Alert

Office of Management and Budget Releases Proposed Cybersecurity Guidelines for Government Contractors

August 14, 2015

The Office of Management and Budget (OMB) released proposed guidance designed to take “major steps” to improve cybersecurity in Federal acquisitions. The proposed guidance, available here, requires that government contractors who collect or maintain information on behalf of a federal agency implement additional cybersecurity practices, including certain security controls, incident reporting, security assessments, and system monitoring.

The proposed guidance is different for systems that are “operated on behalf” of the government and a contractor’s internal system that is used to provide a product or service to the government. Under the proposed guidance, systems that are operated on behalf of the government and use Controlled Unclassified Information (CUI) will be required to meet the “moderate baseline” security controls established by National Institute of Standards and Technology (NIST) SP 800-53. A contractor’s internal system, however, will not have to meet all of the requirements of NIST SP 800-53. Rather, contractors who collect or maintain CUI on their own internal system will have to comply with NIST SP 800-171, which governs handling CUI.

The proposed guidance also requires reporting cyber incidents that affect a system that is operated on behalf of the government. Under the proposed guidance, contractors would have to report cyber incidents on their own internal systems if the cyber incident affected CUI. In addition, the proposed guidance would require that contractors undergo system security assessments. Depending on the nature of government information that is on the system, the security assessments may be as simple as a statement of compliance by the contractor or as onerous as a detailed description and analysis of the system’s security controls.

Under the proposed guidance, contractors that maintain or collect information on behalf of a federal agency would also be required to use software capable of continuously monitoring their network for cybersecurity vulnerabilities. The proposed guidelines did not mandate the use of any specific monitoring software. Rather, contractors may be required to use the Continuous Diagnostics and Mitigation (CDM) program created by the Department of Homeland Security, use their own monitoring software if it meets certain standards, or use monitoring software selected by the contracting agency.

Lastly, the proposed guidance tasks the General Services Administration (GSA) with maintaining a “business due diligence information shared service.” The stated goal of the due diligence service would be to allow agencies to have access to “comprehensive information about current and prospective contractors and subcontractors” in order to assess the contractor’s potential cybersecurity risk.

Comments on the proposed guidance are due by September 10, 2015. OMB stated it intends to publish the final guidance in the fall of 2015.

Read Time: 2 min
Jump to top of page

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek