Top Cybersecurity Requirements for Government Contractors
We've learned in the past few years that cybersecurity scams are on the rise, and they aren't as simple as the infamous "gift cards for your boss" gimmick. Bad actors have become more skilled at phishing and hacking, making it more important than ever to have a strong cybersecurity posture. As a government contractor, you inevitably handle sensitive government information, data, and software, so there are certain government regulations you have to follow to defend your network against compromise.
Keeping compliant with the Federal Acquisition Regulation (FAR) and related requirements will mitigate the risk of cyberattacks and prevent leakage of sensitive government information. Here are the top cybersecurity requirements you should keep in mind as a federal government contractor.
Top Cybersecurity Requirements for Contractors
In recent years, several federal agencies including the Department of Defense (DoD) have issued acquisition regulations that impose new cybersecurity requirements on contractors. The top requirements that your organization should be familiar with are listed below:
- FAR 52.204-21
- Federal Information Security Modernization Act (FISMA)
- DOD Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012
- NIST 800-171
- CMMC
Given the highly technical nature of each one of these regulations, policies, and emerging trends, it’s important to review each one of these in detail.
FAR 52.204-21—Basic Safeguarding of Covered Contractor Information Systems
If you are a contractor in the federal marketplace, you should be especially familiar with FAR 52.204-21, which is the Basic Safeguarding of Covered Contractor Information Systems. At a minimum, GSA Schedule contractors are required to meet 15 basic security controls outlined in FAR 52.204-21 and the procedures to protect their covered contractor information systems.
These requirements and procedures shall include, at a minimum, the following security controls:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
The Federal Information Security Modernization Act (FISMA)
The Federal Information Security Modernization Act (FISMA) of 2014 was created to establish a framework for the federal government’s cybersecurity practices, especially as it relates to the Executive Branch. FISMA applies to all federal agencies and to government contractors if they operate federal systems, such as providing a cloud-based platform. The main goals of FISMA are to:
- Codify Department of Homeland Security (DHS) authority to administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems.
- Amend and clarify the Office of Management and Budget's (OMB) oversight authority over federal agency information security practices.
- Require OMB to amend or revise OMB A-130 to "eliminate inefficient and wasteful reporting."
Contractors can maintain compliance with FISMA in-house by following the assessment procedures defined in National Institute of Standards and Technology (NIST) Special Publication 800-53, or they can work with a third-party Managed Security Services Provider (MSSP).
Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012
DFARS clause 252.204-7012 is emerging as a very relevant cybersecurity requirement for federal contractors. Established under Executive Order 13556, DFARS 252.204-7012 requires contractors and subcontractors to:
- Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network.
- Report cyber incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor’s ability to perform requirements designated as operationally critical support.
- Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
- If requested, submit media and additional information to support damage assessment.
- Flow down the clause in subcontracts for operationally critical support, or for which subcontract performance will involve covered defense information.
NIST 800-171
NIST SP 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. NIST 800-171 requires contractors to protect controlled unclassified information in nonfederal systems and organizations. For more information on NIST 800-171, please visit the latest revision on the NIST website.
Cybersecurity Maturity Model Certification (CMMC)
It's important to note that the current NIST SP 800-171 framework was used to create the building blocks for the Cybersecurity Maturity Model Certification (CMMC) program. CMMC was created as a way to verify that contractors in the Defense Industrial Base (DIB) are meeting NIST guidelines for protecting Federal Contract Information (FCI) and CUI.
Depending on the nature of the business your organization may be seeking, agencies or Contracting Officers may require a certain level of CMMC prior to awarding a contract. Right now, CMMC applies to businesses in the Defense Industrial Base (DIB), but agencies may start requiring it in future contract vehicles or solicitations.
The CMMC Final Rule was published in October 2024 and will be in effect on December 16, 2024. The DoD has also issued a draft rule on how CMMC will be implemented in future solicitations.
Keeping Up with Your GSA Schedule
Following cybersecurity requirements is just the beginning of successfully managing your GSA Schedule. GSA Schedule maintenance can be a lot to keep up with, from sales reporting to modifications and Contractor Assessment Visits (CAVs), but it’s rewarding to be part of such a booming marketplace. Need help with your contract? If you would like to learn more about staying on top of your GSA Schedule or need help identifying ways you can optimize your offerings, Winvale is here to help!