The White House Office of Management and Budget (OMB) on Tuesday released draft guidance concerning federal government contractor information technology (IT) security that would require consistent standards across services that relate to sensitive information.
The proposed rules would direct federal agencies to implement stronger cybersecurity protections in acquisitions for products or services that generate, collect, maintain, disseminate, store, or provide access to Controlled Unclassified Information (CUI) on behalf of the federal government, according to the draft guidance.
The guidance was released for public feedback on GitHub, an open source platform, “to signal transparency in Federal policymaking and to reach a broad audience of stakeholders to assist in further enhancing this guidance.”
“The threats facing Federal information systems have dramatically increased as agencies provide more services online, digitally store data, and rely on contractors for a variety of information technology (IT) services…The increase in threats facing Federal information systems demand that certain issues regarding security of information on these systems should be clearly, effectively, and consistently addressed in Federal contracts,” the guidance said.
This draft, Improving Cybersecurity Protections in Federal Acquisitions, is the result of an OMB-directed interagency working group formed by the Federal Chief Information Office (CIO) Council and the Chief Acquisition Officers (CAO) Council. Created to review current contract clauses and IT acquisition policies and practices around contractor and subcontractor information system security, the group intends the guidance to be a major step towards mitigating the risk of future cybersecurity incidents.
The guidance also seeks to address inconsistent security regulations for contractors that may have led to the recent OPM intrusions, which were linked to a compromised contractor account (Defense Daily, June 17).
Notably, according to the council’s consultations, “it was determined that agency contracts often lack language governing when and how contractors are required to report information security incidents when they occur and when and how contractors should provide notification of breaches to affected individuals and third parties.”
The proposed guidance intends to strengthen government agencies’ clauses regarding the type of security controls that apply, notification requirements for when an incident occurs, and the requirements around assessments and monitoring of systems, OMB said.
“In addition to this, the Guidance outlines a business due diligence service that agencies can use to help ensure they are contracting for secure products and services.”
The guidance notably allows agencies to provide the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) capabilities to contractors that operate systems on behalf of the government.
If an agency determines providing CDM to a contractor is not feasible, the contract must at a minimum ensure contractor-operated systems meet or exceed information security continuous monitoring requirements identified in OMB Memorandum M-14-03, and the agency may elect to perform information security continuous monitoring and IT security scanning of contractor systems with tools and infrastructure of its choosing.
The requirements in the document are based on several federal cybersecurity regulations including the Federal Information Security Modernization Act of 2014 (FISMA); Office of Management and Budget (OMB) policy; National Institute of Standards and Technology (NIST) standards regarding a framework for securing government and contractor information systems; NIST Special Publication (SP) 800-37, the Guide for Applying the Risk Management Framework to Federal Information Systems; NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations; NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations; and Executive Order 13556 – Controlled Unclassified Information (CUI).
The feedback period lasts 30 days, through Sept. 10, and comments will be reviewed using an iterative approach, OMB said.