Federal Cybersecurity Areas to Watch in 2024

Published: January 04, 2024

Federal Market Analysis | Cybersecurity | Policy and Legislation

Multiple ongoing efforts to bolster federal cybersecurity have major implications for contractors.

As we begin 2024 and look to potential opportunities in the new calendar year, there are various federal policies and initiatives aimed at improving cybersecurity – for both federal agencies and their supporting contracting companies. While many of these efforts focus on operational cybersecurity, several have significant acquisition and regulatory elements that impact agency procurement and contractor cybersecurity practices. Here are four key cybersecurity areas which contractors should watch in 2024.

National Cybersecurity Strategy Implementation Plan

The White House National Cybersecurity Strategy Implementation Plan (NCSIP) outlines more than 65 “high impact” initiatives, with leadership spread across 18 federal agencies. The Office of the National Cyber Director (ONCD) will coordinate, OMB will ensure budget alignment and CISA will manage much of the civilian agency-wide cybersecurity policies and initiatives.

In addition to pushing forward on key priorities in modernizing federal cybersecurity capabilities, the NCSIP details plans that will impact contracted services and solutions, including increasing cloud services cybersecurity and requiring secure-by-design software and hardware. Regulatory and acquisition priorities include harmonizing cyber regulations and proposing Federal Acquisition Regulation (FAR) changes to address cybersecurity incident reporting and other areas. The Department of Justice is charged with expanding its Civil Cyber-Fraud Initiative (CCFI) efforts to identify and prosecute under the False Claims Act companies that fail to comply with cybersecurity requirements included in their federal contracts or grants.

Department of Defense Cybersecurity Maturity Model Certification (CMMC) Enactment

The DOD’s CMMC 2.0 program continues to progress toward a potential 2024 roll-out, with multiple concurrent efforts underway.

Over the December 2023 holidays, the DOD officially released their highly anticipated CMMC proposed acquisition rule for public comment through February 26, 2024. The fact that there are no major surprises in the proposed rule suggests that the DOD is essentially settled on their approach, as revised under CMMC 2.0 in 2021. (An additional CMMC rule impacting changes to the Defense Federal Acquisition Regulation (DFAR) to further address how CMMC will be implemented into acquisition contract provisions is anticipated in March 2024, and the two rules will need to be synchronized.)

While the final rules codifying the CMMC program may not be anticipated until late 2024, DOD contractors should already be taking steps to adhere to the underlying NIST SP 800-171 standards appropriate to their contract work and seeking the appropriate level of provisional third-party assessments, if applicable. Companies that delay risk “playing catch-up” and potentially losing business, especially as more firms seek third-party assessments to meet CMMC Level 2 and Level 3.

Standardizing Cyber Contract Language – Proposed Acquisition Rule

Section 2 of the 2021 Executive Order 14028 “Improving the Nation’s Cybersecurity” required the Cybersecurity and Infrastructure Security Agency (CISA) to review agency-specific cybersecurity requirements and recommend standard language for federal contracts. In October 2023, DOD, GSA and NASA proposed a rule to revise the Federal Acquisition Regulation (FAR) based on those recommendations, which would add a new subpart (FAR 39.X, “Federal Information Systems”) to provide the policies and procedures agencies should follow when acquiring services to develop, implement, operate, or maintain a Federal Information System (FIS). The proposed rule was open for comment until December 4, 2023, so now the agencies will need to adjudicate those comments and possibly revise the rule considering this input.

In addition to leveraging existing OMB policies and NIST guidance, the proposed rule adds new contract clauses impacting both cloud and non-cloud services procured to develop, implement, operate or maintain an FIS. The scope of the rule also includes Internet of Things (IoT) devices and Commercially Available Off-the-Shelf (COTS) items.

Agencies would be required to specify the impact level of the FIS based on the Federal Information Processing Standard (FIPS) security controls and FedRAMP authorization level, if leveraging a cloud service. Further, agencies would be required to specify the security and privacy controls needed for each contract, following NIST guidance.

Contractors must provide their agencies and CISA with access to federal data, etc. for auditing, investigating and inspection purposes; develop system security, continuous monitoring and contingency plans based on NIST guidance for all FIS; and ensure relevant contract clauses are included in related subcontracts. Cloud service providers will also be required to maintain security controls aligned with the FedRAMP level specified by the agency and report on continuous monitoring activities.

The Federal Risk and Authorization Management Program (FedRAMP) Modernization

The role of cloud in federal agencies’ IT modernization and cyber strategies raises the importance of FedRAMP. Both Congress and OMB have been working to modernize FedRAMP, expanding oversight capabilities as well as operational guidance.

The FedRAMP Authorization Act, included as part of the FY 2023 NDAA, established a FedRAMP Board and Federal Secure Cloud Advisory committee to provide program oversight and recommendations; required GSA to institute processes supporting the FedRAMP program’s operation; and introduced a “presumption of adequacy” clause permitting agencies to use FedRAMP-authorized solutions without the need for additional security checks.

In October 2023, OMB released a draft memo on proposed modernizations to FedRAMP, as required by the FedRAMP Authorization Act, and public comment was accepted through December 22. Once OMB finalizes the guidance, expected actions by GSA include detailing program activities, staffing and budget for implementing program modernization and producing a plan to structure FedRAMP to transition federal agencies away from using government-specific cloud infrastructure. In addition, each federal agency will be required to update their policies to promote the use of cloud computing products and services that meet FedRAMP security requirements and other risk-based performance requirements.

Implications

With these efforts comes increasing oversight and accountability for agencies and contractors to improve internal cybersecurity practices and associated compliance processes. Both agencies and contracted service providers will be expected to increase the visibility and transparency of their cybersecurity operations and incident response and reporting data. Agencies will push these pressures down to the contractors supporting agency programs, and primes will be required to pass through cybersecurity provisions in contracts to their subcontractors and be held accountable for their compliance.

DOD contractors should prioritize complying with NIST 800-171 security controls and others within their internal cyber operations as well as pursue provisional third-party assessments in preparation for CMMC implementation. Firms should likewise prepare for the various cyber attestations that are coming, as well as prepare for more scrutiny of these attestations.

Contracted service and product companies should review the various coming acquisition rules and proposed standardized contract provisions and ensure that their business and solutions development processes will pass muster when these rules are finalized.

Cloud service providers and agencies alike must begin preparing for changes to FedRAMP, to shift away from government-specific clouds, to update their continuous monitoring processes and to automate electronic transmission of authorization and continuous monitoring information.

---

To learn more, check out our report, Federal Contracting Trends to Watch in 2024.