One of the things that’s become clear in the aftermath of the cyber breaches at the Office of Personnel Management is a lack of consistent standards for how contractors are securing their systems when dealing with government data and when they should notify agencies if a problem occurs.
The Chief Information Officers Council and the Chief Acquisition Officers Council just released new guidance on protecting non-sensitive information from federal contractors. The guidance would require that contractors follow National Institute of Standards and Technology (NIST) Special Publication 800-171 for protecting their information. The Office of Management and Budget is asking agencies and vendors for feedback. Final guidance is expected later in the fall.
Jeremy Grant, managing director at the Chertoff Group and former director of the National Strategy for Trusted Identities in Cyberspace at NIST, told In Depth with Francis Rose recently that the developing cybersecurity guidance for contractors was a logical step to take.
“Given that the federal IT ecosystem extends well beyond just federal systems, but to also encompass a variety of partners in the contractor world, there’s no better lever at the end of the day to drive change among what contractors are doing in terms of how they’re touching our security in government than through the acquisition process,” he said. “What the government is doing here really is saying, ‘If you want to do business with us, this is the threshold that you’re going to have to meet in terms of how you handle cybersecurity.'”
Addressing the role contractors play in securing government data is long overdue, Grant added.
“Especially in this post-OPM environment that we’re in, I think it’s going to be hard to argue much against it,” he said. “But look, the one thing I will point out is that every time there’s a mandate that then comes down on the vendors that are doing business with the government, it does get built into the cost of doing business and then that in turn ends up flowing back to the government in terms of cost.”
Rather than just passing the costs back to the government, Grant hopes that contractors will use this opportunity to look for new efficiencies in how they build their systems. For example, this could push more firms into the cloud.
“If you’re a small firm, are you going to try to build your own network and harden it in order to meet these requirements?” he asked. “Or are you going to go out there and buy this as a service? There are cloud providers out there today who are going to deliver these kinds of solutions and probably going to do it in a way that’s going to be more cost effective than what some firms might be doing with legacy networks today.”
Agencies play a role in evaluating contractors’ cybersecurity
OMB’s guidance is seeking feedback on five requirement areas:
Cyber incident reporting
Information systems security assessments
Information security continuous monitoring
The first four requirements focus on the actual practices of contractors, but the final one, due diligence, seeks insight on how agencies are evaluating the vendors from which they’re buying.
“It’s not to say that agencies aren’t doing that today, but I think what you’re seeing from here is a message from OMB and the CIO Council that where it is being done, it’s inconsistent,” Grant said. “There aren’t standard practices and some agencies are better than others. This is about putting a baseline in place to make sure that we’re really checking out who some of these firms are.”
The idea of “risk management” has floated around in discussions on cybersecurity over the last few years. With this guidance, risk management has moved to the center of that discussion.
Nick Nayak, former chief procurement officer at the Homeland Security Department, told In Depth this shift in prominence for risk management makes a lot of sense.
“When you think of cybersecurity, it seems like it’s going to be impossible to get 100 percent protection 100 percent of the time in cyberspace,” he said. “Therefore, there’s always going to be risk. And if there’s going to be risk then what some of the strategies with helping with cybersecurity will have to do with risk management.”
It’s no longer sufficient for an agency to be able to fend off attacks from random hackers. Nation states now have the ability to launch cyber attacks against government systems. That means evaluating risks in government and contractor systems.
“No matter what we do and how fast we move, we have to just remember, there are people every day, 24 hours of a day, with all kinds of resources trying to hack our critical infrastructure and, frankly, everything else,” Nayak said. “It’s going to take a huge shared effort between government and the private sector.”