It has been assumed for some time now that major components of the government contracting sector would fall in line with NIST standards for safeguarding controlled unclassified information (CUI), namely NIST Special Publication 800-171. The Department of Defense was the first to implement the standard, beginning with updates to the Defense Federal Acquisition Regulation Supplement (DFARS) contract regulations in the summer of 2016.
Other government agencies have been expected to follow DoD’s model, including the Department of Homeland Security (governed by the HSAR contract regulations) and the General Services Administration (governed by the GSAR). While previous FAR clauses called for the implementation of a small sampling of information security requirements, the adoption of NIST 800-171 Revision 1 involves a total of 110 unique security requirements spanning HR practices, facility security, and a wide range of IT controls.
GSAR Working Group Announces Their Intent
On January 12th, GSA posted the details of its semiannual regulatory agenda, which outlines the major rulemaking changes anticipated for 2018. In the agenda, GSA identified the need to align its current cybersecurity regulations with the established definitions of CUI provided under previous executive orders, as well as to adopt the information safeguards maintained by the National Institute of Standards and Technology (NIST).
Intended changes to the rule are outlined in the GSA’s Unified Agenda, posted on the Federal Register:
…This rule will require contracting officers to incorporate applicable GSA cybersecurity requirements within the statement of work to ensure compliance with Federal cybersecurity requirements and implement best practices for preventing cyber incidents. These GSA requirements mandate applicable controls and standards (e.g. U.S. National Institute of Standards and Technology, U.S. National Archive and Records Administration Controlled Unclassified Information standards).
The “applicable controls and standards” mentioned are, of course, NIST SP 800-171 Rev 1 and NARA’s definitions of controlled unclassified information (per the CUI Registry). These are the two major standards developed by NIST and NARA for use by private sector businesses that handle CUI, and they already serve as the basis for upcoming information security standards in numerous industries.
According to the OMB’s case summary for the proposed rule change: the new rule will cover cybersecurity requirements for internal contractor systems, external contractor systems, cloud systems, and mobile systems. Additionally, the rule will also update existing GSAR clauses 552.239-70 and 552.239-71, which dictate security for contractors who directly connect to GSA networks.
What This Means for Government Contractors
Contractors who are anxious to begin planning for the newly aligned rules need look no further than the equivalent DoD (DFARS) contract clause written to govern this issue across the DoD industrial base. DFARS 252.204-7012 identifies the appropriate controls for internal, external, and mobile contractor systems (NIST 800-171), as well as for cloud systems (the FedRAMP Moderate baseline or its equivalent). The extensive DFARS clause also defines contractors’ cyber incident reporting obligations (reporting to DoD within 72 hours of discovery) and the flow-down requirements that apply when CUI is passed on to subcontractors in a contractor’s supply chain.
GSA contractors who wish to gain a competitive advantage when the new GSAR rules are announced should begin implementing NIST 800-171 now, along with the controls outlined in DFARS 252.204-7012. Many of the DFARS clause requirements already rely on federal reporting systems and security standards, and they are likely to be a close approximation of the new GSAR requirements.