Cybersecurity Requirements for Government Contractors

As a government contractor, you are subject to a number of compliance requirements that you must meet to be awarded a GSA Schedule or another federal acquisition vehicle, and must continue to meet for the entire term of the contract.

In recent years, cybersecurity has become one of the most important compliance provisions on that list. Every business that provides services or sells products to federal agencies is required to meet the cybersecurity requirements for government contractors.

In this article we give a brief overview of these requirements and offer cybersecurity guidelines for contractors.

What is cybersecurity in government contracts?

GSA and DoD cybersecurity requirements vary. In most cases, however, cybersecurity encompasses a set of typical measures and practices aimed at protecting the information handled under federal contracts.

Cybersecurity requirements and procedures typically include:

  • User identification and authentication mechanisms (hardware- or software-based).
  • Restricted access to certain portions of information: only authorized users may reach specific data and functions.
  • Control over the number and source of internet connections.
  • Identification of incoming internet connections.
  • Limited physical access to vital information infrastructure equipment and hardware.
  • An uninterruptible power supply for information infrastructure hardware.

Why manage cybersecurity

The digital age has come. The security of your finances, your business contracts, and even your company as a whole depends on how well your digital assets are protected. Managing cybersecurity, and specifically meeting government IT security standards, is vital today for many reasons.

  • A secure network and digital infrastructure prevents data loss.
  • Well-managed cybersecurity means your financial information is protected from theft and from interception in transit.
  • Managing cybersecurity also prevents intrusions into your infrastructure by malicious actors and mitigates denial-of-service attacks.
  • Finally, your online services, EDI services, and business processes that rely on digital services (third-party or in-house) remain stable and keep operating under adverse conditions.

In the context of federal acquisition, securing the data in your government contracts lets you handle them more smoothly and efficiently; the transactional security of contract vehicles is one of the GSA's and DoD's primary goals and concerns.

Specific Cybersecurity Requirements for Contractors

Currently, there are four main sources of security requirements for federal contractors.

  • Federal Information Security Modernization Act (FISMA)
  • FAR 52.204-21
  • DOD Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012
  • NIST 800-171; Migration to CMMC (2.0)

Let's take a closer look at each one, because the topic is quite technical and requires some background.

The Federal Information Security Modernization Act

The aim of the Federal Information Security Modernization Act (FISMA) of 2014 was to modernize the federal government's approach to cybersecurity.

Specifically, the Act does the following:

  • Provides the Department of Homeland Security (DHS) the authority to develop, oversee and administer the implementation of information security policies for non-national security federal Executive Branch systems, including providing technical assistance and deploying technologies to such systems.
  • Directs DHS to assist agencies in developing and implementing their cybersecurity programs.
  • Directs the Office of Management and Budget (OMB) to revise its policies on notifying individuals affected by federal agency data breaches.
  • Amends and clarifies OMB's oversight authority over federal agency information security practices.
  • Requires OMB to amend or revise OMB Circular A-130 to "eliminate inefficient and wasteful reporting".

FAR 52.204-21—Basic Safeguarding of Covered Contractor Information Systems

FAR 52.204-21 describes the basic safeguarding requirements and procedures that you, as a government contractor, must follow.

The clause requires every contractor to apply a set of basic safeguarding procedures, explicitly listed in the FAR, to protect covered contractor information systems. Not every information system your business operates is subject to FAR 52.204-21; the clause applies only to systems that store, process, or transmit Federal Contract Information (FCI), that is, information not intended for public release that is provided by or generated for the government under the contract.

These are the bare minimum security measures to have in place, according to the FAR:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012

For DoD cybersecurity requirements, refer to DFARS 252.204-7012. This clause establishes the cybersecurity obligations that apply to Department of Defense contracts.

Specifically, a DoD contractor must:

  • Provide adequate security for the covered defense information under the contract that is processed, stored on, or transmitted through the contractor's hardware, software, or network systems.
  • Rapidly report cyber incidents that affect a covered contractor information system or the covered defense information on it, or that affect the contractor's ability to perform operationally critical support; DoD requires this report within 72 hours of discovery.
  • If malicious software is detected and isolated, submit it to the DoD Cyber Crime Center (DC3) together with the corresponding incident report.
  • Provide any additional information about a cyber incident that DoD requests.
  • Flow the DFARS 252.204-7012 clause down to all subcontractors whose work involves covered defense information or operationally critical support.

NIST 800-171 and the Migration to CMMC 2.0

NIST SP 800-171 addresses cybersecurity by specifying how contractors and subcontractors of federal agencies, including GSA contractors, must protect Controlled Unclassified Information (CUI) in their own, nonfederal systems.

It is worth noting how these documents relate: DFARS 252.204-7012 requires contractors to implement NIST SP 800-171, and the Cybersecurity Maturity Model Certification (CMMC), currently version 2.0, is the DoD program for verifying that implementation; depending on the level, verification is by annual self-assessment or by third-party assessment. In CMMC 2.0, Level 1 corresponds to the basic safeguarding requirements of FAR 52.204-21 for FCI, and Level 2 corresponds to the NIST SP 800-171 requirements for CUI.

Managing cyber security for companies with government contracts

When it comes to cybersecurity, government contracts require the same or even more scrupulous management as all other federal compliance requirements. Doing this 100% in-house is certainly possible, but do you really have the resources to allocate to regular monitoring and handling of security issues?

Hiring an agent to maintain your compliance as a government contractor is a viable and affordable option even for small businesses. Price Reporter is such a federal contracting agent. We have helped thousands of companies get on GSA and secure GSA contracts. Security requirements for government contractors are strict, but we know them thoroughly, down to the minute details. Visit our GSA website and request a consultation. We are glad to help you with cybersecurity requirements.
