Cybersecurity for Government Contractors

July 7, 2022


As the federal government continues to enhance its partnership with the private sector to protect against malicious cyber actors, Bloomberg Government examines this government-wide endeavor and provides insights for contractors on the status of key initiatives, the unique challenges shaping the cybersecurity landscape, and more.

What is the status of the Biden Cybersecurity Executive Order?

President Biden signed a National Security Memorandum (NSM) to improve the “Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems,” as required in his Executive Order (E.O.) 14028, Improving the Nation’s Cybersecurity, which outlines the following:

  1. Requires service providers to share cyber incidents and threat information.
  2. Creates a standardized playbook for cyber incident response.
  3. Improves the ability to detect malicious cyber activity on federal networks.

At a recent Bloomberg Government event, The Cybersecurity Landscape: Bridging the Gap, Sonny Hashmi, commissioner of the U.S. General Services Administration’s Federal Acquisition Service, discussed the progress that the GSA has made in implementing the Biden executive order for cybersecurity. A few of the major takeaways include vendor assessment programs and communities of practice.

“We’re continuing to develop ways to help agencies reduce cyber supply chain risk through vendor assessment programs so that when we engage with the vendor community, we have a threat or risk profile,” Hashmi said. “We’re not only working with U.S. companies, but we’re also working with companies and suppliers across the globe – we need to understand where those risks, including cybersecurity risks, corporate foreign ownership risk, and so forth need to be further investigated.”

Hashmi added that his organization has also developed the Government-Wide Cyber Supply Chain Risk Management Acquisition Community of Practice, explaining that “this is an important body for agencies to come together and really understand what practices need to be implemented to not only understand but mitigate a long-standing risk that might exist in their overall supply chain.”

These developments are especially important because as hackers have become more sophisticated, so have the tools to stop them. Agencies need to protect data at every stage, from the moment it is collected, to when it is transmitted, to where it is stored, and finally until it is deleted.

“Each piece of this puzzle has to do the right things and connect the dots between all the other pieces,” Hashmi said. “And so, as we start to continue to understand deeper risks, we also need to understand that sometimes it takes time to move the needle in the right directions. But I’m very, very excited and positive in the progress that’s already been made, and especially the support from Congress in this recent budget process to continue to make investments in this space.”


What are the CMMC requirements?

The Cybersecurity Maturity Model Certification (CMMC) safeguards sensitive national security information. The Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework – comprising three levels – to protect the defense industrial base from increasingly frequent and complex cyberattacks. David McKeown, senior information security officer and deputy CIO for cybersecurity at the Department of Defense, shared during The Cybersecurity Landscape: Bridging the Gap that “[DoD is] doing the right thing to protect the right data at the right levels for those three levels versus trying to throw a blanket over all 220,000 companies that are out there.”

DoD CMMC requirements can now be broken down into three levels for the 220,000 companies that have defense contracts:

  • Level 1 – Evaluate your company against 17 controls and submit the self-assessment to the Supplier Performance Risk System (SPRS).
  • Level 2 – Undergo an evaluation by a third-party assessment organization (3PAO) against the criteria of NIST SP 800-171 to get certified.
  • Level 3 – Undergo a 3PAO assessment of the company’s ability to safeguard controlled unclassified information (CUI), plus an additional assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) based on NIST SP 800-172.

What is the DoD zero trust architecture approach?

The Office of Management and Budget (OMB) released a Federal strategy to move the U.S. Government toward a “zero trust” approach to cybersecurity. This memorandum sets forth a Federal zero trust architecture (ZTA) strategy, requiring agencies to meet specific cybersecurity standards and objectives by the end of fiscal year (FY) 2024 to reinforce the government’s defenses against increasingly sophisticated and persistent threat campaigns.

“It is going to be a major culture shift [at DoD],” said McKeown. “We have started with defining a DoD zero trust reference architecture that we use within the department. We published that over a year ago – just prior to the SolarWinds incident being announced. We were on the path already within the department to start implementing zero trust.”

Under zero trust, user access is limited, and identity verification is required to contain damage if a device or system is compromised.

“Zero trust will stop you from escalating your privileges, it segments you from other parts of the network, it restricts you to specific servers, and it makes it harder for you to break out and just wander around aimlessly within the network,” McKeown explained.

The cyber strategy also calls for an inventory of devices authorized for government use, so that security teams can detect and respond to incidents on those devices. In short, a zero-trust approach trusts no one.

“We have several pilots that have already been accomplished and several more underway,” McKeown added. “We have fought for dollars within the department to realign towards this new security architecture, from our old perimeter-based, signature-based architecture to this new zero trust environment. It is a great initiative.”

How do government contractor cybersecurity requirements help prevent future hacks?

The GSA is leading governmentwide efforts to strengthen cybersecurity for customer agencies by leveraging strategies and standards set forth by DoD. In fact, GSA recently signed a memorandum of understanding (MOU) with the Defense Innovation Unit (DIU) that will make it easier for federal agencies to access innovative technology solutions through its multiple award schedule. All these efforts, including holding contractors accountable for new and required cybersecurity obligations, mean a strengthened infrastructure that is better able to prevent future hacks.

The top five cybersecurity requirements that contracting firms should be familiar with are:

  1. Federal Information Security Modernization Act
  2. FAR 52.204-21
  3. DoD Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012
  4. NIST SP 800-171
  5. CMMC 2.0

Finally, encouraging healthy procurement competition and fostering a supportive environment for businesses of all sizes are essential to remaining on the leading edge of cybersecurity developments.

“We want to continue to drive and develop a thriving marketplace of new entrants and new innovative companies, because that is going to be vitally important so that we don’t get the same few players and the same known solutions,” Hashmi said. “We want to make sure that we don’t create an environment where it’s so hard for these smaller businesses to do business with the federal government. The burden is so large that we start losing innovation, losing new entrants, losing new abilities for us to move the needle.”
