Cybersecurity Laws and Standards for Government Contractors
Government contractors are required to comply with a variety of cybersecurity laws and standards in order to protect the data of their customers and partners. In this article, we will discuss some of the most important regulations that contractors need to be aware of.
How Do You Become Compliant with Cybersecurity Laws?
An IT company can help your business with audits, assessments, and the selection of qualified cybersecurity firms. These professionals can get your compliance program in order.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act (FISMA) was signed into law by President George W. Bush in 2002 to protect government agencies from cyberattacks. FISMA is intended to ensure that federal information systems are secure, reliable, and compliant with policy standards. FISMA comprises a set of requirements that agencies must meet in order to protect their data, including the development and implementation of risk management programs, the establishment of security controls, and the regular reporting of incidents.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) released the Cybersecurity Framework in 2014 as a guide for organizations to protect their systems and data. The framework is voluntary, but it is widely adopted by both the public and private sectors. It consists of five core functions: identify, protect, detect, respond, and recover.
One of the key components of the framework is the cybersecurity risk management process, which involves identifying and assessing risks to an organization’s information systems, determining the likelihood of those risks occurring, and then protecting against them.
The framework is a critical element of NIST guidance on cybersecurity for federal agencies (see below), and it has been incorporated into the General Services Administration’s (GSA) acquisition rules as well as the Defense Federal Acquisition Regulation Supplement (DFARS).
NIST Special Publication 800-171
In December 2015, NIST released Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” This publication lays out specific security requirements for contractors that handle controlled unclassified information (CUI).
CUI is information that is not classified, but must be protected due to its sensitivity. The publication applies to all nonfederal organizations and systems that handle CUI, including state and local governments, private companies, and academic institutions.
The requirements in Special Publication 800-171 are based on the NIST Cybersecurity Framework. They include: security categorization and control selection; system security plans and updates; risk assessment and management; continuous monitoring and reporting; incident response and investigation capabilities; personnel security policies and procedures, including training requirements; physical security controls for devices that process CUI data; software development guidelines to prevent malware from being introduced during the development process; awareness, training, and education programs to educate employees about cybersecurity threats; and contractor incident reporting.
Cybersecurity Act of 2015
Section 1646 of the National Defense Authorization Act for Fiscal Year 2016 (NDAA) amends the National Security Act of 1947 to require both federal employees and employees of government contractors working under a covered contract to report “cyber incidents” involving “covered defense information.”
A “cyber incident” is defined as “an act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse a system or network controlled by the United States or a covered contractor.”
The term “covered contractor” includes any contractor that has been granted a security clearance by the federal government. The term “covered defense information” is broadly defined as any information that a contractor accesses, handles, transmits, or stores in connection with covered contracts.
The NDAA classifies violations of the reporting requirements as a prohibited act under the federal Computer Fraud and Abuse Act (CFAA). Contractors that fail to report cyber incidents face civil penalties and other enforcement remedies, including injunctive relief, adverse publicity, and suspension or termination of contracts.