The Importance of Cyber Hygiene in Government Contracts
If you have a government contract such as the GSA Multiple Award Schedule (MAS), or are thinking about getting one, good cyber hygiene is key. Of course, every company wants to avoid cyber attacks and hacking, but it’s important when you are selling to the federal government to have certain practices in place to proactively safeguard your network.
It’s no secret that security breaches are a frequent occurrence, and they affect both the private and public sector almost daily. As this continues, the federal government will continue to add regulations to try to mitigate its exposure. Since contractors can handle Controlled Unclassified Information (CUI), they are bound by regulations to protect their networks. Let’s talk about some current regulations and how you can improve your cyber hygiene.
Cybersecurity Regulations for Contractors
First, let’s highlight a few important regulations that affect government contractors so we can better understand the landscape.
FAR Clause 52.204-21
The first one we’ll cover is Federal Acquisition Regulation (FAR) clause 52.204-21. This clause is added into solicitations and requires contractors to apply basic safeguarding requirements and procedures to protect their contractor information systems. Examples of these requirements are:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Identify information system users, processes acting on behalf of users, or devices.
- Control information posted or processed on publicly accessible information systems.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
The full list can be found in the FAR.
NIST SP 800-171 and CMMC
The National Institute of Standards and Technology (NIST) 800-171 applies to all contractors who are processing or storing sensitive unclassified information on behalf of the government. This often includes contractors within the Defense Industrial Base (DIB), universities, and research institutions providing services to government agencies. This standard consists of 110 requirements, each one addressing different areas of your organization’s IT, policy, and practices.
You may have heard the term come up in the last few years: the final rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 is expected to come out in the fall of 2023 (although we aren’t holding our breath on this one). CMMC was created to ensure contractors are abiding by the NIST requirements.
Tips for Cybersecurity Hygiene
Below are some tips to keep your network strong and compliant. Some of these tips incorporate rules and regulations that are already required as a government contractor, but may be difficult to keep up with.
Understand Regulatory Requirements
First and foremost, it’s important to be aware of cybersecurity standards set by the government, such as NIST 800-171, FAR 52.204-21, the Defense Federal Acquisition Regulation Supplement (DFARS), and the Federal Information Security Modernization Act (FISMA). These regulations provide a baseline for security practices and should be viewed as useful resources, not just intimidating regulations to adhere to. If you don’t understand these regulations, contact your consultant or your lawyer to get a better idea of what you need to be doing to keep up with your cyber hygiene.
Regular Cybersecurity Audits
We suggest you have systems in place to conduct periodic security assessments to identify vulnerabilities in your IT infrastructure. You can employ third-party assessors if needed, or if required once CMMC 2.0 is officially rolled out.
Employee Training
Sometimes your employees can turn into a weak spot, especially if they are not up to date on the latest regulations and practices. To reduce this risk, you should regularly train employees on security best practices. In these sessions you can ensure they are equipped to recognize and respond to phishing attempts and other threats, and that they know how your internal security systems operate.
Implement Multi-Factor Authentication (MFA)
Most sites you need to access as a contractor (through login.gov) require Multi-Factor Authentication (MFA). You can also look into requiring MFA for accessing sensitive internal data or systems. This adds an extra layer of security, ensuring that even if passwords are compromised, attackers can't gain easy access.
Implement a Zero Trust Model
In Executive Order 14028 on Improving the Nation’s Cybersecurity, the federal government has been pushing agencies to adopt zero trust cybersecurity practices. This means assuming that no one, inside or outside your organization, is trusted by default. As a result, you should always verify and authenticate before granting access.
Maintaining Consistent Practices for Your GSA Schedule
Keeping up with cybersecurity practices is one important step to having a successful GSA Schedule contract. If you want to learn more about cybersecurity for government contractors, check out these blogs:
- Top Cybersecurity Requirements for Government Contractors
- Cybersecurity Resources and Programs for GSA Contractors
Other practices within contract maintenance include sales reporting, modifications, and keeping your pricelist up to date. If you need help with your GSA Schedule, or are interested in getting one, our consulting experts would be happy to assist you.