The Office of Management and Budget issued proposed guidance Tuesday meant to strengthen federal cybersecurity standards when agencies acquire products or services involving sensitive information.
The proposed guidance aims to improve the protection of controlled unclassified information (CUI) by strengthening “government agencies’ clauses regarding the type of security controls that apply, notification requirements for when an incident occurs, and the requirements around assessments and monitoring of systems,” says the memo, posted to the Chief Information Officers Council’s CIO.gov website and to GitHub. The draft guidance is open for public comment until Sept. 10.
OMB asked the CIO Council and the Chief Acquisition Officers Council earlier this year to review current acquisition and IT policies and practices for agencies when dealing with private contractors and vendors. That group walked away with a repository of best practices, which OMB is disseminating for reference around government, and guidelines for agencies to strengthen their security when outsourcing an IT system containing critical information.
In addition to the proposed updates to agency contracted IT security policy, the guidance also lays out steps agencies can take to perform “better business due diligence to support risk management throughout the entire lifespan of an outsourced capability.”
The amended requirements found in the proposal include:
- Requiring contractor systems to meet the appropriate baseline in the National Institute of Standards and Technology’s SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (the catalog of controls and the low, moderate and high baselines used to secure and assess federal information systems) when the contractor operates a system on the agency’s behalf, or NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, when CUI is stored or processed on the contractor’s own internal systems;
- Reporting cyber incidents on contractor systems the same way agencies report incidents on their own systems, whenever the incident involves federal CUI;
- Requiring specified security safeguards and an authorization to operate (ATO), per the NIST SP 800-37 risk management framework, before an agency uses an external system; and
- Extending agency continuous monitoring capabilities to contractor systems where feasible.
Finally, the guidance would require agencies to perform better due diligence when dealing with contractors “to gain better visibility into, and understanding of, how contractors develop, integrate, and deploy their products, services, and solutions as well as how they assure integrity, security, resilience, and quality in their operations,” it says. Within 90 days, the CIO and CAO Councils’ working group would be required to provide U.S. CIO Tony Scott and Federal Procurement Policy Administrator Anne Rung with recommendations for a baseline of IT acquisition due diligence practices.
OMB says it would review agencies’ compliance with the new guidance during FedStat and CyberStat sessions, which OMB uses to coordinate budget plans with agency mission and management issues.
The guidance comes on the heels of the massive breaches at the Office of Personnel Management announced in June, which compromised the personal information of more than 22 million current and former federal employees and security clearance applicants. Though the hackers, alleged by cybersecurity experts to have operated from China, breached internal OPM systems, investigations have linked the credentials the attackers used to OPM contractor KeyPoint Government Solutions, which was itself hacked last year.