OMB Releases Draft Cybersecurity Guidance; New FAR Regulations on the Horizon

Government Contracts Update

Date: August 13, 2015

The Office of Management and Budget (OMB) today released draft guidance on improving cybersecurity protections in federal procurement in the wake of several recent high-profile, high-impact government data breaches. The new guidance provides minimum information security requirements for contractors handling Controlled Unclassified Information (CUI). It also instructs agencies on important security assessment, monitoring and due diligence functions. The guidance will likely form the basis of a new Federal Acquisition Regulation (FAR) Council regulation on CUI expected in 2016.

Once final, the guidance, “Improving Cybersecurity Protections in Federal Acquisitions,” will likely provide requirements in the following five areas, each of which impacts how contractors develop and maintain their information security systems:

  • Security controls. The guidance relies heavily on existing requirements set forth in National Institute of Standards and Technology (NIST) Special Publications (SP) 800-53 and 800-171. The guidance distinguishes contractors operating systems containing CUI “on behalf of the Government” from contractors operating their own systems. The former are subject to NIST SP 800-53 (standards applicable directly to federal agencies), while the latter are subject to the recently released SP 800-171 (specifically tailored to federal contractors’ systems). The guidance also adopts the established method for selecting baseline security controls using the impact classifications in OMB’s Federal Information Processing Standard (FIPS) 199.
  • Cyber incident reporting. Once the guidance is final, agencies will be required to modify or create contract clauses requiring contractors to supply certain critical information following a “cyber incident” to agency Computer Security Incident Response Teams (CSIRTs) or Security Operations Centers (SOCs), as well as to Contracting Officers (COs) and other agency personnel, to allow the government to respond to the incident adequately and in a timely manner.
  • Information system security assessments. The guidance will require agencies to ensure that contractors have the required Authority to Operate (ATO) in place and to assess the security of contractors’ systems under the NIST controls described above. Agencies will be permitted to accept several varieties of security assessment result evidence, including independent third party verification.
  • Information security continuous monitoring (ISCM). The guidance encourages agencies to develop ISCM as a way of maintaining ongoing awareness of federal contractors’ information security capabilities. The guidance does not specify a particular technology or program to achieve ISCM. To the extent agencies do not implement ISCM, they must require that contractors meet or exceed security monitoring requirements set forth in OMB Memorandum M-14-03.
  • Business due diligence. The guidance authorizes the General Services Administration to build a business due diligence information sharing service so agencies can review risk information collected from voluntary contractor reporting, public records and other data.

Regardless of whether or not they choose to comment on it, federal contractors should appreciate that this guidance will substantially inform the first FAR clause on CUI as well as a host of agency-specific FAR supplement clauses on CUI. As such, federal contractors should consider taking steps to get ahead of the compliance curve, such as:

  • Assessing their own information security capabilities. Examine existing contracts, evaluate known threats, consider the risk of unknown threats, take stock of lessons learned from any previous incidents and evaluate whether present security capabilities comply with what government agencies currently require.
  • Monitoring their information security capabilities. Be on the lookout for vulnerabilities – even compliant information security systems may be susceptible to certain types and levels of threats. Consider whether there are best practices or industry standards that would improve security capabilities in a way that is consistent with goals and budget.
  • Ensuring the right policies and procedures are in place. Take steps to ensure employees know how to detect, report and respond to a cyber incident. Have a chain of command in place that ensures the chief information security officer knows about any incidents as promptly as possible. Not only is this a best practice, it will ensure that the organization complies with its reporting obligations under applicable clauses.

For more information, please contact:

Thomas F. Zych

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.