Is Controlled Unclassified Information Out of Control?
The OMB apparently thinks so. On August 11, 2015, the Obama administration, through the Office of Management and Budget (OMB), which is the largest office within the Executive Office of the President, published new draft guidance relating to improving cybersecurity protections in the federal acquisitions process. The draft memorandum discusses security controls, cyber incident reporting, security assessments, monitoring, and business due diligence. Federal contractors with confidential but unclassified information in their possession should consider reviewing the new guidance and work to get ahead of the coming requirements so that they do not find themselves in non-compliance with contractual obligations or at a competitive disadvantage to other federal contractors.
Specifically, the guidance provides direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provides access to Controlled Unclassified Information (CUI) on behalf of the Federal government.” CUI covers a wide variety of sensitive and confidential information, which, according to the recently issued proposed Federal Acquisition Regulation (FAR) rule, section 2002, et seq, includes any “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.”
The Need for Guidance
The stated intent of OMB’s guidance is “to take major steps toward implementing strengthened cybersecurity protections in Federal acquisitions and therefore mitigating the risk of potential incidents in the future.” The proposed guidance recognizes that the “threats facing Federal information systems have dramatically increased as agencies provide more services online, digitally store data, and rely on contractors for a variety of information technology (IT) services.” This threat was highlighted in July with news reports that two breaches of the Office of Personnel Management (OPM) exposed sensitive information relating to at least 22.1 million individuals, including federal employees, private contractors, and their families and friends.
This draft guidance comes on the heels of proposed rules issued by other key federal agencies in response to Executive Order 13636, § 8, issued by President Obama in February 2013. Thus far, the National Archives and Records Administration (NARA) issued a proposed rule which will define the categories of CUI that government agencies and private contractors need to control. More recently, the National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, released a draft Special Publication (SP) 800-171 which provides federal agencies with recommended requirements for protecting CUI when it is in the hands of private contractors. NIST has also released SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which addresses security controls used to assess federal information systems as part of the Security Assessment & Authorization (SA&A) process.
Five Areas of Guidance
OMB’s draft guidance adds to NARA and NIST’s proposed rules and guidelines for the protection of CUI. It does this by calling for amendments to the FAR to provide for the inclusion of terms in federal procurement solicitations and contracts that address five key areas.
- Security Controls.
OMB’s draft guidance calls for contractors to establish security controls on their information systems to protect CUI. Private contractors who operate systems on behalf of the Government will be required to meet the baseline in NIST SP 800-53, as modified by the appropriate agency. However, when private contractors use information systems that only incidentally contain CUI, application of NIST SP 800-53 controls is generally inappropriate and contractors should abide by NIST SP 800-171 instead.
- Cyber Incident Reporting.
New in OMB’s draft guidance is a proposal for the reporting of a “cyber incident.” The draft instructs agencies to require contract language that ensures the timely contractor reporting of all cyber incidents involving the loss of confidentiality, integrity, or availability of data. It also states that “[t]his approach to reporting will promote timely and meaningful information sharing that allows both the contractor and the agency to work closely together to investigate the incident, identify affected individuals, quickly respond to the incident and take other appropriate actions as necessary.”
- Information System Security Assessments.
Also new in the draft guidance are provisions for assessing a federal contractor’s security systems. The guidance requires agencies to develop security assessment protocols based on a number of different factors and requires the contractor to certify its measures and allow agencies access to its security measures as needed to conduct an inspection, evaluation, investigation, or audit.
- Information Security Continuous Monitoring.
Due to the increased number and complexity of information security incidents, the draft guidance directs agencies to provide contractors with capabilities under the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program. If the agency determines that is not feasible, then the agency must, in the alternative, ensure that the contractor-operated system meets or exceeds the information security continuous monitoring requirements identified in OMB Memorandum M-14-03 and the agency may elect to perform information security continuous monitoring and IT security scanning of contractor systems with tools and infrastructure of its choosing.
- Business Due Diligence.
Last but not least, OMB’s draft guidance recognizes that “[c]ybersecurity protections in Federal acquisitions can be further enhanced by performing increased business due diligence to gain better visibility into, and understanding of, how contractors develop, integrate, and deploy their products, services, and solutions as well as how they assure integrity, security, resilience, and quality in their operations.” The guidance requires agencies to record the findings of their business due diligence research in a shared service that the General Services Administration (GSA) will create.
Finally, the draft guidance also points private contractors towards a repository of agency information that OMB has established which includes sample contract clauses.
Public comments on the proposed guidance are due on or before September 10, 2015 and may be submitted through OMB’s interactive platform, GitHub.