
Government budget agency drafts contractor cybersecurity guidelines

The Office of Management and Budget (OMB) proposed new cybersecurity guidelines earlier this week to help government agencies draft contracts with third-party groups.

Its suggestions, titled “Improving Cybersecurity Protection in Federal Acquisitions,” aim to “take major steps toward implementing strengthened cybersecurity protections in federal acquisitions and therefore mitigating the risk of potential incidents in the future,” OMB wrote. The policy will apply to “information collected or maintained by or on behalf of an agency,” the draft stated.

The agency based many of its guidelines around those of the National Institute of Standards and Technology (NIST). In particular, portions of OMB's proposal mirror NIST's June release, “Security and Privacy Controls for Federal Information Systems and Organizations” (NIST SP 800-53).

Contractors that enter into an agreement with the government will be subject to compliance reviews. OMB said it will use “security assessments” to confirm that contractors are maintaining strong security.

That said, Christian Henel, a government contracts attorney at Thompson Hine, said the enforcement wording is vague.

“[The guidelines do] provide for government monitoring of contractors' security capabilities,” he said. “It's not clear how that's going to be done.”

He went on to say that third parties or self-reporting might be used, but at the same time, the government will likely be “significantly” involved in contractor monitoring.

These guidelines might be met with a mixed reaction, Henel said, as some contractors might see more regulation as a burden, whereas others might feel relieved to have “advanced warning and know what the agency clauses say.”

Generally, “OMB wants to make sure there are minimum requirements for contractors, [especially] when they report cyber incidents that could result in a breach of government information.”

For instance, the proposal says that “at a minimum,” agency contracts should define the phrase “cyber incident,” have a set reporting timeline and clarify what information should be included in that report, among other factors.

The proposed draft is on GitHub and available for comments until September 10. The agency hopes to have a final policy in the fall.
