Federal Contractors Now Subject to 15 “Basic Safeguarding” Cybersecurity Requirements – Are You Ready?
By Neal W. Beggan, CISA, CRMA, CRISC
Cherry Bekaert LLP Risk Advisory Services
Nearly four years after the Department of Defense (DoD), NASA, and the General Services Administration (GSA) jointly proposed a rule on IT security and the handling of contract data, a revised final rule tailored to the future of Federal contracting has arrived. On June 15, 2016, a new set of cybersecurity requirements took effect, obliging contractors and consultants across a wide range of industries to provide “basic safeguarding” of the systems that store, process, and transmit the newly defined category of “Federal contract information” (described below).
The rule differs from the DoD’s Defense Federal Acquisition Regulation Supplement (“DFARS”) rule, in effect since August 2015, which outlines “enhanced safeguarding for certain sensitive DOD information” as it pertains to contractor systems. The Federal Acquisition Regulation (“FAR”) rule, effective June 15, 2016, does not:
- Provide any mandatory cyber-incident reporting requirements or other elements or provisions related to cyber-incident response, analysis, or data collection.
- Require Federal contractors governed only by this cybersecurity rule (as opposed to the DFARS rule) to provide DoD with access to additional information or equipment necessary to conduct a forensic analysis in the event of a cyber incident.
- Require Federal contractors to meet the full set of controls from National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, the standard governing most systems covered by the DFARS rule.
- Specifically address cloud computing or prescribe any controls or requirements that directly address the use of cloud solutions.
As a result of the revised rule, a considerable number of contractor IT systems must now be evaluated and reviewed for compliance with the newly required safeguards. Any contractor or consultant whose systems hold “Federal contract information” will need to apply the following 15 security controls:
Figure 1: Mapping of basic safeguarding requirements to NIST SP 800-171
| Basic safeguarding requirements | NIST SP 800-171 section(s) |
|---|---|
| 1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices, including other information systems | Access Control, 3.1.1 |
| 2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute | Access Control, 3.1.2 |
| 3. Verify and control/limit connections to and use of external information systems | Access Control, 3.1.20 |
| 4. Control information posted or processed on publicly accessible information systems | Access Control, 3.1.22 |
| 5. Identify information system users, processes acting on behalf of users, or devices | Identification and Authentication, 3.5.1 |
| 6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems | Identification and Authentication, 3.5.2 |
| 7. Sanitize or destroy information system media containing Federal contract information before disposal or release for reuse | Media Protection, 3.8.3 |
| 8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals | Physical Protection, 3.10.1 |
| 9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices | Physical Protection, 3.10.3, 3.10.4, 3.10.5 |
| 10. Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems | System and Communications Protection, 3.13.1 |
| 11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks | System and Communications Protection, 3.13.5 |
| 12. Identify, report, and correct information and information system flaws in a timely manner | System and Information Integrity, 3.14.1 |
| 13. Provide protection from malicious code at appropriate locations within organizational information systems | System and Information Integrity, 3.14.2 |
| 14. Update malicious code protection mechanisms when new releases are available | System and Information Integrity, 3.14.4 |
| 15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed | System and Information Integrity, 3.14.5 |
Covered Contractor Systems
The FAR requires the basic safeguarding clause to be included in solicitations and contracts, including “acquisitions of commercial items other than commercially available off-the-shelf items… when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system.”
Federal contract information is defined as “information, not intended for public release, that is[:]”
- Provided by or generated for the Government
- Under a contract
- For developing or delivering a product or service to the Government
The definition excludes information the Government provides to the public (such as on public websites) and simple transactional information, such as that necessary to process payments.
In turn, a covered contractor information system is “an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information.”
What should you do?
Contractors with covered contractor information systems should, at a minimum, conduct a gap assessment to understand how they stack up against the 15 new requirements and develop remediation plans to address any identified gaps.
For help determining if this new rule applies to your organization or if you would like help ensuring that you meet these 15 new requirements, please contact Neal Beggan.