Minimizing Cyber Risks For Our Clients And Partners
As technology becomes even more critical to the acquisition process, cybersecurity is at the forefront of everyone's mind. Booz Allen is taking steps to ensure that our data and internal systems are protected and compliant with applicable laws and regulations. We also must ensure that the data within our subcontractors' control, and transmitted by our subcontractors to others, is protected and compliant with these same laws and regulations.
It is critical that our subcontractors can protect all forms of sensitive data. As a firm, we are taking a proactive approach to minimize cybersecurity risks to our national security and government clients. Prime contractors that are not compliant with these cybersecurity requirements risk losing further contract awards, as well as possible impacts to existing contracts.
It is imperative that our suppliers are aware of the requirements related to DFARS 252.204-7012, NIST SP 800-171, and the Cybersecurity Maturity Model Certification process.
The Federal Information Security Modernization Act
The Federal Information Security Modernization Act of 2014 was enacted to update the federal government's cybersecurity practices. The main goals of FISMA are to:
- Codify Department of Homeland Security authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems.
- Amend and clarify the Office of Management and Budget's oversight authority over federal agency information security practices.
- Require OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting."
Cybersecurity Executive Order Establishes Framework To Strengthen Cybersecurity Elements Of Federal Government Contracts
The Situation: On May 12, 2021, President Biden issued an Executive Order on Improving the Nation's Cybersecurity, which calls for bold and extensive action designed to update and standardize requirements and procedures relating to cybersecurity and Federal Government contracts.
The Result: The Executive Order establishes an aggressive and detailed plan for rapidly strengthening the ability of the Federal Government and its contractors to detect and respond to cyber incidents.
Looking Ahead: Federal Government contractors should anticipate a swift rollout of proposed changes and updates to cybersecurity requirements and be prepared to meet these new requirements as they are released.
In the wake of persistent and increasingly sophisticated malicious cyber attacks, President Biden issued an Executive Order on Improving the Nation's Cybersecurity aimed at strengthening cybersecurity in the public and private sectors. As part of this effort, the Executive Order sets forth a framework and specific guidelines for updating and standardizing cybersecurity requirements and procedures relevant to Federal Government contractors. This summary focuses on those directives.
The Executive Order establishes three parallel tracks designed to strengthen and standardize cybersecurity requirements in connection with Federal Government contracts.
Sharing Cyber Threat Information and Collaborating with Response Agencies
Standardization of Cybersecurity Contract Language
Specific Cybersecurity Requirements For Contractors
In recent years, several federal agencies including the Department of Defense have issued acquisition regulations that impose new cybersecurity requirements on contractors. The top four requirements that your organization should be familiar with are listed below:
- Federal Information Security Modernization Act
- DOD Defense Federal Acquisition Regulation Supplement clause 252.204-7012
- NIST 800-171 Migration to CMMC
Given the highly technical nature of each one of these regulations, policies, and emerging trends, it's important to review each one of these subjects in detail.
A Govt Contractors Road Map To Biden Cybersecurity Order
This will affect developers, resellers and users of software extending well into the commercial marketplace.
Following input from industry in the coming months, expect new NIST guidelines on software supply chain security by November (within 180 days of the executive order). Throughout this summer, expect significant attention to key definitions and standards, including the definition of critical software.
Within one year of the executive order (mid-May 2022), designated agencies shall recommend to the FAR Council new rules regarding software security, including certification requirements. Following these FAR amendments, agencies shall begin removing noncompliant software from purchase by federal agencies.
There can be little doubt that this executive order is an ambitious use of executive power to address a serious and continuing threat to our national security. While the devil is in the details, and the rollout will take some time, government contractors and their suppliers should plan ahead and take advantage of the opportunity to evaluate their exposure, comment on the rulemaking, and prepare to bring to bear the resources they will need to operate in a new compliance environment.
A Govt Contractors Road Map to Biden Cybersecurity Order, by Justin A. Chiarodo and Sharon R. Klein, was published in Law360 on June 11, 2021.
Need To Make A Procurement
Review key questions to consider regarding when agency cybersecurity experts should be consulted in the procurement of new equipment, systems, or services.
Federal agencies pursuing energy improvements using performance contracting vehicles, such as energy savings performance contracts (ESPCs) and utility energy service contracts (UESCs), must be sure that energy projects, and the specific energy conservation measures that will be implemented, do not introduce cybersecurity vulnerabilities at the federal facilities where they are installed.
Legal and regulatory cybersecurity requirements provide the framework for federal and agency-specific policies and conditions for cybersecurity across federal facilities. These include, but are not limited to:
- E-Government Act
- Federal Information Security Management Act of 2014, as amended
- Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
- National Institute of Standards and Technology Cybersecurity Framework Version 1.1
- NIST’s Federal Information Processing Standards
- All other applicable cybersecurity guidance and best practices as laid out in other NIST Special Publications
- All cybersecurity requirements and policies of the contracting federal agency.
Federal project executives can advise agencies on including cybersecurity control terms and conditions in their ESPCs or UESCs starting with acquisition planning through project development and post-award review.
