New cybersecurity requirements for government contractors

May 17, 2016 at 8:30 AM

The Defense Department and General Services Administration are formally releasing the text of a final rule on cybersecurity acquisition requirements for federal contractors to assure "basic safeguarding" of contractor information systems that process, store, or transmit federal contract information.

DOD and GSA announced in a May 16 Federal Register notice that the final rule will go into effect in 30 days. NASA also contributed to the rulemaking.

As Inside Cybersecurity reports:

The minimum security control standards will apply to any contractor system containing federal information, according to the final rule, and are "just one step in a series of coordinated regulatory actions being taken or planned to strengthen protections of information systems."

The new acquisition requirements will be complemented by acquisition guidance being developed by the Office of Management and Budget, as well as guidance from the National Archives and Records Administration.

The final rule covers controls to safeguard entire contractor information systems, rather than just specific information contained in such systems. Further, it clarifies that the acquisition requirements do not relieve contractors from complying with other specific safeguarding requirements established by other federal agencies.

DOD and GSA in 2014 issued a report recommending the development of baseline cybersecurity requirements as a condition of defense contract awards. It also recommended addressing cybersecurity in training, developing common definitions for cybersecurity for acquisitions, and instituting federal acquisition cyber risk management strategies.

The release of the DOD-GSA rules comes as the Office of Management and Budget has fallen behind on its own cyber guidance for federal contractors. In March, Inside Cybersecurity reported that OMB was several months behind its self-imposed deadline for issuing a final version of its own contractor cyber guidance.

DOD is also working on cyber incident reporting requirements, which have raised many concerns among industry stakeholders, who have said that the proposed rule contains "overly broad and unworkable" requirements for reporting cyber incidents.
