Thousands of Federal contractors could find themselves scrambling to comply with stringent cybersecurity requirements after the General Services Administration (GSA) announced it is tightening the rules for protecting sensitive, non-classified data.
The GSA cybersecurity requirements mandate that contractors protect unclassified information from cybersecurity vulnerabilities in accordance with the Federal Information Security Modernization Act (FISMA) and National Institute of Standards and Technology (NIST) requirements. In addition, the GSA is tightening its requirements for the reporting of cybersecurity breaches.
The rules cover internal contractor systems, external contractor systems, cloud systems, and mobile systems. The public comment period on the new requirements runs from April to June of 2018.
According to Kevin Corbett, director of Federal sales at CyberArk, “The new rule requires contractors that work with the GSA to demonstrate adequate security on all covered contractor information systems. Given the information that government contractors may hold based on their work with agencies, this is an important step to ensure that sensitive information is protected no matter where it resides. Contractors will now have to demonstrate that their servers, infrastructure, applications, and anywhere else government data may reside, are secure.”
In the guidance provided, contractors are directed to focus on the 110 security requirements set forth in NIST SP 800-171. Controlling and monitoring access to privileged accounts are central components of these requirements and, more importantly, critical components in maintaining a strong security posture. Privileged accounts are the most powerful accounts in any organization, providing broad access to systems and devices. Those credentials are increasingly sought out, stolen, and exploited in successful cyberattacks. Securing access to these accounts across all platforms and system types is fundamental to adequate security, noted Corbett.
While there are still questions about how compliance will be assessed, acquisition regulations require contractors to put a security plan in place that demonstrates how they’ll work toward implementing the NIST SP 800-171 requirements. Corbett explained that this means contractors will have to show how they’re going to discover, secure, manage, and control access to all privileged accounts. This includes privileged accounts used to access operating systems, databases, and network devices, as well as credentials embedded in applications. The Federal 30-Day Cybersecurity Sprint launched by OMB in the wake of the Office of Personnel Management breach, which prioritized tightening privileged-user controls, is a good framework for contractors looking to rapidly comply with the new standards.
The GSA’s announcement comes on the heels of the Department of Defense’s (DoD) notice in October 2016, that it was requiring all military contractors to comply with NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
What is NIST 800-171?
The basic concept is that unclassified information needs the same level of protection whether it resides in a governmental or non-governmental system. The point is to apply security policies in a consistent way across Federal and non-Federal systems.
The 81-page NIST 800-171 publication provides a consistent set of security requirements, organized into 14 families, that cover everything from access control and incident response to awareness and training.
DoD contractors had until the end of 2017 to get into compliance, and “many defense contractors were caught flatfooted by DoD’s similar requirement and found themselves scrambling to come into compliance to meet DoD’s deadline,” said Jonathan E. Meyer, former deputy general counsel at the Department of Homeland Security and currently a partner in the Government Contracts, Investigations & International Trade practice group of Sheppard, Mullin, Richter & Hampton, LLP.
Meyer went on to say that expanding NIST 800-171 to cover all government contractors “will be a very significant development.” He points out that “while DoD is by far the largest single customer of contractor services, the broader contracting community is huge, and tends to be less security focused than DoD. This means we’re looking at an even larger scramble to meet any deadline the Federal Acquisition Regulation (FAR) sets.”
GSA Following DoD
Specifically, the GSA is proposing to update the General Services Acquisition Regulation (GSAR) on cybersecurity requirements and reporting. Integrating these requirements into the formal GSAR allows the GSA to receive public comments during the rulemaking process.
The new rule will require that contractors incorporate applicable GSA cybersecurity requirements into the statement of work to ensure compliance.
In terms of reporting, the rules establish a contractor’s responsibility to report any cyber incident in which the confidentiality, integrity, or availability of information is potentially compromised, and they set timeframes and specific procedures for reporting such incidents. There are additional rules for cyber incidents involving personally identifiable information.
“On the flip side, the more time passes, the more companies generally–and contractors in particular–are adopting 800-171 voluntarily as a best practice, or as a marketing asset,” Meyer added.