Changes for Federal IT Security Proposed With Impact for Government Contractors

On March 16, Congressman Jim Langevin (D-RI) introduced legislation that would reform the way IT security would be monitored and managed within the federal government.  The legislation also would overhaul the Federal Information Security Management Act of 2002 (FISMA), and has important implications for government contractors.  The bill, known as the Executive Cyberspace Coordination Act, comes on the heels of a report indicating that the federal government is “not prepared” for cybersecurity threats of the 21st century. The bill is one of several cybersecurity measures pending in congress.  The legislation has received bipartisan support and is similar to a bill introduced in the Senate in February.

The legislation would create a National Office of Cyberspace (NOC) in the White House, headed by a presidential appointee confirmed by the Senate. The NOC would operate a “Federal Cybersecurity Practice Board”, responsible for (1) issuing security controls, in coordination with the National Institute of Standards and Technology (or NIST), for government-networked computers and information infrastructure, (2) evaluating federal information security risks, and (3) developing minimum security standards for products and services procured and used by the government. 

With respect to the proposal to reform FISMA, that statutory scheme has been criticized by security professionals as a “paperwork” exercise that focused too heavily on mechanical compliance processes as opposed to actual security controls. Under the new legislation, federal agencies would be required to implement an information security program that uses “automated technical monitoring of information infrastructure used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”. The new focus would be on real-time monitoring of the effectiveness of security controls and continuous identification of deficiencies and potential security risk.  

Many government contractors are watching this legislation carefully. It includes a proposal to revise the Federal Acquisition Regulation (FAR) in order to establish minimum information security requirements for procurement of IT products and services, and a proposal to adopt policies for evaluating and mitigating supply chain security risks associated with products or services acquired by agencies. More generally, the bill would apply yet-to-be-developed security requirements to any federal agreement that supports the operation and assets of an agency.

The security requirements would apply to government contractors and grantees that collect, use, manage, store, or disseminate information on behalf of an agency, or that use or operate an information system or information infrastructure on behalf of the agency. Whether and to what extent contractors and grantees engage in the foregoing activity has been a source of confusion, both within and outside the government, particularly as it relates to compliance with FISMA. Data security conditions (including FISMA terms) increasingly are incorporated into federal agreements, catching some contractors and grantees off guard. Moreover, as the private sector moves toward a cloud computing platform, the evolving federal cybersecurity policies likely will affect how organizations use cloud services in the performance of contracts and grants.  Organizations may need to start treating cloud service providers as subcontractors, and contractually impose federal data security requirements on these providers. It is too early to tell how these and other important issues ultimately will play out under the new legislation.

The legislation includes other salient items, as follows:

• Annual audits: Requires agencies and contractors to obtain an annual independent audit of their information security programs for overall effectiveness and compliance with FISMA.

• Federal Chief Technology Officer (Federal CTO): Establishes a Federal CTO, appointed by the President and confirmed by the Senate, to work across agencies and the private sector on information technology considerations with regard to federal budgets, and with regard to research and development programs for information technology-related matters.

• Critical infrastructure: Defines “critical information infrastructure” and provides authority to the Secretary of Homeland Security to issue measures for the protection of information systems that control critical infrastructure. Importantly, the legislation does not appear to give Homeland Security an “internet kill switch” and related control over private systems.

• Educational programs: Establishes a “Cyber Challenge Program” to support educational programs designed to engage students and the workforce in skill sets relevant to advanced cybersecurity capability.

Authored by Christopher Wolf