Feds Finalize Basic Cyber Hygiene Rules for Contractor Systems


Some industry members say the marching orders are not in lockstep.

Long-awaited rules to guard contractor systems containing nonpublic government data against hackers have been finalized. Federal officials describe the regulations as one step in a series of cybersecurity regulatory actions for civilian and defense suppliers.

But some industry members say the marching orders are not in lockstep. 

In a reversal from earlier proposals -- which started coming out in 2012 -- the final "Basic Safeguarding of Contractor Information Systems" regulations do not cover sensitive information itself, but rather the systems that store information.

The changes were made in response to industry concerns that nearly all information in company systems would be regulated, because data elements are hard to label and segregate. 

"The focus of the final rule is shifted from the safeguarding of specific information to the basic safeguarding of certain contractor information systems," William Clark, director of the Office of Governmentwide Acquisition Policy, said in the regulation, which was released Monday. "It is not necessary to draw a fine line as to what information was 'generated for the government,' when the information is received, or whether the information is marked."

Additional contractor rules -- including information-specific mandates -- will build upon the basics required by Monday's stipulation, he said. 


Per the new guidelines, a "covered contractor information system" is a company-owned tool that processes, stores or transmits nonpublic information provided by the government that relates to a specific contract. 

That information is now called "federal contract information," the rule states. This is a new class of information that some contractors say adds confusion to an already confusing array of data classification levels.

According to Clark, "federal contract information" means information not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites).

Alan Chvotkin, counsel for the Professional Services Council, which represents federal contractors, said he welcomed the "long overdue governmentwide rule on basic hygiene" for protecting government data.

"What I don't welcome is it creates a new category of information," he said. "It doesn't use words that are in any other set of cybersecurity guidance." 

Clark characterizes the new rule as one part of a set of concerted cyber regulatory efforts already happening or forthcoming. 

The federal contracting guidebook will, for example, incorporate new National Archives and Records Administration directions for labeling material as "Controlled Unclassified Information," or CUI, which are being finalized.

In addition, a data breach rule for contractors the White House drafted last summer will be adopted, once formalized. That governmentwide guidance is intended to bolster protections for CUI -- the new catchall phrase for sensitive but not classified information -- in systems operated by contractors that service the government. 

Chvotkin said the Archives directions should have been handed down before the system safeguards rule for the sake of compatibility. 

"If this is a preview of where they are going, OK. But it's out of order," he said. "I wish we had the other rule first. It's like trying to put a jigsaw puzzle together without being able to see what the final picture on the outside of the box looks like."

There had been frustration in government and industry over the 4-year wait for the IT safeguards.

"I hope the rest of the picture isn't three years out," Chvotkin said.

These Contractor Information Security Rules Are Still Up in the Air:

December 2015 -- Pentagon interim rule, "Safeguarding Covered Defense Information and Cyber Incident Reporting"

August 2015 -- Pentagon interim rule, "Network Penetration Reporting and Contracting for Cloud Services"; the Defense Department granted an extension in December 2015

November 2010 -- White House executive order: the National Archives and Records Administration must issue instructions on "Controlled Unclassified Information"

Some security experts say, overall, the system protections will broaden the responsibility of suppliers in a positive way compared to what has been required in years past. 

One drawback, however, is that system safeguards do not always minimize the risk of data breaches. Attackers often jump from system to system until they find the data they are after. 

Take the example of Target, where thieves reportedly penetrated a heating and air conditioning vendor's computer to gain the credentials for the store's payment system. Target was in compliance with the payment card industry's IT system safeguards when the big box store was hacked in 2013.

"They built their networks to isolate payment card data flow," said John Dickson, a principal at Texas-based cyber consulting firm Denim Group and a former Air Force intelligence officer. "In the case of Target, the attackers were not bound by the scope" of a system, so there becomes a problem "if you fixate on certain types of systems at the expense of other systems."

The system controls listed in the contractor rule pertain to tools like host servers, workstations and routers, not "perimeter devices."

Government officials say that phasing in the various cyber rules could simplify regulations.  

"All of these actions should help, among other things, clarify the application of the Federal Information Security Management Act," which is the main cyber law for agencies, "and the National Institute of Standards and Technology information systems requirements to contractors and, by doing so, help to create greater consistency, where appropriate, in safeguarding practices across agencies," Clark said. 

In recent years, system hacks at vendors have resulted in the exposure of personal information on more than ten million citizens and government employees.

In June 2015, The Associated Press reported a breach at background check provider KeyPoint affected as many as 390,000 current and former Homeland Security Department employees, contractors and job applicants.

A separate intrusion at KeyPoint that traced back to 2013 also may have leaked data on more than 48,000 DHS employees. In 2014, background check company USIS detected a hack that confiscated the personal information on possibly 31,000 personnel at DHS, the National Geospatial-Intelligence Agency, Immigration and Customs Enforcement and the U.S. Capitol Police.
