Feds Finalize Basic Cyber Hygiene Rules for Contractor Systems


Some industry members say the marching orders are not in lockstep.

Long-awaited rules to guard contractor systems containing nonpublic government data against hackers have been finalized. Federal officials describe the regulations as one step in a series of cybersecurity regulatory actions for civilian and defense suppliers.

But some industry members say the marching orders are not in lockstep. 

In a reversal from earlier proposals -- which started coming out in 2012 -- the final "Basic Safeguarding of Contractor Information Systems" regulations do not cover sensitive information itself, but rather the systems that store information.

The changes were made in response to industry concerns that nearly all information in company systems would be regulated, because data elements are hard to label and segregate. 

"The focus of the final rule is shifted from the safeguarding of specific information to the basic safeguarding of certain contractor information systems," William Clark, director of the Office of Governmentwide Acquisition Policy, said in the regulation, which was released Monday. "It is not necessary to draw a fine line as to what information was 'generated for the government,' when the information is received, or whether the information is marked."

Additional contractor rules -- including information-specific mandates -- will build upon the basics required by Monday's stipulation, he said. 

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Per the new guidelines, a "covered contractor information system" is a company-owned tool that processes, stores or transmits nonpublic information provided by the government that relates to a specific contract. 

That information is now called "federal contract information," the rule states. This is a new class of information some contractors say adds confusion to an already-confusing array of data classification-levels

According to Clark, "federal contract information” means information not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service to the government, but not including information provided by the government to the public (such as on public websites). 

Alan Chvotkin, counsel for the Professional Services Council, which represents federal contractors, said he welcomed the “long overdue governmentwide rule on basic hygiene” for protecting government data. 

"What I don't welcome is it creates a new category of information," he said. "It doesn't use words that are in any other set of cybersecurity guidance." 

Clark characterizes the new rule as one part of a set of concerted cyber regulatory efforts already happening or forthcoming. 

The federal contracting guidebook will, for example, incorporate new National Archives and Records Administration directions for labeling material as "Controlled Unclassified Information," or CUI, which are being finalized.

In addition, a data breach rule for contractors the White House drafted last summer will be adopted, once formalized. That governmentwide guidance is intended to bolster protections for CUI -- the new catchall phrase for sensitive but not classified information -- in systems operated by contractors that service the government. 

Chvotkin said the Archives directions should have been handed down before the system safeguards rule for the sake of compatibility. 

"If this is a preview of where they are going, OK. But it's out of order," he said. "I wish we had the other rule first. It's like trying to put a jigsaw puzzle together without being able to see what the final picture on the outside of the box looks like."

There had been frustration in government and industry over the 4-year wait for the IT safeguards.

"I hope the rest of the picture isn't three years out," Chvotkin said.

These Contractor Information Security Rules Are Still Up In the Air:
December 2015 -- Pentagon interim rule, “Safeguarding Covered Defense Information And Cyber Incident Reporting
August 2015 -- Pentagon interim rule,  “Network Penetration Reporting and Contracting for Cloud Services," Defense Department grants an extension in December 2015
November 2010 -- White House executive order, National Archives and Records Administration must issue instructions on "Controlled Unclassified Information"

Some security experts say, overall, the system protections will broaden the responsibility of suppliers in a positive way compared to what has been required in years past. 

One drawback, however, is that system safeguards do not always minimize the risk of data breaches. Attackers often jump from system to system until they find the data they are after. 

Take the example of Target, where thieves reportedly penetrated a heating and air conditioning vendor's computer to gain the credentials for the store's payment system. Target was in compliance with the payment card industry's IT system safeguards when the big box store was hacked in 2013.

"They built their networks to isolate payment card data flow," said John Dickson, a principal at Texas-based cyber consulting firm Denim Group and a former Air Force intelligence officer. "In the case of Target, the attackers were not bound by the scope" of a system, so there becomes a problem "if you fixate on certain types of systems at the expense of other systems."

The system controls listed in the contractor rule pertain to tools like host servers, workstations and routers, not "perimeter devices."

Government officials say that phasing in the various cyber rules could simplify regulations.  

"All of these actions should help, among other things, clarify the application of the Federal Information Security Management Act," which is the main cyber law for agencies, "and the National Institute of Standards and Technology information systems requirements to contractors and, by doing so, help to create greater consistency, where appropriate, in safeguarding practices across agencies," Clark said. 

In recent years, system hacks at vendors have resulted in the exposure of personal information on more than ten million citizens and government employees.

In June 2015, The Associated Press reported a breach at background check provider KeyPoint affected as many 390,000 current and former Homeland Security Department employees, contractors and job applicants.

A separate intrusion at KeyPoint that traced back to 2013 also may have leaked data on more than 48,000 DHS employees. In 2014, background check company USIS detected a hack that confiscated the personal information on possibly 31,000 personnel at DHS, the National Geospatial-Intelligence Agency, Immigration and Customs Enforcement and the U.S. Capitol Police.