Implementation of new cybersecurity guidelines for federal agencies with potential effects for government contractors


The new guidelines include a requirement for an agency to report a “major incident” within one hour of the occurrence of the event.

In early December, the Office of Management and Budget (“OMB”) published the “Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements” for federal agencies (the “Guidance”).

The annual guidelines are required under the Federal Information Security Modernization Act of 2014 (“FISMA”), which requires that cybersecurity incident reporting guidelines be in place for federal agencies.

Although not a direct regulation of private entities, the Guidance reflects the federal government’s growing attention to cybersecurity and data protection. For example, a number of federal agencies have recently implemented new breach notification rules for banking organizations and their service providers. The Department of Justice (“DOJ”) also recently launched a new initiative to enforce cybersecurity requirements and data protection standards against government contractors.

The federal government has faced a growing number of threats over the past year, including the continued fallout from the SolarWinds hack and a separate hack attributed to China that both compromised a number of federal agencies.

Consistent with the federal government’s focus on cybersecurity in the face of increasing malicious activity, the Guidance implements new data protection principles to monitor and mitigate threats and introduces new incident notification requirements.

It is important to note that the Guidance will likely have an indirect effect on private entities. The Guidance does not apply directly to private entities; however, any private entity that engages with the federal government as a government contractor will likely encounter these requirements as contractual provisions. This is because the federal agencies to which the Guidance applies directly will likely pass the requirements on to the private entities that provide services to them.

Data Protection Principles

The Guide is based on four principles, which the OMB identified in its memorandum.

First, agencies are urged to adopt a “zero trust architecture,” meaning policies and procedures that assume technology will fail or that bad actors will attempt to gain access to systems. For example, agencies will need to use phishing-resistant multi-factor authentication. Additionally, agencies will maintain inventories of every device operating on or authorized for government use and encrypt all DNS requests and HTTP traffic.

A zero-trust architecture also includes consistent and rigorous testing of all technology systems, even if they are not necessarily connected to the Internet.

Second, agencies will move away from self-attestation testing (testing that is verified only by the tested party) towards more thorough and scrupulous testing. These measures will likely include manual and automated penetration testing.

Third, assessments under FISMA will move towards risk-based analysis. This is in line with what privacy and data protection laws require of private companies – weighing the risks of data processing and the sensitivity of the information against the benefits of the processing and the controls in place.

OMB hopes this change will focus the federal government’s mitigation strategy on the highest cybersecurity threats and risks facing the federal government.

Finally, the Guide will encourage agencies to use automation in their reporting and incident management. Specifically, the Guide directs agencies to report data in an automated, machine-readable way.

Incident Response

Importantly, the Guidance puts in place strict security incident reporting requirements, which are the most significant change it introduces.

An agency must report a major incident to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) and to OMB within one hour of the agency’s determination that such an incident has occurred. Even if the agency initially reported the incident as a non-major incident, once it is determined to have escalated to the “major” level, the agency must make another report to CISA and OMB.

According to the Guidance, a “major incident” includes: (1) any incident that could manifestly harm the interests of national security, foreign relations, the economy, the public trust, civil liberties or public health; or (2) a breach involving personally identifiable information that, if misused, deleted or otherwise compromised, is likely to manifestly harm national security interests, foreign relations, the economy, the public trust, civil liberties or public health.

An incident is automatically considered major, however, if there is unauthorized modification, deletion, exfiltration or access to the personally identifiable information of 100,000 or more individuals. Therefore, any such breach must be reported to CISA and OMB within the hour, regardless of the agency’s own assessment of its severity.

If a major incident occurs, an agency must also notify its appropriate congressional committees and the Office of the Inspector General within seven days of the incident.

Effect on private entities

While the Guidance does not apply directly to private entities, it further reflects the federal government’s increased emphasis on cybersecurity and data breach response.

If federal agencies are required to meet certain cybersecurity requirements, those federal agencies will likely pass those requirements on to government contractors as well.

Private entities that work with or for federal agencies as government contractors or that receive federal funding should expect to see enhanced contractual cybersecurity requirements that are consistent with the Guidance.