The public feedback period is now closed. OMB is currently reviewing comments received and incorporating public feedback, as appropriate, to develop final guidance.
In early 2015 the Federal Chief Information Officers (CIO) Council and the Chief Acquisition Officers (CAO) Council created a working group to review current contract clauses and information technology (IT) acquisition policies and practices around contractor and subcontractor information system security. This interagency group was composed of senior experts in acquisition, security, and contract management, and their recommendations are included in this guidance to Federal agencies on implementing strengthened cybersecurity protections in Federal acquisitions.
We released this proposed guidance for public feedback on the open source platform GitHub to signal transparency in Federal policymaking and to reach a broad audience of stakeholders to assist in further enhancing this guidance. Similar public feedback processes for other OMB initiatives have been very successful in engaging and obtaining the views of the technology and security communities. OMB’s goal in this period of public feedback was to allow for a better understanding of the perspectives of the broader community and to identify areas for improvement to make this guidance even more meaningful and effective.
The intent of the proposed guidance is to take major steps toward implementing strengthened cybersecurity protections in Federal acquisitions and therefore mitigating the risk of potential incidents in the future. This proposed guidance also describes steps that agencies should take to perform better business due diligence to support risk management throughout the entire lifespan of an outsourced capability.
The public feedback period was 30 days and closed on September 10, 2015.
What prompted OMB to develop this guidance? While the Federal Government has taken significant steps to protect Federal assets, information, and systems against evolving cybersecurity threats, cyber threats have dramatically increased over the last few years. That is why in 2015 the Office of Management and Budget (OMB) tasked the Federal Chief Information Officers (CIO) Council and the Chief Acquisition Officers (CAO) Council to review current acquisition and information technology (IT) policies and practices around contractor and subcontractor information system security. An interagency group was formed to conduct the review and develop guidance to Federal agencies on implementing strengthened information security and privacy protections in Federal acquisitions.
How will the guidance strengthen information security within the government? The proposed guidance will strengthen government agencies’ clauses regarding the type of security controls that apply, notification requirements for when an incident occurs, and the requirements around assessments and monitoring of systems. In addition to this, the Guidance outlines a business due diligence service that agencies can use to help ensure they are contracting for secure products and services.
Are the performance problems of predecessor firms taken into account? Agencies currently have the legal authority to take performance problems of predecessor firms and key employees into account when selecting vendors during the procurement process. Agencies must generally consider past performance or other “non-cost evaluation factors.” These “non-cost evaluation factors” include solicitation requirements that require contracts to contain clauses on protection, detection, and reporting of information security incidents. In addition, agencies must consider whether prospective vendors have a satisfactory performance record, along with the necessary organization, experience, accounting, technical, and operational controls.
Are there restrictions on “foreign” participation in these Federal information technology contracts? Federal law restricts “foreign” participation in Federal procurement in several ways, but acquisitions of services are not subject to the Buy American Act (BAA) of 1933 or similar domestic content restrictions. In addition, 10 U.S.C. § 2327 prohibits contracts with companies in which foreign governments that support international terrorism have a “significant interest.”
How can people submit feedback and when is the deadline? The public feedback period closed on September 10, 2015.
This proposed memorandum provides guidance to Federal agencies on implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provide access to Controlled Unclassified Information (CUI)[1][2] on behalf of the Federal government.
The threats facing Federal information systems have dramatically increased as agencies provide more services online, digitally store data, and rely on contractors for a variety of information technology (IT) services. The Federal Information Security Modernization Act of 2014 (FISMA),[3] Office of Management and Budget (OMB) policy, and National Institute of Standards and Technology (NIST) standards and guidelines provide agencies with a framework for securing their information. This information can be on government information systems, contractor information systems, and contractor information systems that are part of an IT service operated on behalf of the Federal Government. The increase in threats facing Federal information systems demands that certain issues regarding the security of information on these systems be clearly, effectively, and consistently addressed in Federal contracts.
In early 2015, OMB tasked the Federal Chief Information Officer (CIO) Council and the Chief Acquisition Officer (CAO) Council (“the Councils”) to review current acquisition and IT policies and practices around contractor and subcontractor information system security. This review would inform recommendations for improvement, consistent with the 2014 Federal Information Security Modernization Act (FISMA),[4] to ensure contractors provide adequate security for Federal information. To help perform this review, agencies shared with OMB contract language, policies, and related documents addressing cybersecurity. An interagency group composed of senior experts in acquisition, security, and contract management recommended that existing agency contract language and other relevant information be made available to other agencies and that OMB issue guidance in the following areas to strengthen the protection of CUI held by Federal contractors:
In response to these recommendations, OMB has established a repository of agency information, including sample contract clauses on MAX.gov,[5] that agencies are encouraged to review to gain insight into existing peer practices. OMB has developed this management memorandum to build on individual agency efforts, clarify applications of security controls, and provide government-wide guidance on the key issues identified by the working group for strengthening cybersecurity protections in their acquisitions.
