With more government contractors adopting cloud solutions for their businesses, the importance of maintaining security regulations has become more pressing.
At the “Deltek Network and Check-in on New Cloud Adoption Regulation” conference held in Tyson’s Corner on 4 February 2016, key industry experts discussed the merits of compliance with new government cybersecurity standards.
The meeting’s key takeaways were unsurprising: contractors remain vulnerable to attack, government cybersecurity regulations are evolving and demand contractor compliance, and every business that does cloud computing for the government is (or will be) affected by both.
As a systems engineering and analysis firm located just down the street from the White House in Washington, DC, BluestoneLogic operates almost entirely on a cloud-computing basis, and because of that, data security is our top priority. We believe that the Federal Government would benefit from making a change and working directly from the cloud for most, if not all, of their efforts.
But this is Washington, DC — and here, change almost always means breaking through a few layers of bureaucratic red tape, especially when trying to prove that taking a risk will reap big rewards.
As more contractors are using cloud computing for their businesses, however, the Federal Government is taking notice and revising current cloud computing regulations. The only issue: They’re playing defense.
2015 Survey Findings
According to conference speakers Michael Cullen and Michael Wright from the accounting and advising firm Baker Tilly:
- 89% of cybersecurity survey respondents had experienced some form of intrusion-related security challenge.
- 47% of respondents had suffered a physical or virtual breach.
5 Things Government Contractors Need to Know About Cybersecurity
1. What is Federal Information?
Controlled Unclassified Information (CUI) is unclassified information that the government creates or possesses, or that a contractor handles on its behalf, and that law, regulation, or government-wide policy requires to be safeguarded. The term is used across civilian (non-DoD) agencies. Examples include critical infrastructure information, financial data, personal data, and proprietary business information.
Covered Defense Information (CDI) is the Department of Defense’s equivalent category, defined in DFARS 252.204-7012. Examples include controlled technical information, critical information (operations security), and export-controlled information.
2. Recent Guidance
In June 2015, the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce (DoC) published the final version of its guidelines to ensure that confidential and sensitive federal information remains protected and secure when stored in non-federal information systems and organizations.
The document, SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”:
- Is intended for use by federal agencies in appropriate contractual vehicles established between those agencies and contractors.
- Describes 109 security requirements across 14 requirement families.
- Provides a mapping to the controls of NIST SP 800-53, Revision 4, and ISO/IEC 27001.
The Department of Defense (DoD) also published the “Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS 2013-D018),” which:
- Provides new requirements for safeguarding CDI and for cyber incident reporting.
- Directly references NIST SP 800-171 as the compliance baseline.
- Requires contractors to implement NIST SP 800-171 by 31 December 2017 and, as of December 2015, to report any security requirements not yet implemented to the DoD CIO within 30 days of contract award.
Lastly, the Office of Management and Budget (OMB) published a draft entitled “Improving Cybersecurity Protections in Federal Acquisitions,” which was open to public comment for a limited period ahead of final publication. The draft:
- Focuses on incident reporting and notification, information system assessments, and information security continuous monitoring.
- Is still under review; final publication is pending.
3. Who is impacted?
All contractors who handle CUI or CDI are affected by recent guidance and legislation (or soon will be). Contractors are also responsible for ensuring that their subcontractors are in compliance with these new and/or revised guidelines.
4. Why Should Contractors Care?
According to Cullen and Wright, it’s not a matter of “if,” but rather “when” a cybersecurity attack will harm a government contractor. A cybersecurity attack will impact a contractor’s reputation, financial decisions, and operations.
5. Call to Action: Five Steps
- Inventory all existing contracts.
- Understand the security requirements each contract already imposes.
- Assess the current state of your security controls against those requirements.
- Develop an implementation plan to close the gaps.
- Engage third parties where independent assessment or specialist help is needed.
Challenges remain as contractors continue to conduct cloud-computing work on behalf of their government customers.
Aside from maintaining data security and access control, recruiting and retaining qualified talent remains an increasingly important cybersecurity issue for contractors. Contractors must keep re-engineering their solutions and developing their staff to prepare for cyber attacks.
It also appears that further discussion is needed about who is responsible for the systems engineering behind both the regulations and the solutions. BluestoneLogic continues to provide systems engineering expertise and industry analysis to strategize the right solutions for our customers, using the most secure tools and methods.
Just as cybersecurity attacks are inevitable, so is the creation of new systems and methods to counter them. Remaining compliant with regulations and staying secure are important components of our process — but so is innovation. Regulating the use of cloud computing and data security should help contractors stay vigilant, but it shouldn’t discourage the continued use and improvement of cloud computing and the systems engineering behind it.
By Nina M. Dejesus