The U.S. Office of Management and Budget (OMB) on August 11 released draft guidance aimed at strengthening security controls, notification requirements, assessments, and systems monitoring related to federal agency acquisitions of products and services from the private sector.
“The intent of the proposed guidance is to take major steps toward implementing strengthened cybersecurity protections in Federal acquisitions and therefore mitigating the risk of potential incidents in the future,” the document states. “This proposed guidance also describes steps that agencies should take to perform better business due diligence to support risk management throughout the entire lifespan of an outsourced capability.”
The draft guidance comes on the heels of several high-profile data security breaches at federal agencies in recent months. Hackers were able to breach computer systems at the Office of Personnel Management and may have stolen the records of four million federal employees and retirees, in addition to as many as 21 million records of individuals who applied for security clearances. In addition, identity thieves were able to breach computers at the Internal Revenue Service in May and compromise as many as 334,000 taxpayer records.
The draft guidance is part of a two-pronged effort by the federal government to improve cyber protection for information systems operated by the government or by contractors working on behalf of the government, as well as the information systems of contractors that house, use, or transmit the controlled unclassified information of the federal government.
In June, the National Institute of Standards and Technology (NIST), in collaboration with the National Archives and Records Administration (NARA), issued final guidance on protecting sensitive federal information on nonfederal information systems. It establishes and implements the Controlled Unclassified Information (CUI) program to standardize the way the executive branch handles unclassified information that requires protection.
OMB’s draft guidance urges agencies to continuously review contract activities in the areas of security controls, cyber incident reporting, information system security assessments, information security continuous monitoring, and business due diligence.
“Performing increased business due diligence will help ensure the Government bases its decisions on the best available information about the risks involved in the program,” the guidance states. “Research to support business due diligence should encompass public record, publicly available, and commercial subscription data to provide comprehensive information about current and prospective contractors and subcontractors to highlight potential security and other risks in the outsourced mission capability.”
For companies doing business with the government, the draft guidance provides a roadmap for agency expectations regarding new cybersecurity requirements and reporting responsibilities.
Feedback and suggestions on this proposed guidance are due by September 10, 2015. OMB expects to release final guidance sometime in the fall of 2015.