What Obama's New Cyber Standards Mean for Federal Contractors

Manuel Balce Ceneta/AP

The guidelines will likely be mandatory to win agency business.

The White House on Wednesday issued voluntary cyber standards aimed at defending key private networks essential to U.S. society – but it could be years before the benefits are noticeable.

While optional for industry, it is expected that the guidelines -- which encourage reporting data breaches to the government -- will be required for federal contractors. 

Government suppliers say they felt involved in the development of the standards and are satisfied that their flexibility will not be burdensome. That same flexibility has given some security observers pause, however, over concerns that "critical infrastructure" industries, like the energy and medial sectors that sustain daily living, will remain vulnerable.

With Wednesday’s release, the Commerce Department met a one-year deadline set by President Obama in a Feb. 12, 2013 executive order to develop a pick-and-choose menu of controls understandable to everyone from technicians to corporate boardroom members, who ultimately will determine the rubric’s viability in industry. The private sector operates most critical infrastructure.  

"Today I was pleased to receive the cybersecurity framework, which reflects the good work of hundreds of companies, multiple federal agencies, and contributors from around the world," Obama said in a statement. "This voluntary framework is a great example of how the private sector and government can, and should, work together to meet this shared challenge."

To prod uptake, federal officials last month published plans to make contract awards contingent on compliance with many of the standards.

Reporting data compromises to authorities essentially will become compulsory for contractors governmentwide, according to trade groups briefed by Obama administration officials. Today, reporting typically is only mandated for breaches of classified information or Pentagon technical data, computer software, and other so-called unclassified controlled technical information.

In a call with reporters on Wednesday, senior Obama administration officials said most vendors do not know who to call within the federal organizational chart when there is an incident. Officials said they will work with contractors to help route them to the appropriate agency for each stage of an incident. For example, they might work with the Homeland Security Department to contain an infection and connect with the FBI or Secret Service for criminal investigations.

Within the next two to three years, suppliers that often don’t even know they’ve had a breach, will be contractually bound to tell the government, said Alan Chvotkin, executive vice president for the Professional Services Council, a trade group representing government vendors. 

"There's no classified information for contractors supporting the Department of Housing and Urban Development, there's comparably very little controlled technical information," he said. "You're now imposing a requirement governmentwide that has today only been imposed on a subset of all government contractors." 

There could be some compliance issues and extra costs involved for the suppliers, Chvotkin said. 

Where it gets complicated is “assessing the extent of the damage, whether the government can come in and seize equipment and your network while they are doing their forensic reviews," he said.

"What is the company's liability to others because of that breach? Those become the bigger barriers, not the mere reporting," he said. "If you do make a report, here are the secondary and tertiary impacts of doing so, and that's where companies take some time to evaluate before they make a report."

In general, the contracting industry seems comfortable with the regime of standards.

The format lets each organization choose a regimen of best practices for handling hackers, from identifying potential vulnerabilities through recovering from a successful intrusion. The best practices are drawn from compendiums of federal and industry standards. 

“It talks about a range of options.  It’s not a single item. It doesn’t say always do A, B, C and D,” Chvotkin said.

“We like regulations that allow tailoring based on the size of the company, the nature of the risk, and the market that they are in," he said. " It’s not about what industry you’re in. It’s not about whether you’re a government contractor or not. It’s, What is the nature of the business you’re in, your risk assessment of the threat of cybersecurity?”

The February 2013 executive order defined “critical infrastructure” as assets "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety.”

Officials with the Internet Security Alliance, a group representing critical infrastructure companies, said in a statement earlier this week that the new rubric will leave those industries vulnerable. "Sophisticated attackers, including nation-states and nation-state affiliated sources, and increasingly criminal organizations, will not be substantially deterred by the basic standards and practices," officials said. They cited a 2012 Ponemon Institute-Bloomberg study that found companies would need to spend almost nine times more on network defense to prevent a catastrophic cyberattack on the scale of Pearl Harbor. 

Government coffers are trying to help, but cyber budget increases have not scaled up by that magnitude either. A fiscal 2014 spending bill enacted in January included $447 million for the Pentagon's Cyber Command -- a two-fold increase over the component's fiscal 2013 budget of $191 million. The legislation provided $792 million for cybersecurity at the Homeland Security Department, an uptick of $35.5 million over last year.