DoD's New Cybersecurity Requirements For Contractors
Starting in September, the Department of Defense will demand that bidders on DoD contracts meet higher cybersecurity requirements. And bidders will no longer be able to self-certify their compliance. Below are high-level questions guiding you on what you need to know.
What are these higher cyber requirements?
The higher cybersecurity requirements are in the Department of Defense's new Cybersecurity Maturity Model Certification (CMMC) framework. This framework is intended to be incorporated into the Defense Federal Acquisition Regulation Supplement and will be used as a requirement for all Department of Defense contract awards. The CMMC framework will serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place among the entire DoD supply chain.
DoD contractors must be certified at one of the five levels and must meet the contract requirement at the time of bid submission. The level of the CMMC certification required is dependent upon the type and nature of information flowed down from the prime contractor and/or the government client. The DoD will set the certification level designation for each contract at the time of releasing the solicitation.
The CMMC Third Party Assessment Organization (C3PAO) will verify whether the government contractor's internal processes and procedures have met the appropriate level of cybersecurity requirements and procedures for their business.
Ready Or Not Government Contractor Cybersecurity Requirements Roll Out This Month
New Department of Defense regulations related to government contractor cybersecurity requirements become effective Nov. 30, 2020.
The progressive steps to mandatory contractor Cybersecurity Maturity Model Certification are expected to roll out over the next five years. However, certain preliminary actions are required this month to ensure that contractors are eligible for award of new contracts, task orders, delivery orders or option terms.
History of Cybersecurity Requirements. The new CMMC requirements build on existing regulations. Under DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, contractors are required to comply with National Institute of Standards and Technology SP 800-171 in the protection of certain contractor and government information. Defense contractors and subcontractors are required to provide "adequate security" to store, process or transmit Controlled Unclassified Information on information systems or networks, and to report cyber incidents that affect those systems or networks. Based on DoD research, contractors essentially performed a system gap analysis and developed a plan for compliance, or Plan of Action and Milestones (POA&M). However, the government has had low visibility regarding contractors' actual implementation of and compliance with the 110 NIST SP 800-171 security requirements.
How EY Can Help
The U.S. Government is the world's largest buyer of goods and services. Keys to a successful business relationship with the U.S. Government include knowledge of applicable regulations, operational capability and the innovation that you bring to the table to achieve, maintain and demonstrate economic viability, security, efficiency and compliance.
The order focuses on information sharing requirements for DoD federal contractors or suppliers. However, non-DoD contractors will likely benefit from evaluating whether these changes will raise expectations for sharing cyber incident information with federal agencies. For example, businesses may benefit from tracking guidance and expectations regarding what information to share and when. Forthcoming guidance may help inform organizations contracting with civilian agencies with respect to how to manage information sharing, which can often be time-consuming while resources are stretched during the response to a cyber incident. Notably, while mentioning privacy considerations, the order clearly outlines expectations that increased sharing can occur while adhering to privacy laws, regulations and policies.
This could be laying the groundwork for the requirements of the Cybersecurity Maturity Model Certification becoming required for contractors, regardless of the agency with which they contract.
Standardizing The Federal Government's Response To Cybersecurity Vulnerabilities And Incidents
Within 120 days of the date of the order, the secretary of homeland security shall develop a standard set of operational procedures to be used in planning and conducting cybersecurity vulnerability and incident response activities with respect to all agency systems except those of the DoD and the intelligence community.
Top Cybersecurity Considerations For Government Contractors In 2021
Although it was already apparent, recent events have made it even clearer that cybersecurity is an essential concern for government contractors. The coming year is poised to include many cybersecurity-related changes and developments. Below we highlight just a few:
Continued Rollout of Department of Defense's CMMC Program
The Department of Defense interim rule for its Cybersecurity Maturity Model Certification Program went into effect November 30, 2020. Although full CMMC implementation will not be achieved until 2025, a number of steps must be taken by contractors in the coming year. First, registration and reporting of assessment scores in accordance with the DoD Assessment Methodology (NIST Special Publication 800-171) in the Supplier Performance Risk System are now required of all DoD contractors and subcontractors that handle controlled unclassified information (CUI). Second, the first pathfinder contracts requiring CMMC review have been announced by DoD. Contractors and subcontractors seeking to obtain these contracts, expected to be awarded in late 2021, will need CMMC certification by the date of award in order to participate. More contract opportunities that require CMMC certification will be forthcoming this calendar year, meaning the race is on for contractors to come into compliance and line up for assessment, lest they be excluded from DoD contracting altogether.
Legislative Changes Impacting Cybersecurity for Government Contractors
Defense Federal Acquisition Regulation Supplement
The Defense Federal Acquisition Regulation Supplement (DFARS) Part 252, Solicitation Provisions and Contract Clauses, governs cybersecurity requirements for federal contractors. It requires that contractors provide adequate security, report cyber incidents, submit any malicious software discovered and submit media to support damage assessment.
