White House Preps New Cyber Policy Dealing with Federal Contractors

Orhan Cam/Shutterstock.com

The proposal, which could be published as early as today, follows hacks at two background checkers that compromised the security of personnel who handle U.S. secrets.

The Obama administration is preparing to release a new policy to homogenize the way vendors secure agency data.

The proposal, which could be published as early as today, follows hacks at two background checkers and the Office of Personnel Management that potentially compromised the security of personnel who handle U.S. secrets.

"The increase in threats facing federal information systems demand that certain issues regarding security of information on these systems is clearly, effectively, and consistently addressed in federal contracts," states a notice scheduled to be posted Thursday in Federal Register.

More details about the contract rules are expected to be posted on CIO.gov shortly, along with a deadline for submitting comments on the proposal.

As of early this afternoon, a placeholder webpage stated the White House is reviewing current contractor data security policies to create the new guidelines for "improving cybersecurity protections in federal acquisitions."  

Today, there is a hodgepodge of laws, White House policies and government standards that direct agencies to secure data wherever that information is housed. Discrepancies among these many regulations have created confusion for companies and departments.

On June 18, the National Institute of Standards and Technology issued guidelines for potential contractor clauses involving the protection of sensitive “controlled unclassified” information inside company systems.

The Pentagon in May 2014 released rules specific to defense contractors on counterfeit electronic parts, which aim to address the problem of suppliers damaging computerized military systems.

Then, there are November 2013 contractor stipulations for guarding confidential military technological and scientific data, known as “unclassified controlled technical information.”

In recent years, a spate of hacks at contractors exposed sensitive government data that might have armed foreign adversaries with U.S. intelligence. Also, some of these data breaches resulted in the loss of medical information on agency personnel.

In 2011, Tricare military health insurance data on 4.9 million service members and their families was stolen out of an SAIC contractor's car. On Wednesday, SAIC, now known as Leidos, won a multi-billion deal with the Pentagon to upgrade electronic health records. In 2012, it was discovered that hackers entered a Serco computer containing the Social Security numbers of 123,000 federal employee retirement plan participants.

And in the largest known breach of sensitive government information, suspected Chinese spies used a password stolen from a KeyPoint contractor to hack into OPM networks. Through a series of coordinated intrusions, the attackers ultimately gained records on 21.5 million past and present feds, individuals applying for clearances to see classified information, and their family members.

One of the hacks, which targeted background investigator USIS, also retrieved personal data on more than 31,000 employees at the Department of Homeland Security, the National Geospatial-Intelligence Agency and the U.S. Capitol Police.

(Image via Orhan Cam/ Shutterstock.com)