Mitigating the threats posed to US critical infrastructure by cyberattacks has been one of the greatest security challenges undertaken by recent presidential administrations. However, these risks appear to have peaked during President Joe Biden’s first year in office, which saw unprecedented disruption in multiple sectors of the economy due to ransomware infections.
As a result, the Biden administration, through the issuance of several executive orders, has strengthened federal oversight of the cybersecurity measures required of both government agencies and the contractors that work with them. Last May, one such order, issued in response to the SolarWinds attack, not only removed barriers to threat intelligence sharing between federal agencies and the information and communications technology (ICT) companies that provide services to the government, but also called for streamlining cybersecurity requirements for providers across the spectrum.
“Current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations, including cybersecurity requirements for cloud services. Standardizing common cybersecurity contractual requirements across all agencies will streamline and improve compliance for vendors and the federal government,” the order states.
Given that Russia is widely believed to have been behind the SolarWinds attack, and that cyberattacks against American companies are likely in the wake of the sanctions imposed on the country after its invasion of Ukraine last week, government contractors must ensure they have the necessary safeguards in place.
According to John Slye, advisory research analyst for software solutions provider Deltek, compliance with these new regulations will require contractors to implement policies, such as Zero Trust, that require users to be authenticated and validated each time they access a network or application, as well as to improve their incident tracking, reporting and response postures.
“It really depends on the clarity of mandates and the flexibility agencies have to respond to them,” Slye says. “Historically, if you’ve watched this industry for a while, it’s an evolutionary process. One of the challenges has been either you have ambiguous standards, no standards at all, or there are standards. What we see now is a sort of continuous fusion around common standards.”
Slye says the government still needs to address the incongruities that exist in different standards between civilian agencies as well as the Department of Defense (DOD) and the intelligence community in order to help contractors more adequately address areas where their cybersecurity programs may be lacking.
“If they are different from sector to sector, how do they adapt to these differences? And when certain standards evolve and are not yet fully clear, how do they help these agencies meet those standards?” Slye asks. “It’s an opportunity as well as a risk to say, ‘how do we help inform, how do we partner with agencies, so that we can help shape the standards in this evolving process?’”
On a positive note, Slye says the latest White House memoranda encouraged agencies and vendors to work together to help shape these cybersecurity standards and even gave vendors the ability to communicate to the government, via the Office of Management and Budget (OMB) or the Cybersecurity and Infrastructure Security Agency (CISA), why they can’t meet certain standards and to work with them to help “move the ball forward”.
“It’s not an all or nothing (proposal). There are deadlines, but they also say that if you are struggling to meet the standards, we will work together to move forward,” he adds.
For those who want to stay ahead of the curve on this issue, Slye recommends that contractors focus on both internal and external measures.
“Internally, you can read the standards and make sure you’re building in the security you need. If there are patches that need to be made, you need to make sure that you keep your patches up to date, so the security of your internal operations is on one side,” he says. “On the other hand, you have clients that you are under contract to support or you have a vested interest and a common goal. Most of the time it is not just a very transactional relationship: many contractors have been working with these agencies for years and you need to build a relationship of trust and collaboration. So, looking outward, contractors should talk to their agencies…and ask them, ‘How can we help?’”
Additionally, according to Slye, the development of the Cybersecurity Maturity Model Certification within the DOD, which will require future contract awardees to meet certain internal and external cybersecurity standards, will raise the bar for all suppliers.
“Everyone is going to have to deal with some area of cybersecurity in order to hold a DOD contract,” says Slye. “Naturally, if you’re only doing things that aren’t IT-related, you might just need to be able to show that you’re doing basic cybersecurity – tracking patches, using passwords, basic stuff. If you do real computer work or weapons systems work, you will get a higher standard that you will have to raise and you will have to meet certain NIST standards to keep control of that classified information. caught everyone’s attention is that the DOD said it would be all contracts for the entire defense industrial base. This whole process is still evolving, but I don’t think that that need will disappear, and we’re going to see continued movement toward raising the cybersecurity bar for all contract holders with appropriate caveats that would make sense.”
Joel Griffin is the editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected]