recommended reading

What Obama's New Cyber Standards Mean for Federal Contractors

Manuel Balce Ceneta/AP

The White House on Wednesday issued voluntary cyber standards aimed at defending key private networks essential to U.S. society – but it could be years before the benefits are noticeable.

While optional for industry, it is expected that the guidelines -- which encourage reporting data breaches to the government -- will be required for federal contractors. 

Government suppliers say they felt involved in the development of the standards and are satisfied that their flexibility will not be burdensome. That same flexibility has given some security observers pause, however, over concerns that "critical infrastructure" industries, like the energy and medial sectors that sustain daily living, will remain vulnerable.

With Wednesday’s release, the Commerce Department met a one-year deadline set by President Obama in a Feb. 12, 2013 executive order to develop a pick-and-choose menu of controls understandable to everyone from technicians to corporate boardroom members, who ultimately will determine the rubric’s viability in industry. The private sector operates most critical infrastructure.  

"Today I was pleased to receive the cybersecurity framework, which reflects the good work of hundreds of companies, multiple federal agencies, and contributors from around the world," Obama said in a statement. "This voluntary framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge."

To prod uptake, federal officials last month published plans to make contract awards contingent on compliance with many of the standards.

Reporting data compromises to authorities essentially will become compulsory for contractors governmentwide, according to trade groups briefed by Obama administration officials. Today, reporting typically is only mandated for breaches of classified information or Pentagon technical data, computer software, and other so-called unclassified controlled technical information.

In a call with reporters on Wednesday, senior Obama administration officials said most vendors do not know who to call within the federal organizational chart when there is an incident. Officials said they will work with contractors to help route them to the appropriate agency for each stage of an incident. For example, they might work with the Homeland Security Department to contain an infection and connect with the FBI or Secret Service for criminal investigations.

Within the next two to three years, suppliers that often don’t even know they’ve had a breach, will be contractually bound to tell the government, said Alan Chvotkin, executive vice president for the Professional Services Council, a trade group representing government vendors. 

"There's no classified information for contractors supporting the Department of Housing and Urban Development, there's comparably very little controlled technical information," he said. "You're now imposing a requirement governmentwide that has today only been imposed on a subset of all government contractors." 

There could be some compliance issues and extra costs involved for the suppliers, Chvotkin said. 

Where it gets complicated is “assessing the extent of the damage, whether the government can come in and seize equipment and your network while they are doing their forensic reviews," he said.

"What is the company's liability to others because of that breach? Those become the bigger barriers, not the mere reporting," he said. "If you do make a report, here are the secondary and tertiary impacts of doing so, and that's where companies take some time to evaluate before they make a report."

In general, the contracting industry seems comfortable with the regime of standards.

The format lets each organization choose a regimen of best practices for handling hackers, from identifying potential vulnerabilities through recovering from a successful intrusion. The best practices are drawn from compendiums of federal and industry standards. 

“It talks about a range of options.  It’s not a single item. It doesn’t say always do A, B, C and D,” Chvotkin said.

“We like regulations that allow tailoring based on the size of the company, the nature of the risk, and the market that they are in," he said. " It’s not about what industry you’re in. It’s not about whether you’re a government contractor or not. It’s, What is the nature of the business you’re in, your risk assessment of the threat of cybersecurity?”

The February 2013 executive order defined “critical infrastructure” as assets "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.”

Officials with the Internet Security Alliance, a group representing critical infrastructure companies, said in a statement earlier this week that the new rubric will leave those industries vulnerable. "Sophisticated attackers, including nation-states and nation-state affiliated sources, and increasingly criminal organizations, will not be substantially deterred by the basic standards and practices," officials said. They cited a 2012 Ponemon Institute-Bloomberg study that found companies would need to spend almost nine times more on network defense to prevent a catastrophic cyberattack on the scale of Pearl Harbor. 

Government coffers are trying to help, but cyber budget increases have not scaled up by that magnitude either. A fiscal 2014 spending bill enacted in January included $447 million for the Pentagon's Cyber Command -- a two-fold increase over the component's fiscal 2013 budget of $191 million. The legislation provided $792 million for cybersecurity at the Homeland Security Department, an uptick of $35.5 million over last year.

Threatwatch Alert

Network intrusion

Florida’s Concealed Carry Permit Holders Names Exposed

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.