- Multi-factor authentication of local and network access
- FIPS-validated cryptography to protect CUI when transmitted or stored externally
- Develop a NIST SP 800-171 System Security Plan
- Possess External Certificate Authority as verified by DCMA
- Report cyber incidents within 72 hours to DoD. Submit an incident report, any malicious software and provide access to information systems
DFARS further requires that contractors implement the National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171). Its requirement families include the following.
Access Control
- Limit information system access to authorized users
- Limit information system access to permitted transactions and functions
Awareness and Training
- Ensure managers, administrators and users are aware of policies, standards and procedures
- Ensure personnel are adequately trained to carry out assigned duties and responsibilities
Audit and Accountability
- Create, protect and retain information system audit records
- Ensure the actions of individual users can be uniquely traced to those users
Identification and Authentication
Top 10 Government Cybersecurity Company Contractors
The rampant increase of cybersecurity threats costs the United States economy billions of dollars yearly. The federal government has recognized these threats to economic and national security, as it is an easy target for its valuable information, enticing digital thieves.
In the fiscal year 2020, President Biden's budget reached over $17.4 billion for cybersecurity-related activities alone, with a 5% increase from last year due to some activities' extreme sensitivity. Simply figuring out how a cyberattack happened could cost as much as $15,000. There are a few notable cybersecurity firms for government agencies to choose from. But which ones are the best out there? This post will cover the top cybersecurity government contractors!
Safeguarding Controlled Unclassified Information
In 2017, the Department of Defense implemented requirements to enhance the protection of controlled unclassified information (CUI) within the supply chain. In addition to the reporting requirement, DOD set standards to protect CUI, as recommended by the National Institute of Standards and Technology, and expected the supplier community to do the same.
However, over time, the DOD Office of Inspector General found that DOD suppliers were not consistently implementing the mandated requirements for safeguarding CUI. This was partly because DOD relied solely on suppliers to self-report their progress. Thus, DOD implemented a "trust but verify" policy requiring suppliers to complete a self-assessment based on the NIST 800-171 controls and to send their score to the DOD Supplier Performance Risk System (SPRS) database.
Frequently Asked Questions for Suppliers
Covered defense information is CUI, as described in the Controlled Unclassified Information Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and is either:
The full requirements can be found in the NIST publication: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
New Cybersecurity Requirements For Government Contractors
Effective June 15, 2016, a new rule recently published by the US Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) will require federal government contractors to apply 15 basic cybersecurity safeguarding requirements and procedures to protect their information systems. All safeguarding requirements are based on security requirements published in the National Institute of Standards and Technology's Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
What Are The NIST 800-171 Requirements
The National Institute of Standards and Technology developed a Special Publication that provides requirements for protecting controlled unclassified information (CUI). These NIST 800-171 requirements for government contractors are broken down into 14 compliance families, which contain over 100 individual requirement statements and translate into over 300 assessment objectives on the part of a DoD contractor.
If your organization currently executes a DoD contract or plans on proposing to DoD contracts in the future, you need to start now to align the technical, managerial, and operational facets of your information system to the NIST 800-171 or CMMC requirements.
- System and Information Integrity
What Do These Cybersecurity Requirements Look Like For Prime Government Contractors
The vast majority of, if not all, DoD prime contractors process some sort of Controlled Unclassified Information and must abide by these cybersecurity requirements. Prime contractors (primes) have historically had a difficult time extracting from their DoD program management offices exactly what information is considered Controlled Unclassified Information. That's because the DoD hasn't adopted the Controlled Unclassified Information process as efficiently as it could have.
For a while, it was up to the primes to guess what information was considered Controlled Unclassified Information. Of late, however, DoD contracting officers have begun including language in solicitations and contracts specifying what information is considered Controlled Unclassified Information. It currently looks like the cybersecurity requirement for government contractors possessing CUI will be CMMC Level 3, 4, or 5.
When the process is perfected, all contracts will include a Security Classification Guide (SCG) or equivalent, which dictates classification, marking, and handling requirements for all information types processed under the contract. If, as a prime, your contract does not currently provide an SCG, ask for one; it's the DoD's duty to provide one.
What Is The Status Of The Biden Cybersecurity Executive Order
President Biden signed a National Security Memorandum to improve the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems, as required in his Executive Order 14028, Improving the Nation's Cybersecurity, which outlines the following:
At a recent Bloomberg Government event, The Cybersecurity Landscape: Bridging the Gap, Sonny Hashmi, commissioner of the U.S. General Services Administration's Federal Acquisition Service, discussed the progress that the GSA has made in implementing the Biden executive order for cybersecurity. A few of the major takeaways include vendor assessment programs and communities of practice.
"We're continuing to develop ways to help agencies reduce cyber supply chain risk through vendor assessment programs so that when we engage with the vendor community, we have a threat or risk profile," Hashmi said. "We're not only working with U.S. companies, but we're also working with companies and suppliers across the globe; we need to understand where those risks, including cybersecurity risks, corporate foreign ownership risk, and so forth, need to be further investigated."