Mitigating the threats presented to U.S. critical infrastructure by cyberattacks has been one of the biggest security challenges undertaken by the last several presidential administrations. However, these risks seemed to come to a head during President Joe Biden’s first year in office, which saw unprecedented disruptions to several sectors of the economy due to ransomware infections.
As a result, the Biden administration, through the issuance of several executive orders, has increased federal oversight of the cybersecurity measures required of both government agencies and the contractors that collaborate with them. Last May, one of these orders, issued in response to the SolarWinds attack, not only removed barriers to the sharing of threat information between federal agencies and the information and communications technology (ICT) companies that provide services to the government, but also called for streamlining cybersecurity requirements for vendors across the spectrum.
“Current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations, including cloud-service cybersecurity requirements. Standardizing common cybersecurity contractual requirements across agencies will streamline and improve compliance for vendors and the Federal Government,” the order reads.
Given that Russia is largely believed to have been the perpetrator behind SolarWinds, and that cyberattacks will likely be carried out against U.S. businesses in the wake of the sanctions placed on the country following its invasion of Ukraine last week, government contractors need to ensure they have the necessary protections in place.
According to John Slye, Advisory Research Analyst for software solutions provider Deltek, adhering to these new regulations will require contractors to implement policies, such as Zero Trust, which require users to be authenticated and continuously validated anytime they access a network or application, as well as improve upon their incident tracking, reporting and response postures.
“It really comes down to how clear the mandates are and how much flexibility agencies have in responding to them,” Slye explains. “Historically, if you have watched this industry for any length of time, it is an evolutionary process. One of the challenges has been you’ve either got ambiguous standards, no standards at all or there are conflicting standards. What we are seeing now is a continual kind of coalescing around some common standards.”
Slye says that the government still needs to address the incongruities that exist in different standards across civilian agencies as well as the Department of Defense (DOD) and intelligence community in order to help contractors more adequately address the areas where their cybersecurity programs may be lacking.
“If they are different across different sectors, how do they adapt to those differences? And when there are standards that are evolving and not yet fully clear, how do they help support those agencies in meeting those standards?” asks Slye. “It is an opportunity as well as a risk to say, ‘how do we help inform, how do we partner with the agencies, so that we can help shape the standards in this evolutionary process?’”
Evolving Policies
On a positive note, Slye says the latest memorandums from the White House have encouraged agencies and vendors to work together to help mold these cybersecurity standards, and have even given vendors the flexibility to explain to the government, through the Office of Management and Budget (OMB) or the Cybersecurity and Infrastructure Security Agency (CISA), why they can’t meet certain standards and to work with them to help “keep the ball moving forward.”
“It is not an all or nothing (proposition). There are some deadlines, but they also say if you have trouble meeting the standards, we will work together to move forward,” he adds.
For those that want to stay ahead of the curve on this issue, Slye recommends that contractors take both an internal and an external focus.
“Internally, you can read the standards and make sure that you are building in the security you need. If there are patches that need to be made, you need to make sure you are keeping your patches updated, so keeping your internal operations secure is one side,” he says. “On the other side, you have customers that you are either under contract to support or you have a vested interest and a shared goal. Most of the time, this is not just a relationship where it is very transactional: A lot of contractors have worked with these agencies for years and you have to build trust and a collaborative relationship. So, outwardly facing, contractors should talk with their agencies… and ask them, ‘how can we help?’”
In addition, according to Slye, the development of the Cybersecurity Maturity Model Certification within the DOD, which will require those awarded contracts in the future to meet certain internal and external cybersecurity standards, will raise the bar for all vendors.
“Everyone is going to have to deal with some area of cybersecurity in order to hold a DOD contract,” Slye explains. “Naturally, if you are just doing things that are not IT-related you may just need to be able to show that you’re doing basic cybersecurity – keeping up with patches, using passwords, basic stuff. If you are doing real IT work or weapons systems work, then you will get a higher standard that you have to raise and you will have to meet certain NIST standards to keep control of that classified information. What got everybody’s attention is that DOD said this is going to be every contract across all the defense industrial base. This entire process is still being evolved, but I don’t think that need is going to go away, and we are going to see a continued move toward raising the bar for cybersecurity for all contract holders with appropriate caveats that would make sense.”
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].