Looking Ahead to 2023 – Key Cybersecurity Compliance Areas to Watch

Published: December 07, 2022


Multiple concurrent efforts to address federal cybersecurity priorities have implications for contractors.

As we begin to close out 2022 and look to the new calendar year, there are numerous policies and initiatives aimed at achieving government-wide objectives towards improving cybersecurity – for both federal agencies and their supporting contracting companies. Here are three key cyber-related areas which contractors should watch in 2023.

White House Cybersecurity Executive Order (EO) 14028 Implementation Activities

The White House’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity” set agencies to work on the cybersecurity issues of highest priority to the administration. Two areas among several to watch include:

  • Supply Chain Security – Agencies are under mandates to improve supply chain security, which translates into pressure on product and services providers. For software supply chain security (SSCS) in particular, Federal Acquisition Regulation (FAR) contract language updates are imminent, requiring software suppliers to comply with and attest to following National Institute of Standards and Technology (NIST) secure software development guidance. Agencies will be collecting attestations and Software Bills of Materials (SBOMs) from software vendors verifying adherence to secure development practices.
  • Cloud Security – A federal cloud-security strategy and FedRAMP modernization plan are expected, building on CISA’s Cloud Security Technical Reference Architecture (TRA) addressing cloud migration, data protection and zero trust. Commercial cloud and services providers and cloud integrators are likely to be impacted.

Department of Defense Cybersecurity Maturity Model Certification (CMMC) Enactment

The DOD’s revised CMMC 2.0 program continues to progress toward a 2023 roll-out, with multiple concurrent efforts underway. DOD contractors must take steps to adhere to the NIST standards appropriate to their contract work or risk losing business.

  • Transitional Assessments – During the transition to full CMMC implementation, companies working at medium- or high-security levels are to undergo an assessment of their compliance with NIST SP 800-171 standards, the underlying standard for CMMC.
  • DFARS Rule Coming – The DOD hopes to complete work on an Interim Final DFARS Rule by March 2023 and begin adding CMMC into contracts in May 2023, while completing work on a final rule. The CMMC DFARS rule is being finalized in parallel with the NIST SP 800-171 DOD Assessment Requirements Update (DFARS case 2022-D017).

The Federal Risk and Authorization Management Program (FedRAMP) Evolution

The role of cloud computing in federal agencies’ IT modernization and cyber strategies raises the importance of FedRAMP within the federal IT landscape. FedRAMP continues to rapidly grow the number of authorized cloud products and its leadership plans to expand operational capabilities as well as shore up security guidance.

In a September 2022 report, the U.S. Government Accountability Office (GAO) noted weaknesses in FedRAMP’s requirements and guidance for implementing certain security controls. These weaknesses contributed to several agencies failing to: include all required information in their cloud systems’ security plans; summarize security control test results in security assessment reports; and identify required information regarding cloud service deficiencies and mitigation tactics within remedial action plans. GAO recommends that the Office of Management and Budget (OMB) expand agency oversight and that the FedRAMP Program Management Office (PMO) provide additional guidance and program requirements.

Implications for Contractors

With these efforts comes additional oversight and accountability to improve the visibility, transparency and performance of agency cybersecurity operations and postures in real time. Agencies will push these pressures down to the contractors supporting agency programs.

Expect increasing scrutiny and oversight from OMB, Congress and other oversight bodies. Some of this may potentially come with additional reporting burdens for agencies and contractors. DOD contractors should expect more scrutiny of cyber self-attestations under the CMMC program than previous self-attestation processes. Cloud service providers may anticipate additional reporting or compliance requirements coming out of OMB and the FedRAMP PMO.

---

To learn more, check out our report, Federal Contracting Trends to Watch in 2023.