Top Cybersecurity Requirements for Government Contractors

The General Services Administration (GSA) is responsible for making sure contractors remain compliant with the government’s cybersecurity policies, which help to ensure the resilience of government systems and networks. To do business with the government, it’s important to understand current Federal Acquisition Regulations (FAR) and other government regulations, which defend against compromising sensitive government information.

Federal contractors, as with government agencies, are often subject to cyberattacks due to access to sensitive federal information, data, and software. Keeping compliant with the FAR and related regulations will enable your organization to better defend against cyberattacks and aid in the prevention of leakage of sensitive government information. Here are the top 4 cybersecurity requirements you should follow as a government contractor.

Specific Cybersecurity Requirements for Contractors

In recent years, several federal agencies including the Department of Defense (DoD) have issued acquisition regulations that impose new cybersecurity requirements on contractors. The top four requirements that your organization should be familiar with are listed below:

• Federal Information Security Modernization Act (FISMA)
• FAR 52.204-21
• DOD Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012
• NIST 800-171; Migration to CMMC (2.0)

Given the highly technical nature of each one of these regulations, policies, and emerging trends, it’s important to review each one of these subjects in detail.

The Federal Information Security Modernization Act

The Federal Information Security Modernization (FISMA) Act of 2014 was enacted to update the federal government’s cybersecurity practices. The main goal of FISMA is to:

• Codify Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems.
• Amend and clarifying the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices.
• Require OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting.

FAR 52.204-21—Basic Safeguarding of Covered Contractor Information Systems

If you are a contractor in the federal marketplace, you should be especially familiar with FAR 52.204-21, which is the Basic Safeguarding of Covered Contractor Information Systems. The main objective of FAR 52.204-21 is to have contractors follow basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:

1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. Verify and control/limit connections to and use of external information systems.
4. Control information posted or processed on publicly accessible information systems.
5. Identify information system users, processes acting on behalf of users, or devices.
6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
12. Identify, report, and correct information and information system flaws in a timely manner.
13. Provide protection from malicious code at appropriate locations within organizational information systems.
14. Update malicious code protection mechanisms when new releases are available.
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012

DFARS clause 252.204.7012 is emerging as a very relevant form of cybersecurity requirement for federal contractors. Established under Executive Order 13556, DFARS 252.204-7012 requires contractors and subcontractors to:

• Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network.
• Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support.
• Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
• If requested, submit media and additional information to support damage assessment
• Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information.

NIST 800-171 and the Migration to CMMC 2.0

NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. NIST 800-171 requires contractors to protect controlled unclassified information in nonfederal systems and organizations. For more information on NIST 800-171, please visit the following NIST Special Publication SP 800-171.

It's important to note that the current NIST framework was used to create the building blocks for the Cybersecurity Maturity Model Certification (CMMC). CMMC, which is now CMMC 2.0, serves as an extension of DFARS 252.204-7012 by adding the certification process as a verification for meeting FAR cybersecurity requirements.

Depending on the nature of the business your organization may be seeking, agencies or Contracting Officers may require this a certain level of CMMC prior to awarding a contract. Right now, CMMC is aimed at businesses in the Defense Industrial Base (DIB), but several solicitations and contract vehicles may be requiring it in the future. However, the official guidance is still in the works. More information on CMMC, and the process for attaining certification can be found on the Cyber AB site and the Acquisition and Sustainment webpage on CMMC FAQs.

GSA Schedule Compliance

Following cybersecurity requirements is just the beginning of successfully managing your GSA Schedule. It can be a lot to keep up with from clauses to modifications and sales reporting, but it’s rewarding to be a part of a unique marketplace. If you would like to know more about how your organization can meet contract compliance requirements, or would like to know more about attaining a GSA contract, Winvale is here to help!