The General Services Administration (GSA) is responsible for making sure contractors remain compliant with the government’s cybersecurity policies, which help to ensure the resilience of government systems and networks. To do business with the government, it’s important to understand the current Federal Acquisition Regulation (FAR) and other government regulations, which are designed to prevent the compromise of sensitive government information.
Federal contractors, like government agencies, are frequent targets of cyberattacks because of their access to sensitive federal information, data, and software. Staying compliant with the FAR and related regulations will enable your organization to better defend against cyberattacks and help prevent leakage of sensitive government information. Here are the top 4 cybersecurity requirements you should follow as a government contractor.
In recent years, several federal agencies including the Department of Defense (DoD) have issued acquisition regulations that impose new cybersecurity requirements on contractors. The top four requirements that your organization should be familiar with are listed below:
Given the highly technical nature of each one of these regulations, policies, and emerging trends, it’s important to review each one of these subjects in detail.
The Federal Information Security Modernization Act (FISMA) of 2014 was enacted to update the federal government’s cybersecurity practices. The main goal of FISMA is to:
If you are a contractor in the federal marketplace, you should be especially familiar with FAR 52.204-21, which is the Basic Safeguarding of Covered Contractor Information Systems. The main objective of FAR 52.204-21 is to have contractors follow basic safeguarding requirements and procedures to protect covered contractor information systems. Requirements and procedures for basic safeguarding of covered contractor information systems shall include, at a minimum, the following security controls:
DFARS clause 252.204-7012 is emerging as one of the most relevant cybersecurity requirements for federal contractors. Established under Executive Order 13556, DFARS 252.204-7012 requires contractors and subcontractors to:
NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. NIST 800-171 requires contractors to protect controlled unclassified information in nonfederal systems and organizations. For more information on NIST 800-171, see NIST Special Publication SP 800-171.
It's important to note that the current NIST framework was used to create the building blocks for the Cybersecurity Maturity Model Certification (CMMC). CMMC, which is now CMMC 2.0, serves as an extension of DFARS 252.204-7012 by adding the certification process as a verification for meeting FAR cybersecurity requirements.
Depending on the nature of the business your organization may be seeking, agencies or Contracting Officers may require a certain level of CMMC prior to awarding a contract. Right now, CMMC is aimed at businesses in the Defense Industrial Base (DIB), but several solicitations and contract vehicles may require it in the future. However, the official guidance is still in the works. More information on CMMC, and the process for attaining certification, can be found on the Cyber AB site and the Acquisition and Sustainment webpage on CMMC FAQs.
Following cybersecurity requirements is just the beginning of successfully managing your GSA Schedule. It can be a lot to keep up with from clauses to modifications and sales reporting, but it’s rewarding to be a part of a unique marketplace. If you would like to know more about how your organization can meet contract compliance requirements, or would like to know more about attaining a GSA contract, Winvale is here to help!