The rules governing the security of the information technology systems of contractors and the private sector are in a continual state of flux as the federal government struggles to get its arms around an ever-changing landscape.
The government has approached this challenge from myriad angles with rulemaking and reporting by multiple agencies, particularly those having a greater stake in ensuring and enforcing an effective cyber security regime. It is important to stay abreast of the recent developments coming from various quarters.
In February, the
The framework is essentially a digestible distillation of existing
The core describes five functions that an organization should perform to achieve the specific cyber security outcomes: identify, protect, detect, respond and recover.
Each function is further divided into categories and subcategories, with informative references (existing standards and guidelines) for guiding activities within each function. An organization can compare its current cyber security practices with those outlined in the framework core to create its profile and examine the extent to which it meets desired outcomes in light of its own risk profile.
The framework is voluntary, and it is too early to tell whether organizations will find it useful and adopt it. Many large or sophisticated organizations will likely find that the maturity of their existing practices already outpaces it. However, small to medium-sized organizations will likely find the framework a suitable starting point for developing best practices.
A key deliverable mandated by the administration is a study and report conducted jointly by the
The report urges agencies not to be penny-wise, pound-foolish when buying products and services because adequate cyber security will reduce the overall cost of ownership in the long run. In other words, spending more money upfront on a product or service that incorporates greater protections will often save the agency from an even more costly data breach. Hence, the report advises that agencies incorporate specific practices in their acquisition procedures to ensure that cyber security receives sufficient consideration in procurement decisions.
To this end, the report made several recommendations.
First, organizations should institute baseline cyber security requirements as a condition of contract award for appropriate acquisitions. The report suggests that meeting the baseline would be an element of responsibility for a contractor and that the federal government simply should not do business with a company that does not meet the baseline. The report also recommends expressing the baseline in terms of technical requirements - in contrast with the "processes" defined in the framework - and performance measures to ensure the baseline is maintained.
Second, cyber security should be included in acquisition training. The report urges this training for both government procurement personnel and relevant contractor personnel, with well-defined training standards in the Federal Acquisition Regulation.
Third, common cyber security definitions should be developed for federal acquisitions. The report recognizes the growing problems caused by inconsistent FAR definitions.
Fourth, the report recommends instituting a federal acquisition cyber risk management strategy that identifies a hierarchy of risks for different acquisitions and develops a common application of cyber security procurement rules for similar types of acquisitions.
Fifth, there should be a requirement to buy from original equipment manufacturers, their authorized resellers or other trusted sources. The report acknowledges that counterfeit parts increase risk.
Lastly, there should be increased government accountability for cyber risk management. The report recommends incorporating it into both acquisition planning and contract administration.
The prudent contractor will see this report as a harbinger of greatly increased scrutiny of a contractor's cyber security initiatives and will seek to stay ahead of any pending requirements.
The rule requires the reporting of any "cyber incident" within 72 hours of detection. "Cyber incident" is defined as "actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the technical information residing therein," which, read on its own, suggests a consummated external intrusion or "hack" into a company's network.
However, the actual reporting requirements suggest that an inadvertent release, which does not seem to be encompassed in the express definition of "cyber incident," may also require a report. The reporting requirement also covers possible cyber incidents, including the "possible exfiltration, manipulation or other loss or compromise" of relevant information.
The tension between the definitions section and the reporting requirements has caused some confusion as to when a reporting obligation has been triggered. The best practice is to report any incident that could reasonably be construed as falling under the definition in the rule, and to do so within the 72-hour window measured from detection rather than from confirmation. Indeed, the rule is clear that a properly reported cyber incident shall not by itself be construed as evidence that the contractor has failed to establish adequate cyber security safeguards.