This memorandum also describes steps that agencies should take to perform better business due diligence to support risk management throughout the entire lifespan of an outsourced capability. This includes incorporating robust business due diligence into the full acquisition, sustainment, and disposal lifecycles, starting with requirements definition, acquisition planning, and market research, through solicitation, source selection, and contract administration, and ending with retirement and disposal. Performing increased business due diligence will help ensure the Government bases its decisions on the best available information about the risks involved in the program. Research to support business due diligence should encompass public records, publicly available data, and commercial subscription data to provide comprehensive information about current and prospective contractors and subcontractors and to highlight potential security and other risks in the outsourced mission capability. The General Services Administration (GSA) shall develop a business due diligence information shared service that gives agencies a holistic view of organizations doing business with the Government. GSA will support efforts to standardize vendor common risk indicators, including cybersecurity risk indicators, in support of agency enterprise risk management and to complement existing agency-specific programs.
The following guidance applies to information collected or maintained by or on behalf of an agency. This includes information on systems that are used or operated by a contractor on behalf of the agency, and information on contractor information systems that are not operated on behalf of an agency but that, incidental to providing a product or service for an agency, may store, collect, maintain, disseminate, process, or provide access to information provided by or developed for the agency in order to provide the product or service.
The guidance distinguishes between systems operated ‘on behalf of the Government’ and a contractor’s internal system used to provide a product or service for the Government. For purposes of this guidance:
The approach to protecting information and the responsibilities imposed on contractors are different in each of these situations. As explained below, systems operated on behalf of the Government are generally required to meet NIST SP 800-53 and conform to the same processes as government systems. Systems operated for multiple users will likely require variations from the standard government processes or terms of service. Internal information systems are generally subject to the requirements described in NIST SP 800-171.[6]
The agency’s CIO, CAO, Chief Information Security Officer, senior agency official for privacy, and other key stakeholders shall immediately begin working together to apply the guidance below. Agencies should continuously review contract activities to ensure this guidance is being applied. Additionally, OMB will review compliance during FedStat and CyberStat sessions. To support these efforts and to move towards greater uniformity, the Federal Acquisition Regulatory Council will amend the Federal Acquisition Regulation (FAR) to provide for inclusion of contract clauses that address, as appropriate, the guidance covered in sections 1-4 below in Federal procurement solicitations and contracts.
For systems operated on behalf of the Government, the agency must require the contractor system to meet the appropriate baseline in NIST SP 800-53, as modified by the agency to meet its risk management requirements. Use of NIST SP 800-53 will provide a consistent approach across agencies. For CUI, the moderate baseline for confidentiality should be applied and adjusted for any specific protection requirements required by law, regulation, or government-wide policy. When the contractor is operating the system to process data from more than one agency, or when there are non-government customers (e.g., cloud service providers), the agency should review the risk management and tailoring processes in NIST SP 800-37 and SP 800-53, which provide mechanisms to accommodate these situations.
For contractors’ internal systems that are used to provide a product or service for the Government but only incidentally contain CUI, the application of NIST SP 800-53 controls is generally not appropriate. NIST recently published NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Agencies should require contractors whose internal information systems will process CUI incidental to developing a product or service for the agency to meet the requirements of NIST SP 800-171 rather than NIST SP 800-53.
For purposes of this guidance, “cyber incident” means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. Cyber incident reporting requirements for systems operated on behalf of the government and contractors’ internal systems are similar. The only distinction is that the reporting of cyber incidents affecting a contractor’s internal system is limited to incidents affecting CUI, not every cyber incident affecting the contractor system.
Timely contractor reporting of all cyber incidents involving the loss of confidentiality, integrity, or availability of data is critical to the Government’s ability to determine appropriate response actions and minimize harm from incidents. During the Councils’ consultation with agencies, it was determined that agency contracts often lack language governing when and how contractors are required to report information security incidents when they occur and when and how contractors should provide notification of breaches to affected individuals and third parties. At a minimum, agency contractual language regarding incident reporting shall include the following:
The specific requirements included in the contractual language shall be based on Federal law, OMB policies, NIST standards and guidelines, and other applicable standards and policies. This approach to reporting will promote timely and meaningful information sharing that allows both the contractor and the agency to work closely together to investigate the incident, identify affected individuals, quickly respond to the incident and take other appropriate actions as necessary.
