recommended reading

What Obama's New Cyber Standards Mean for Federal Contractors

Manuel Balce Ceneta/AP

The White House on Wednesday issued voluntary cyber standards aimed at defending key private networks essential to U.S. society – but it could be years before the benefits are noticeable.

While optional for industry, it is expected that the guidelines -- which encourage reporting data breaches to the government -- will be required for federal contractors. 

Government suppliers say they felt involved in the development of the standards and are satisfied that their flexibility will not be burdensome. That same flexibility has given some security observers pause, however, over concerns that "critical infrastructure" industries, like the energy and medial sectors that sustain daily living, will remain vulnerable.

With Wednesday’s release, the Commerce Department met a one-year deadline set by President Obama in a Feb. 12, 2013 executive order to develop a pick-and-choose menu of controls understandable to everyone from technicians to corporate boardroom members, who ultimately will determine the rubric’s viability in industry. The private sector operates most critical infrastructure.  

"Today I was pleased to receive the cybersecurity framework, which reflects the good work of hundreds of companies, multiple federal agencies, and contributors from around the world," Obama said in a statement. "This voluntary framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge."

To prod uptake, federal officials last month published plans to make contract awards contingent on compliance with many of the standards.

Reporting data compromises to authorities essentially will become compulsory for contractors governmentwide, according to trade groups briefed by Obama administration officials. Today, reporting typically is only mandated for breaches of classified information or Pentagon technical data, computer software, and other so-called unclassified controlled technical information.

In a call with reporters on Wednesday, senior Obama administration officials said most vendors do not know who to call within the federal organizational chart when there is an incident. Officials said they will work with contractors to help route them to the appropriate agency for each stage of an incident. For example, they might work with the Homeland Security Department to contain an infection and connect with the FBI or Secret Service for criminal investigations.

Within the next two to three years, suppliers that often don’t even know they’ve had a breach, will be contractually bound to tell the government, said Alan Chvotkin, executive vice president for the Professional Services Council, a trade group representing government vendors. 

"There's no classified information for contractors supporting the Department of Housing and Urban Development, there's comparably very little controlled technical information," he said. "You're now imposing a requirement governmentwide that has today only been imposed on a subset of all government contractors." 

There could be some compliance issues and extra costs involved for the suppliers, Chvotkin said. 

Where it gets complicated is “assessing the extent of the damage, whether the government can come in and seize equipment and your network while they are doing their forensic reviews," he said.

"What is the company's liability to others because of that breach? Those become the bigger barriers, not the mere reporting," he said. "If you do make a report, here are the secondary and tertiary impacts of doing so, and that's where companies take some time to evaluate before they make a report."

In general, the contracting industry seems comfortable with the regime of standards.

The format lets each organization choose a regimen of best practices for handling hackers, from identifying potential vulnerabilities through recovering from a successful intrusion. The best practices are drawn from compendiums of federal and industry standards. 

“It talks about a range of options.  It’s not a single item. It doesn’t say always do A, B, C and D,” Chvotkin said.

“We like regulations that allow tailoring based on the size of the company, the nature of the risk, and the market that they are in," he said. " It’s not about what industry you’re in. It’s not about whether you’re a government contractor or not. It’s, What is the nature of the business you’re in, your risk assessment of the threat of cybersecurity?”

The February 2013 executive order defined “critical infrastructure” as assets "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.”

Officials with the Internet Security Alliance, a group representing critical infrastructure companies, said in a statement earlier this week that the new rubric will leave those industries vulnerable. "Sophisticated attackers, including nation-states and nation-state affiliated sources, and increasingly criminal organizations, will not be substantially deterred by the basic standards and practices," officials said. They cited a 2012 Ponemon Institute-Bloomberg study that found companies would need to spend almost nine times more on network defense to prevent a catastrophic cyberattack on the scale of Pearl Harbor. 

Government coffers are trying to help, but cyber budget increases have not scaled up by that magnitude either. A fiscal 2014 spending bill enacted in January included $447 million for the Pentagon's Cyber Command -- a two-fold increase over the component's fiscal 2013 budget of $191 million. The legislation provided $792 million for cybersecurity at the Homeland Security Department, an uptick of $35.5 million over last year.

Threatwatch Alert

Stolen credentials

Hackers Steal $31M from Russian Central Bank

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.