Phone: (202) 296-5505 Email:

New Call-to-action

 Back to all posts

The Importance of Cyber Hygiene in Government Contracts Blog Feature
Stephanie Hagan

By: Stephanie Hagan on October 26th, 2023

Print/Save as PDF

The Importance of Cyber Hygiene in Government Contracts

Government | Technology | 4 Min Read

If you have a government contract such as the GSA Multiple Award Schedule (MAS), or are thinking about getting one, good cyber hygiene is key. Of course, every company wants to avoid cyber attacks and hacking, but it’s important when you are selling to the federal government to have certain practices in place to proactively safeguard your network.

It’s no secret that security breaches are a frequent occurrence, and they affect both the private and public sector almost daily. As this continues, the federal government will continue to add regulations to try to mitigate and lessen its exposure. Since contractors can handle Controlled Unclassified Information (CUI), they are bound by regulations to protect their networks. Let’s talk about some current regulations and how you can improve your cyber hygiene.

Cybersecurity Regulations for Contractors

First, let’s highlight a few important regulations that affect government contractors so we can better understand the landscape.

FAR Clause 52.204-21

The first one we’ll cover is Federal Acquisition Regulation (FAR) clause 52.204-21 this is a clause that is added into solicitations, and requires contractors to apply basic safeguarding requirements and procedures to protect their contractor information systems. Examples of these requirements are:

  • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  • Identify information system users, processes acting on behalf of users, or devices.
  • Control information posted or processed on publicly accessible information systems.
  • Monitor, control, and protect organizational communications. (e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

The full list can be found in the FAR.

NIST SP 800-171 and CMMC

The National Institute of Standards and Technology (NIST) 800-171 applies to all contractors who are processing or storing sensitive unclassified information on behalf of the government. This often includes contractors within the Defense Industrial Base (DIB), universities, and research institutions providing services to government agencies. This standard consists of 110 requirements, each one addressing different areas of your organization’s IT, policy, and practices.

You may have heard this term come up in the last few years, but the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 is expected to come out in the fall of 2023 (although we aren’t holding our breath on this one), and it was created to ensure contractors are abiding by NIST regulations.

Tips for Cybersecurity Hygiene

Below are some tips to keep your network strong and compliant. Some of these tips incorporate rules and regulations that are already required as a government contractor, but may be difficult to keep up with.

Understand Regulatory Requirements

First and foremost, it’s important to be aware of cybersecurity standards set by the government, such as NIST 800-171, FAR 52.204-21, the Defense Federal Acquisition Regulation Supplement (DFARS) or the Federal Information Security Modernization Act (FISMA). These regulations often provide a baseline for security practices and should be viewed as useful resources, and not just intimidating regulations to adhere to. If you don’t understand these regulations, contact your consultant or your lawyer to have a better idea of what you need to be doing to keep up with your cyber hygiene.

Regular Cybersecurity Audits

We suggest you have systems in place to conduct periodic security assessments to identify vulnerabilities in your IT infrastructure. You can employ third-party experts if needed, or required (when CMMC 2.0 is officially rolled out).

Employee Training

Sometimes your employees can turn into a weak spot, especially, if they are not updated on all the latest regulations and practices. To avoid this risk, you should regularly train employees on security best practices. In these sessions you can ensure they are equipped to recognize and respond to phishing attempts and other threat, as well as know how your internal security systems operate.

Implement Multi-Factor Authentication (MFA)

Most sites you need to access as a contractor (through require Multi-Factor Authentication (MFA). You can also look into requiring MFA for accessing sensitive internal data or systems. This adds an extra layer of security, ensuring that even if passwords are compromised, attackers can't gain easy access.

Implement a Zero Trust Model

In Executive Order 14028 on Improving the Nation’s Cybersecurity, the federal government has been pushing agencies to adopt zero trust cybersecurity practices. This means to assume that no one, inside or outside your organization, is trustworthy by default. And as a result, you should always verify and authenticate before granting access.

Maintaining Consistent Practices for Your GSA Schedule

Keeping up with cybersecurity practices is one important step to having a successful GSA Schedule contract. If you want to learn more about cybersecurity for government contractors, check out these blogs:

Other practices within contract maintenance include sales reporting, modifications, and keeping your pricelist up to date. If you need help with your GSA Schedule, or are interested in getting one, our consulting experts would be happy to assist you.

A Complete Checklist for Maintaining Your GSA Schedule CTA


About Stephanie Hagan

Stephanie Hagan is the Training and Communications Manager for Winvale. Stephanie grew up in Sarasota, Florida, and earned her Bachelor's of Arts in Journalism and Rhetoric/Communications from the University of Richmond.