In determining the appropriate timeline and reporting information, agencies shall comply with Federal law, relevant OMB policies, and NIST standards and guidelines. Agencies must also consider the sensitivity of the information stored by the contractor, the potential damage caused by delays in reporting, the requirements in the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) Federal Incident Notification Guidelines,[7] or other risk factors, as deemed appropriate by an agency.
At a minimum, contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) within the timeline agreed upon in the contract. All known cyber incidents in contractor internal systems must be reported if they involve the CUI in the system, but the contractor does not have to report all known or suspected cyber incidents. In addition to reporting to the SOC, the contractor shall also report the security incident to the:
As part of the organization’s risk management process,[8] contractors that are operating information systems or providing a service that generates, maintains, transmits, stores, or accesses information on behalf of Federal agencies are required to ensure certain safeguards and an Authority to Operate (ATO) are in place prior to operation of the system, per NIST SP 800-37.[9] If possible, based on a risk assessment and a review of existing ATOs granted to the contractor by the agency, agencies should use relevant existing ATOs as an indication of common controls and capabilities for the performance of multiple contracts. Finally, many contractors operating in the commercial marketplace already receive a variety of independent assessments to protect other data, and these should inform an ATO process that meets NIST standards and guidelines.
Agencies should consider the following when developing the requirements for assessing information systems that a contractor is operating on behalf of Federal agencies:
Security assessments not only confirm that contractors are maintaining their security posture; they also allow the agency to validate the maintenance of the previously performed independent assessment.
The agency should specify that the contractor will afford the agency access to the contractor’s facilities, installations, operations, documentation, databases, IT systems, devices, and personnel used in performance of the contract, regardless of location. Access shall be provided to the extent required to conduct an inspection, evaluation, investigation or audit and to preserve evidence of information security incidents. Finally, agencies should include contract language requiring that, prior to contract closeout, the contractor must:
The agency should then review the contractor’s sanitization certification to make sure any risk has been mitigated. To the extent that a contractor generated, maintained, transmitted, stored, or processed personally identifiable information (PII), the senior agency official for privacy (SAOP) should review the certification.
Agencies should identify in the contract solicitation how they expect the contractor to demonstrate in its proposal that it meets the requirements of NIST SP 800-171, including the security assessment for contractor internal systems. This can range, depending upon the impact level of the information at risk, from simple attestation of compliance to detailed description of the system’s security architecture, controls, and provision of supporting test data.
Due to the increasing number and complexity of information security incidents, and the need to react quickly, the Federal Government has prioritized Information Security Continuous Monitoring (ISCM), an initiative identified in NIST SP 800-53 and OMB Memorandum M-14-03.[12] ISCM is defined in NIST SP 800-137[13] as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions” but is not limited to a specific program or technology. To assist agencies in establishing ISCM capabilities quickly, DHS has created the Continuous Diagnostics and Mitigation (CDM) program, and much of the information reported under ISCM is already required under existing OMB guidance. If the agency determines that providing the DHS CDM capabilities to a contractor operating information systems on behalf of the Government is not feasible, the contract must ensure that at a minimum:
While existing contracts may direct the contractor to self-report required ISCM information to the agency, this approach may no longer be sufficient. Agencies and contractors must therefore work together to determine and implement an appropriate solution that fulfills the ISCM requirements. Agencies should work with DHS to ensure that the proposed solution fulfills the ISCM requirements identified in FISMA.
For systems not operated on behalf of the Government – contractor’s internal systems used to develop a product or service – continuous monitoring is part of the security assessment requirement in NIST SP 800-171.
Cybersecurity protections in Federal acquisitions can be further enhanced by performing increased business due diligence to gain better visibility into, and understanding of, how contractors develop, integrate, and deploy their products, services, and solutions as well as how they assure integrity, security, resilience, and quality in their operations. GSA has been working with agencies to explore and pilot the use of public records, publicly available, and commercial subscription data to support business due diligence analyses. Such analyses are consistent with the guidelines in NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, which calls for agencies to frame, assess, respond to, and monitor information and information system-related security and supply chain risks using a holistic, organization-wide risk management process.
1. NIST SP 800-171: Controlled Unclassified Information is any information that law, regulation, or Government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
2. http://www.gpo.gov/fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf
3. https://www.congress.gov/bill/113th-congress/senate-bill/2521/text
4. See 44 U.S.C. 3553: “information collected or maintained by or on behalf of an agency or information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.”
5. https://community.max.gov/x/xwIiLg
6. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
7. https://www.us-cert.gov/incident-notification-guidelines
8. http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
9. ibid. (http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf)
10. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
11. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
12. https://www.whitehouse.gov/sites/default/files/omb/memoranda/2014/m-14-03.pdf
13. http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf