recommended reading

What Obama's New Cyber Standards Mean for Federal Contractors

Manuel Balce Ceneta/AP

The White House on Wednesday issued voluntary cyber standards aimed at defending key private networks essential to U.S. society – but it could be years before the benefits are noticeable.

While optional for industry, it is expected that the guidelines -- which encourage reporting data breaches to the government -- will be required for federal contractors. 

Government suppliers say they felt involved in the development of the standards and are satisfied that their flexibility will not be burdensome. That same flexibility has given some security observers pause, however, over concerns that "critical infrastructure" industries, like the energy and medial sectors that sustain daily living, will remain vulnerable.

With Wednesday’s release, the Commerce Department met a one-year deadline set by President Obama in a Feb. 12, 2013 executive order to develop a pick-and-choose menu of controls understandable to everyone from technicians to corporate boardroom members, who ultimately will determine the rubric’s viability in industry. The private sector operates most critical infrastructure.  

"Today I was pleased to receive the cybersecurity framework, which reflects the good work of hundreds of companies, multiple federal agencies, and contributors from around the world," Obama said in a statement. "This voluntary framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge."

To prod uptake, federal officials last month published plans to make contract awards contingent on compliance with many of the standards.

Reporting data compromises to authorities essentially will become compulsory for contractors governmentwide, according to trade groups briefed by Obama administration officials. Today, reporting typically is only mandated for breaches of classified information or Pentagon technical data, computer software, and other so-called unclassified controlled technical information.

In a call with reporters on Wednesday, senior Obama administration officials said most vendors do not know who to call within the federal organizational chart when there is an incident. Officials said they will work with contractors to help route them to the appropriate agency for each stage of an incident. For example, they might work with the Homeland Security Department to contain an infection and connect with the FBI or Secret Service for criminal investigations.

Within the next two to three years, suppliers that often don’t even know they’ve had a breach, will be contractually bound to tell the government, said Alan Chvotkin, executive vice president for the Professional Services Council, a trade group representing government vendors. 

"There's no classified information for contractors supporting the Department of Housing and Urban Development, there's comparably very little controlled technical information," he said. "You're now imposing a requirement governmentwide that has today only been imposed on a subset of all government contractors." 

There could be some compliance issues and extra costs involved for the suppliers, Chvotkin said. 

Where it gets complicated is “assessing the extent of the damage, whether the government can come in and seize equipment and your network while they are doing their forensic reviews," he said.

"What is the company's liability to others because of that breach? Those become the bigger barriers, not the mere reporting," he said. "If you do make a report, here are the secondary and tertiary impacts of doing so, and that's where companies take some time to evaluate before they make a report."

In general, the contracting industry seems comfortable with the regime of standards.

The format lets each organization choose a regimen of best practices for handling hackers, from identifying potential vulnerabilities through recovering from a successful intrusion. The best practices are drawn from compendiums of federal and industry standards. 

“It talks about a range of options.  It’s not a single item. It doesn’t say always do A, B, C and D,” Chvotkin said.

“We like regulations that allow tailoring based on the size of the company, the nature of the risk, and the market that they are in," he said. " It’s not about what industry you’re in. It’s not about whether you’re a government contractor or not. It’s, What is the nature of the business you’re in, your risk assessment of the threat of cybersecurity?”

The February 2013 executive order defined “critical infrastructure” as assets "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.”

Officials with the Internet Security Alliance, a group representing critical infrastructure companies, said in a statement earlier this week that the new rubric will leave those industries vulnerable. "Sophisticated attackers, including nation-states and nation-state affiliated sources, and increasingly criminal organizations, will not be substantially deterred by the basic standards and practices," officials said. They cited a 2012 Ponemon Institute-Bloomberg study that found companies would need to spend almost nine times more on network defense to prevent a catastrophic cyberattack on the scale of Pearl Harbor. 

Government coffers are trying to help, but cyber budget increases have not scaled up by that magnitude either. A fiscal 2014 spending bill enacted in January included $447 million for the Pentagon's Cyber Command -- a two-fold increase over the component's fiscal 2013 budget of $191 million. The legislation provided $792 million for cybersecurity at the Homeland Security Department, an uptick of $35.5 million over last year.

Threatwatch Alert

Network intrusion

FBI Warns Doctors, Dentists Their FTP Servers Are Targets

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.