Some of the most infamous cyber security breaches of US Federal systems in recent years originated in a prior breach of a contractor's system. Two of the most notable cases are the Office of Personnel Management (OPM) breach, in which officials said the thieves broke in using stolen contractor logins and passwords, and the Lockheed hack.
For its part, the US Government is trying to enforce stronger security controls on contractor systems.
Judging by its recent announcements, it looks like the Government will be able to help after all.
Last week, on August 11, the Office of Management and Budget (OMB) issued draft guidance intended to improve cyber security protections in Federal acquisitions of products and services. By calling for public feedback on GitHub (which is notable in itself), the OMB is trying to reach a broad audience of stakeholders to help further enhance this guidance.
The proposed memorandum provides direction to federal agencies on “implementing strengthened cyber security protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provide access to Controlled Unclassified Information (CUI) on behalf of the Federal government.”
According to the guidance, several security mandates will apply both to systems “operated on behalf of the government” and to “internal contractor systems” that are used to provide a product or service for the government and on which the processing of CUI is incidental to contract performance.
The guidance requires, for the first time, that information systems “operated on behalf of the government” meet NIST SP 800-53 and conform to the same standards as government-operated systems. “Internal contractor information systems” will generally be subject to the requirements described in NIST SP 800-171. More importantly, the guidance makes it clear that the applicable NIST standards only provide “the appropriate baseline” for security controls; as a result, each federal agency will still be required to tailor the NIST standards to meet its own unique “risk management requirements.”
The guidance addresses five areas:
- Security controls
- Cyber incident reporting
- Information system security assessments
- Information security continuous monitoring
- Business due diligence
One of the five requirements is to report “cyber incidents”, which the guidance defines broadly as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein”. This definition differs from the one the Department of Homeland Security (DHS) uses.
According to DHS, a cyber incident is the violation of an explicit or implied security policy. In general, types of activity that are commonly recognized as being in violation of a typical security policy include but are not limited to:
- Attempts (either failed or successful) to gain unauthorized access to a system or its data, including PII related incidents
- Unwanted disruption or denial of service
- The unauthorized use of a system for processing or storing data
- Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent
At any rate, it is just a matter of time until the confusion is cleared up and a single standard is created.
We believe that this is an important step toward improving the overall security of all systems, Federal and civilian, and we expect more agencies to adopt this guidance. It will take some time before all agencies comply with the new requirements. However, it is a step in the right direction.
Ronald Reagan: “the nine most terrifying words in the English language are: I’m from the government and I’m here to help.”