OMB Information Security Guidance Targets Private Contractors and Their Supply Chain

    Sep 08, 2015

    The U.S. Office of Management and Budget (OMB) on August 11 released draft guidance aimed at strengthening security controls, notification requirements, assessments, and systems monitoring related to federal agency acquisitions of products and services from the private sector. 

    “The intent of the proposed guidance is to take major steps toward implementing strengthened cybersecurity protections in Federal acquisitions and therefore mitigating the risk of potential incidents in the future,” the document states.  “This proposed guidance also describes steps that agencies should take to perform better business due diligence to support risk management throughout the entire lifespan of an outsourced capability.”

    The draft guidance comes on the heels of several high-profile data security breaches at federal agencies in recent months.  Hackers were able to breach computer systems at the Office of Personnel Management and may have stolen the records of four million federal employees and retirees, in addition to as many as 21 million records of individuals who applied for security clearances.  In addition, identity thieves were able to breach computers at the Internal Revenue Service in May and compromise as many as 334,000 taxpayer records.

    The draft guidance is part of a two-pronged effort by the federal government to improve cyber protection for information systems operated by the government or by contractors working on behalf of the government, as well as the information systems of contractors that house, use, or transmit the controlled unclassified information of the federal government.

    In June, the National Institute of Standards and Technology (NIST), in collaboration with the National Archives and Records Administration (NARA), issued final guidance on protecting sensitive federal information on nonfederal information systems.  It establishes and implements the Controlled Unclassified Information (CUI) program to standardize the way the executive branch handles unclassified information that requires protection.  

    OMB’s draft guidance urges agencies to continuously review contract activities in the areas of security controls, cyber incident reporting, information system security assessments, information security continuous monitoring, and business due diligence. 

    “Performing increased business due diligence will help ensure the Government bases its decisions on the best available information about the risks involved in the program,” the guidance states.  “Research to support business due diligence should encompass public record, publicly available, and commercial subscription data to provide comprehensive information about current and prospective contractors and subcontractors to highlight potential security and other risks in the outsourced mission capability.”

    For companies doing business with the government, the draft guidance provides a roadmap for agency expectations regarding new cybersecurity requirements and reporting responsibilities.

    Feedback and suggestions on this proposed guidance are due by September 10, 2015.  OMB expects to release final guidance sometime in the fall of 2015.

    The Washington Policy Brief is an online advisory that contains brief summaries of recent legislative and regulatory issues that may affect the records and information management profession.





    © 2017, ARMA International