In the wake of the private-sector data breaches at Target and Sony, and the colossal breach at the Office of Personnel Management (OPM) that resulted in the theft of the personnel records of more than 21.5 million federal employees and contractors, the Office of Management and Budget (OMB) issued draft guidance on Tuesday to strengthen cybersecurity protections in federal acquisitions.
OMB’s draft guidance comes on the heels of the National Archives and Records Administration (NARA) proposed rule concerning the designation and control of Controlled Unclassified Information (CUI) and the National Institute of Standards and Technology’s (NIST) Special Publication 800-171, which establishes requirements for protecting CUI in nonfederal information systems and organizations.
All three are efforts to respond quickly to growing concerns about cybersecurity and to cut through the morass of agency-specific regulations and practices used to protect sensitive information. But agencies still appear to retain significant discretion to define appropriate controls. And OMB’s guidance does not appear to invalidate existing agency-specific requirements, such as those imposed on companies contracting with DoD and DHS, even though the stated purpose of the draft guidance is to create a uniform system across executive branch agencies.
Nevertheless, both the NARA proposed CUI rule and OMB’s guidance forecast amendments to the Federal Acquisition Regulation (FAR) that would apply the requirements of the proposed CUI rule, of NIST SP 800-171 and of OMB’s guidance to all contractors. Until such regulations are promulgated, these proposals and recommendations are just that. But what appears inevitable is that the ultimate scheme will require contractors working with the government that generate or otherwise maintain CUI on their own information systems to implement the protections identified in SP 800-171.
NARA Proposed CUI Rule
NARA’s proposed CUI rule implements Executive Order 13556, which President Obama signed in 2010 to “establish an open and uniform program for managing information that requires safeguarding or dissemination controls….” The EO created the CUI program to address the “inefficient, confusing patchwork” of “ad-hoc, agency-specific policies and procedures, and markings” used to safeguard and control this sensitive information. In a nutshell, NARA was designated as the Executive Agent responsible for creating uniform categories and subcategories of CUI to be used throughout the executive branch and for defining how that information is to be protected.
NARA has started the process by defining 23 categories and 82 subcategories of CUI and identifying those that require special or additional safeguarding. But while the proposed rule provides two levels of “safeguarding standards” (“CUI Basic,” the default set agencies must apply to all CUI not designated as CUI Specified, and “CUI Specified,” which carries additional agency-specific requirements), it does not say what the CUI Basic safeguards actually consist of. And although NARA partnered with NIST to develop SP 800-171, the proposed rule mentions the publication only in its regulatory analysis section, not as an explicit requirement of the rule itself. The proposed rule does require agencies handling CUI to comply with Federal Information Processing Standards (FIPS) Publications 199 and 200 and NIST SP 800-53, the security and privacy control standards that apply to federal information systems and organizations (as opposed to nonfederal systems).
NIST SP 800-171
But unlike SP 800-53, which selects a baseline of controls for a federal information system only after the system has been categorized (under FIPS 199) by the potential impact of disclosure, destruction or loss of access to the information it holds, SP 800-171 lists “Basic Security Requirements” drawn from FIPS Publication 200 and additional “Derived Security Requirements” drawn from the security controls in SP 800-53. The Derived Security Requirements do not mirror SP 800-53. Instead, SP 800-171 tailored the controls by eliminating those determined to be uniquely federal, not directly related to protecting the confidentiality of CUI, or expected to be routinely satisfied by nonfederal organizations without being spelled out. In an effort to avoid imposing a federal-style control set on contractors, SP 800-171 attempts to provide a less onerous set of protections than those imposed on federal systems; a practitioner should note that it addresses the confidentiality of CUI only, not the integrity or availability of the systems that hold it.
Draft OMB Guidance
The draft OMB guidance picks up where NARA’s proposed rule left off and would expressly require contractors with nonfederal information systems to implement the protections identified in SP 800-171. It remains to be seen whether SP 800-171 would establish a ceiling or a floor for security standards. Beyond establishing security controls, the draft guidance also requires reporting of “cyber incidents.” Importantly, for contractors providing services to the government (as opposed to those operating information systems on behalf of the government), only incidents on the contractor’s internal systems that affect CUI must be reported, not every incident affecting those systems.
In addition, the draft guidance requires executive agencies to establish procedures for ensuring that contractors’ information systems are secure throughout the procurement process, including requiring contractors to demonstrate in their proposals that they meet the requirements of SP 800-171, “including the security assessment for contractor internal systems,” depending on the level of information at risk. Notably, although SP 800-171 does not establish categories of information or include an assessment of the risk resulting from a breach to define the level of appropriate controls (as SP 800-53 does for federal systems), the draft guidance would require agencies to assess the security of their contractors’ information systems before an acquisition. The draft guidance goes on to require monitoring of compliance with security measures, and mandates that the General Services Administration (GSA) create a business due diligence service to allow agencies to conduct the necessary security assessments of potential contractors.
So what does it all mean?
It is hard to say. The measures above signal a move towards a unified approach by federal agencies to handling sensitive unclassified information. And it appears that the protections set out in SP 800-171 will play a significant role in defining what constitutes appropriate, if not required, security controls for nonfederal information systems. However, it remains to be seen whether the cost of adopting the types of security measures proposed in SP 800-171 will drive existing contractors, particularly small businesses, out of the federal market.
Despite the apparent speed of these responses to increasing cyberattacks, it may be a while before federal contractors have a clear picture of what cybersecurity measures they need to have in place to do business with the federal government. But it would not be too far afield to suggest that contractors should look to SP 800-171 now to see what that might entail.