White House issues cybersecurity rules for contractors

The Obama administration has released draft guidelines that would require government contractors handling sensitive data to meet baseline security requirements and report digital intrusions to authorities.

The rules would also allow the Department of Homeland Security (DHS) to deploy its own network monitoring programs at a contractor if it is not meeting the necessary standards.

“The proposed guidance will strengthen government agencies’ clauses regarding the type of security controls that apply, notification requirements for when an incident occurs, and the requirements around assessments and monitoring of systems,” said the proposal from the Office of Management and Budget (OMB).

The new rules are part of a broad effort to secure government networks in the wake of a spate of cyberattacks at high-profile agencies and contractors.

In the recent digital assault on the U.S. government that exposed more than 22 million people’s data, suspected Chinese hackers were able to crack Office of Personnel Management networks after lifting a contractor’s security credentials.

That contractor, KeyPoint Government Solutions, is one of two major background-check processors that were breached in separate incidents last year. The other contractor, U.S. Investigations Services, has since lost some of its government contracts.

Combined, the digital hits exposed files on roughly 70,000 federal employees, many of whom held security-clearance-level positions with the DHS.

With its updated guidelines, the administration is hoping to prevent future contractor breaches as the government increasingly turns to these outside companies “for a variety of information technology services,” the OMB said.

The White House believes part of the problem has been inconsistency in the data security standards for federal contracts.

Agencies have issued varying guidelines that have only served to complicate things, said Christian Henel, a government contract attorney with Thompson Hine. 

"There have been some standards that agencies have enforced, but each one has control over which standard they enforce and why," he said. "It’s not been uniform. OMB is attempting to remedy that."

The new rules would direct agencies to ensure that contractors operating government systems are following security processes set by the National Institute of Standards and Technology.

If companies are found to not be properly monitoring their own networks, the guidelines would allow for federal agencies to go in with their own examination tools.

Henel said this clause might lead to some pushback from contractors.

"I could see that as being potentially burdensome," he said.

Finally, the rules would make companies report more, although not all, cyberattacks to the government.

“At a minimum, contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency,” the OMB said.

The public has until Sept. 10 to comment on the draft. The final guidelines are expected sometime this fall.