersecurity posture of federal agencies and their supporting contracting firms, and thus the nation as a whole. As with all things, execution will be a key determinant.

Several items above translate into greater demands on agencies and contractors for more mature processes, standards, and IT management. The guidelines also point to more security-related contract riders that will raise the stakes for bidders. Other provisions that increase reporting and auditing of contractor systems, etc. will increase costs on contractors … costs that will be passed onto agencies in contract rates or drive down operating margins, providing a disincentive to bid on government work.