New cybersecurity requirements for government contractors

Effective June 15, 2016, a new rule recently published by the US Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) will require federal government contractors to apply 15 basic cybersecurity safeguarding requirements and procedures to protect their information systems. All safeguarding requirements are based on security requirements published in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

Applicability

The new rule amends the Federal Acquisition Regulation (FAR) by adding requirements for “basic safeguarding” of contractors’ information systems, and applies to covered contractor information systems, which are defined as systems owned or operated by contractors that “process, store, or transmit federal contract information.” The new rule further defines federal contract information as any information “provided by or generated for the government under a contract to develop or deliver a product or service to the government.” Examples of federal contract information include, but are not limited to, financial, export control, agriculture, procurement, and acquisition data. Federal contract information does not include information intended for public release (e.g., publicly accessible website data) or “simple transactional data” (e.g., for billing or payment processing). Additionally, the rule does not apply to commercially available off-the-shelf (COTS) items. Contractors who are resellers of COTS items (e.g., printers, copiers) would not be impacted. Based on the definition and guidance provided for federal contract information, however, most contractors will be impacted by the new rule.

The new rule flows down to subcontractors, but only applies if subcontractors meet the same applicability definitions described above (i.e., they are using covered contractor information systems to process, store, or transmit federal contract information). The new rule also notes that compliance with basic safeguarding requirements will not remove any other regulatory or existing contractual requirements related to safeguarding government information in covered contractor information systems. If determined to be applicable to their operations, contractors should take reasonable measures to implement the necessary controls and become compliant with this new rule.

The requirements

The new rule describes 15 basic safeguarding requirements that applicable contractors must implement. These basic safeguarding requirements map directly to 17 of the 109 security requirements described within NIST SP 800-171. According to the Civilian Agency Acquisition Council and the Defense Acquisition Regulations Council, which reviewed and responded to public comments during its development, the new rule establishes “basic, minimal information system safeguarding standards which federal agencies are already required to follow internally and most prudent businesses already follow as well.” Figure 1 presents the 15 basic safeguarding requirements set forth in the new rule and their mapping to the specific NIST SP 800-171 section(s).

Fitting it all together

How does the new rule relate to other ongoing government information security initiatives? As stated in the Background section of the rule in the Federal Register, this new rule is “just one step in a series of coordinated regulatory actions” that are part of the recent surge in regulatory activity providing guidance intended to help strengthen contractors’ controls and practices around protecting government data. As such, DoD, GSA, and NASA plan to develop additional FAR changes in coordination with the Office of Management and Budget’s recently proposed guidance on “Improving Cybersecurity Protections in Federal Acquisitions,” as well as the National Archives and Records Administration’s (NARA) implementation of the Controlled Unclassified Information (CUI) program and registry in accordance with Executive Order 13556, “Controlled Unclassified Information.”

The requirements in this rule, when compared to other recently released rules around information security requirements, are fairly reasonable and require considerably less effort, judged by the number of controls that must be implemented. As an example, contractors required to comply with DFARS 252.204-7012 must implement 109 controls from NIST SP 800-171, compared to the 17 controls that the new rule requires.

Your next steps

Contractors who own or operate information systems that process, store, or transmit federal contract information should, at a minimum, conduct a gap assessment to understand which requirements they would not meet, and begin remediation planning to address identified gaps. Implementing these basic safeguarding requirements from the new rule is a logical first step for contractors who are not explicitly required by contract to adhere to any information security standards, but who expect to be subjected to new requirements in present or future contracts where they will operate systems that handle government information, particularly if that would include CUI or covered defense information (CDI).

Figure 1: Mapping of basic safeguarding requirements to NIST SP 800-171

| # | Basic safeguarding requirement | NIST SP 800-171 section(s) |
|---|---|---|
| 1 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices, including other information systems | Access Control, 3.1.1 |
| 2 | Limit information system access to the types of transactions and functions that authorized users are permitted to execute | Access Control, 3.1.2 |
| 3 | Verify and control/limit connections to and use of external information systems | Access Control, 3.1.20 |
| 4 | Control information posted or processed on publicly accessible information systems | Access Control, 3.1.22 |
| 5 | Identify information system users, processes acting on behalf of users, or devices | Identification and Authentication, 3.5.1 |
| 6 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems | Identification and Authentication, 3.5.2 |
| 7 | Sanitize or destroy information system media containing federal contract information before disposal or release for reuse | Media Protection, 3.8.3 |
| 8 | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals | Physical Protection, 3.10.1 |
| 9 | Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices | Physical Protection, 3.10.3, 3.10.4, 3.10.5 |
| 10 | Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems | System and Communications Protection, 3.13.1 |
| 11 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks | System and Communications Protection, 3.13.5 |
| 12 | Identify, report, and correct information and information system flaws in a timely manner | System and Information Integrity, 3.14.1 |
| 13 | Provide protection from malicious code at appropriate locations within organizational information systems | System and Information Integrity, 3.14.2 |
| 14 | Update malicious code protection mechanisms when new releases are available | System and Information Integrity, 3.14.4 |
| 15 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed | System and Information Integrity, 3.14.5 |

For more information on this topic, or to learn how Baker Tilly government contractor specialists can help, contact our team.

Sources
Federal Register
OMB
Office of Under Secretary of Defense for Acquisition, Technology and Logistics