National Association of Government Contractors

GSA to Tighten Cybersecurity Requirements

Many Federal contractors may find themselves with stringent new cybersecurity requirements to comply with after the General Services Administration (GSA) announced it is tightening the rules for protecting sensitive, non-classified data.

The GSA cybersecurity requirements mandate that contractors protect unclassified information from cybersecurity vulnerabilities in accordance with the Federal Information Security Modernization Act (FISMA) and National Institute of Standards and Technology (NIST) requirements. In addition, the GSA is tightening its requirements for the reporting of cybersecurity breaches.

The rules cover internal contractor systems, external contractor systems, cloud systems, and mobile systems. The public comment period on the new requirements runs from April to June of 2018.

In the guidance provided, contractors are requested to focus on the 110 security protocols set forth in the NIST SP 800-171 security requirements. Controlling and monitoring access to privileged accounts are central components of these guidelines and, more importantly, are critical components in maintaining a strong security posture. Privileged accounts are the most powerful accounts in any organization, providing broad access to systems and devices. Those credentials are increasingly sought out, stolen, and exploited in successful cyberattacks. Securing access to these accounts across all platforms and system types is fundamental to adequate security.

While there are still questions about how compliance will be assessed, acquisition regulations require contractors to put a security plan in place that demonstrates how they'll work towards implementing the NIST SP 800-171 recommendations.

The GSA's announcement comes on the heels of the Department of Defense's (DoD) notice in October 2016 that it was requiring all military contractors to comply with NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."

What is NIST 800-171?

The basic concept is that unclassified information needs the same level of protection whether it resides in a governmental or non-governmental system. The point is to apply security policies in a consistent way across Federal and non-Federal systems. 

The 81-page NIST 800-171 publication provides a consistent set of security policies that cover everything from access control to incident response, personnel awareness, and training.

GSA Following DoD

Specifically, the GSA is proposing to update the General Services Acquisition Regulation (GSAR) on cybersecurity requirements and reporting. Integrating these requirements into the formal GSAR allows the GSA to receive public comments during the rulemaking process.

The new rule will require that contractors incorporate applicable GSA cybersecurity requirements into the statement of work to ensure compliance.

In terms of reporting, the rules establish a contractor's responsibility to report any cyber incident where the confidentiality, integrity, or availability of information is potentially compromised. Additionally, they set timeframes and specific procedures for reporting cyber incidents. There are additional rules for cyber incidents involving personally identifiable information.


