Securing a government contract requires appropriate cybersecurity measures. These requirements have different aspects, including Federal standards, technical protocols, administrative protocols, and physical security protocols.
If you’re interested in securing a government contract and keen on learning more about cybersecurity for government contractors, this article will provide you with the current and future lay of the land to help guide you in your efforts to begin your endeavor.
Cybersecurity Guide for Government Contractors
This extensive guide is designed to give government contractors clarity on the government's cybersecurity requirements. It is meant to be read from start to finish, since each requirement builds on the ones introduced before it.
False Claims Act (FCA)
The False Claims Act is the first thing to consider if you are a government contractor and need guidance on cybersecurity requirements.
Several pieces of legislation focus on strengthening the cybersecurity resilience of U.S. federal agencies and their contractors. One of the most important ones for you to be aware of is the False Claims Act (FCA).
While the Justice Department under President Biden has outlined how it plans to enforce the FCA, the False Claims Act’s inception predates this action, going back to the Civil War era when it was implemented to combat defense contractor fraud in 1863.
The False Claims Act, also called the “Lincoln Law,” imposes liabilities and penalties on individuals and/or companies seeking to defraud the federal government.
There is a precedent involving litigation against entities for failing to comply with federal requirements for cybersecurity, thus violating the FCA. This precedent deals with the violation of NIST 800-171 (which we detail later).
President Biden has also taken additional measures to strengthen federal cybersecurity.
On May 12, 2021, the administration announced the Executive Order on Improving the Nation’s Cybersecurity (EO 14028). The Executive Order contains ten sections, nine of which deal with steps the government is to take to improve cyber resilience.
As an individual or company seeking to work with the federal government, you must remain well-educated and current on the risks and liabilities associated with non-compliance. Penalties levied against you can be both civil and criminal. As a result, the ramifications of failing to comply can be devastating to one’s reputation, livelihood, and future ability to do business with the government.
Cybersecurity Requirements for Government Contractors
In response to the increase in cybersecurity threats around the globe, the government decided to begin rolling out basic requirements contractors must adhere to in the event they seek to work with a federal agency.
On May 16, 2016, the FAR 52.204-21 clause was added to implement basic standards for safeguarding contractor information systems. So, what exactly is FAR 52.204-21, besides a confusing amalgamation of letters and numbers? Read on to learn more.
Federal Acquisition Regulation (FAR) 52.204-21
FAR 52.204-21 is a contract clause establishing basic cybersecurity standards that contractors must adhere to if they seek work with a federal agency. The clause contains a set of fifteen cybersecurity protocols covering the processing, storage, and transmission of information under the federal government's purview.
You'll need to remain compliant if you seek to provide a product or service to a federal agency.
FAR 52.204-21 protocols can be broken down into four main buckets:
- Technical protocols
- Administrative protocols
- Physical protocols
- Protocols involving a combination of one or more of the aspects mentioned above regarding cybersecurity
Cybersecurity Maturity Model Certification (CMMC)
The Federal Acquisition Regulation’s contract clause and the various controls (or requirements) form the basis for what is considered Level 1 of the Cybersecurity Maturity Model Certification (CMMC).
The key thing to remember here is that this is the bare minimum currently required to be considered for a government contract and serves as a stepping stone to future waves of regulation.
If you are securing a government contract, you must ensure that your company complies with these fifteen protocols and has documented policies, standards, and procedures.
If an audit finds a contractor to be non-compliant, they may be subject to penalties for violating the False Claims Act.
There are seven protocols within the technical requirements of cybersecurity. These protocols involve taking various measures to authenticate and vet users who have access to information systems, appropriately limiting access accordingly, and limiting various functions and types of transactions authorized users are allowed to execute.
Contractors must also take steps to physically or logically separate publicly accessible system components from internal networks and implement protections against cybersecurity threats. These safeguards must be updated regularly when new releases become available, and periodic scans of information systems must be conducted and documented.
There is currently a single protocol that is fully classified as administrative, and this involves imposing controls on information that is “posted or processed on publicly accessible information systems.”
A further set of protocols involves a combination of technical and administrative efforts.
They include verifying and controlling the number of connections to external information systems and identifying various information system users.
Contractors must also take steps to “monitor, control, and protect organizational communications” at key external and internal boundaries.
Finally, contractors must have processes that promptly “identify, report, and correct” any discovered flaws.
There is currently a single protocol that falls solely under the classification as “physical.” This protocol involves limiting physical access to information systems to authorized individuals only.
Two more protocols have both an administrative and a physical component.
The first involves setting up processes to sanitize or destroy media containing sensitive information before disposal or “for release and reuse”.
The second involves controlling access to information systems by having an escort system for visitors and establishing processes for monitoring, logging, and auditing visitor access.
It should also be noted that compliance with FAR 52.204-21 alone does not relieve a contractor of their duties to comply with any other requirements specified by a federal agency or established by Executive Order 13556, which details requirements for the control of unclassified information.
Additionally, it is safe to assume that any requirements you as a contractor are responsible for would also transfer to any potential subcontractors beneath you.
DFARS 252.204-7012 is a clause published in October 2016, just five months after the addition of FAR 52.204-21. The “D” in DFARS indicates that it was established by the Department of Defense, which has largely led the way in cybersecurity compliance.
DFARS is the clause that requires compliance with the National Institute of Standards and Technology’s Special Publication 800-171 (also referred to as NIST SP 800-171 or NIST 800-171).
In addition to all contractors and subcontractors needing to comply with NIST 800-171, DFARS also included additional requirements for reporting cyber incidents, isolating and submitting malicious content for analysis, and conducting damage assessments.
So, what exactly is NIST 800-171? Well, it’s the most current set of regulations that government contractors are required to comply with.
NIST 800-171 brought about several changes and specifications for government contractors to comply with regarding the protection of controlled unclassified information (CUI). So, in addition to FAR 52.204-21 compliance, contractors must also comply with a total of 110 protocols grouped into a set of fourteen families.
NIST 800-171 compliance is the gold standard regarding cybersecurity regulations. It relates to all information and media, from emails and other electronic files to sales orders and physical documentation such as blueprints.
NIST 800-171 was established to provide agencies with a solid framework that they can all follow to protect CUI adequately. Before these implementations, each agency was largely doing its own thing.
As mentioned above, NIST 800-171 can be broken down into 14 families, each containing several controls (aka requirements). These families are as follows:
1. Access Control
Access Control entails establishing protocols regarding who can access your data and ensuring that appropriate permissions are set up for authorized individuals. This family contains 22 controls in total.
2. Awareness and Training
The Awareness and Training family, as one can assume, involves having processes in place to ensure that your employees are adequately educated and trained on how to handle information systems, address various potential threats, and understand data and security boundaries. There are a total of three controls in this family.
3. Audit and Accountability
The Audit and Accountability family requires contractors to take several steps to ensure accountability, such as keeping records of access (both authorized and unauthorized) and having a system in place which can help identify any potential violations. There are a total of 9 controls under the Audit and Accountability family.
4. Configuration Management
Configuration Management requires that contractors properly build and document the configuration of their networks and security protocols. There are nine controls under this family.
5. Identification and Authentication
Identification and Authentication is a family similar in theory to the Access Control family. However, the key difference is that this family doesn’t just require you to set up access controls. It requires you to detail the validation methods used to authenticate users in the first place. There are a total of 11 controls in this family.
6. Incident Response
The Incident Response family is a part of the clause that requires you to have certain measures and documentation in place in the event of a breach or security threat. This family contains three controls.
7. Maintenance
The Maintenance family requires contractors to establish and document a routine for regular maintenance of systems and to designate who is responsible for carrying out this work. This family contains six controls.
8. Media Protection
When we talk about media in the sense of cybersecurity, we’re not talking about the news. This family requires contractors to set up and document processes on how any sensitive media (electronic or hardcopy) are stored, accessed, and backed up. This family contains nine controls.
9. Personnel Security
Personnel security specifically deals with the process of how employees and authorized users are screened before gaining access to information systems. For instance, are they getting background checks? This family contains two controls.
10. Physical Protection
The Physical Protection family deals with who has physical access to your information systems and requires that a process is documented and put into place. This family contains six controls.
11. Risk Assessment
The Risk Assessment family maintains that risk assessments must be conducted on a regular and ongoing basis to verify compliance with NIST 800-171.
This can be done via methods such as simulation. The Risk Assessment family contains a total of three controls.
12. Security Assessment
The Security Assessment is similar to the Risk Assessment family in that assessments are required on an ongoing and regular basis.
However, instead of specifically focusing on possible risks, this family deals with security measures, ensuring protocols in place are effective and assessing whether improvements are needed. There are a total of four controls in this family.
13. System and Communications Protection
The System and Communications Protection family requires that contractors regularly monitor and control sensitive information internally and at external transmission points. This family is a doozy and contains a total of 16 controls.
14. System and Information Integrity
The System and Information Integrity family requires contractors to assess how nimble they are in the event of a security threat or breach. This family contains a total of seven controls.
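As an added example (not code from the article or from any of the regulations it describes), the following Python sketch shows how the Access Control and Audit and Accountability families fit together in practice: every access decision is checked against a role-to-permission mapping and written to an audit record whether it was allowed or denied, and a review routine then scans that record for the patterns an auditor would want surfaced, namely repeated denials for one user and attempts by unknown users. The roles, permissions, users and timestamps are constructed for illustration, and the denial threshold and time window are assumptions, not values taken from NIST 800-171.

```python
"""Role-based access decisions with an audit trail and a violation review.

Constructed example: a tiny access check that records every decision,
authorized or not, plus a review routine that flags likely violations.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical role-to-permission mapping. A real one comes from your own
# System Security Plan; this sample organization has three roles.
ROLE_PERMISSIONS = {
    "engineer": {"read:drawings", "write:drawings"},
    "sales": {"read:orders", "write:orders"},
    "auditor": {"read:drawings", "read:orders", "read:audit_log"},
}

# Constructed user directory (user -> role).
USER_ROLES = {"alice": "engineer", "bob": "sales", "carol": "auditor"}


@dataclass
class AuditRecord:
    """One line of the access log: who tried what, when, and the outcome."""
    timestamp: datetime
    user: str
    action: str
    allowed: bool
    reason: str


@dataclass
class AccessController:
    """Enforces ROLE_PERMISSIONS and records every decision (Access Control
    plus Audit and Accountability: denied requests are logged too)."""
    audit_log: list = field(default_factory=list)

    def request(self, user: str, action: str, when: datetime) -> bool:
        role = USER_ROLES.get(user)
        if role is None:
            allowed, reason = False, "unknown user"
        elif action in ROLE_PERMISSIONS[role]:
            allowed, reason = True, f"permitted by role {role}"
        else:
            allowed, reason = False, f"not permitted for role {role}"
        self.audit_log.append(AuditRecord(when, user, action, allowed, reason))
        return allowed


def find_violations(log, max_denials=3, window=timedelta(minutes=10)):
    """Review the audit log. Returns users with at least `max_denials`
    denied requests inside any sliding `window`, and every unknown user
    that attempted access. Thresholds are assumptions for this example."""
    denials = defaultdict(list)
    unknown = set()
    for rec in log:
        if rec.allowed:
            continue
        if rec.reason == "unknown user":
            unknown.add(rec.user)
        denials[rec.user].append(rec.timestamp)

    repeated = []
    for user, times in denials.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_denials:
                repeated.append(user)
                break
    return {"repeated_denials": sorted(repeated), "unknown_users": sorted(unknown)}


def run_sample() -> AccessController:
    """Replay a constructed sequence of access attempts and return the
    controller so its audit log can be reviewed."""
    ac = AccessController()
    t0 = datetime(2022, 11, 23, 9, 0)
    events = [  # (user, action, minutes after t0)
        ("alice", "read:drawings", 0),    # engineer reading drawings: allowed
        ("bob", "read:drawings", 1),      # sales reading drawings: denied
        ("bob", "read:drawings", 2),      # denied again
        ("bob", "write:drawings", 3),     # third denial within 3 minutes
        ("carol", "read:audit_log", 4),   # auditor reading the log: allowed
        ("mallory", "read:orders", 5),    # not in the directory: denied
        ("alice", "write:orders", 30),    # one isolated denial: not flagged
    ]
    for user, action, minutes in events:
        ac.request(user, action, t0 + timedelta(minutes=minutes))
    return ac


if __name__ == "__main__":
    controller = run_sample()
    for rec in controller.audit_log:
        print(rec.timestamp.time(), rec.user, rec.action,
              "ALLOW" if rec.allowed else "DENY", rec.reason)
    print(find_violations(controller.audit_log))
```

The point of logging both outcomes is that the review step only works if denials are recorded alongside successes; a log of successful access alone would never show bob probing drawings he is not permitted to read.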
There are many requirements put in place that government contractors must remain compliant with. However, this will just get your foot in the door. To maintain compliance for future years, government contractors must be proactive in preparing for future waves of regulation.
Future Cybersecurity Requirements for Government Contractors
According to the Department of Defense, plans are already in place to gradually shift away from the NIST 800-171 framework to the CMMC framework.
It is estimated that by 2026, contractors looking to do business with the DoD will require CMMC compliance.
Since the rollout of DFARS 252.204-7012, three new pieces of regulation have recently been introduced to commence the 5-year phased rollout of the CMMC. While they are not yet requirements, they will be in the future, and as a result, it’s important to prepare for the transition.
DFARS 252.204-7019 (The “Crawl” Phase of CMMC)
DFARS 252.204-7019 is put in place to prepare government contractors for the gradual shift to the CMMC framework.
It says that if you are working under a contract that includes DFARS 252.204-7012, you will be required to conduct an assessment of your compliance and submit the resulting summary level score (Basic, Medium, or High) into the DoD’s Supplier Performance Risk System (SPRS).
You must also ensure that your summary level score remains current and no older than three years throughout the life of your contract.
DFARS 252.204-7020 (The “Walk” Phase of CMMC)
DFARS 252.204-7020 notifies you that you need to be prepared for the possibility of a government audit. In addition, if you have any subcontractors that handle CUI, you must ensure that they have also uploaded their assessments into the SPRS.
You should be aware of a few requirements of DFARS 252.204-7020. The first is that government agencies will begin to require a Basic Assessment Score from companies wishing to be awarded contracts.
It also states that if you are awarded a contract, you may run into a scenario where the DoD eventually requires a Medium or High Score Assessment. If this is the case, you will be responsible for allowing the DoD access to your facilities, systems, and personnel.
The regulation makes it clear that if you have any subcontractors, you will also need to include a clause in any “subcontracts or contractual instruments” and ensure that they maintain compliance with SPRS reporting.
DFARS 252.204-7021 (The “Run” Phase of CMMC)
DFARS 252.204-7021 is the final phase that officially requires CMMC compliance to be awarded a government contract. This is expected to take effect on October 1, 2025. Before this date, the Office of the Under Secretary of Defense for Acquisition and Sustainment [OUSD(A&S)] is required to approve that any new acquisitions meet CMMC requirements.
It also requires that any company awarded a government contract maintains the CMMC certification required throughout its contract. This also will remain the case for any subcontractors.
It is highly encouraged that any company seeking a government contract take the time to research potential assessors who can help you in your path to CMMC compliance.
If you’re wondering where to get started, you should be aware that the CMMC Accreditation Body (CMMC-AB) currently has a marketplace website and holds the title of “the only authoritative source for entities authorized to perform CMMC assessments.”
By the Numbers: Cybersecurity for Government Contractors
According to recent research by Zippia (verified against the Bureau of Labor Statistics), over 5,294 government contractors are currently employed with the United States federal government.
Now, it should be no surprise that government contracting is fiercely competitive. But competition isn’t the only obstacle. Entities seeking government contracts must meet stringent requirements to qualify for employment with government agencies. This compliance, naturally, often requires a great deal of legwork and effort that many companies find difficult to undertake.
While many companies already have various protocols in place, there is a specific set of requirements and regulations which must be painstakingly adhered to in order to qualify for employment with a federal agency.
It’s no secret that government contracts are highly sought after. As a result, the marketplace is extremely competitive.
One surefire way to give your application the extra edge it needs is by going above and beyond regarding cybersecurity protocols.
While transitioning from the NIST 800-171 framework is inevitable, implementing the standards remains an essential step in your journey to becoming CMMC compliant.
Fortunately, the National Institute of Standards and Technology offers companies several nifty resources on their website to aid their efforts. These resources include:
- A CUI Plan of Action Template, which can help structure your efforts to record your compliance journey and is formatted in a way that can be easily transferred into project management systems;
- A CUI SSP Template, which serves as high-level documentation of your system and its compliance journey; and
- A Mapping Framework that provides a detailed mapping between the NIST Cybersecurity Framework (CSF) subcategories and NIST 800-171’s CUI requirements.
However, the truth is that it is easy to become overwhelmed by the prospect of compliance. Furthermore, determining whether you’ve met every regulation and control detail (no matter how ambiguous), including the various nuances, can be daunting.
As a result, many companies seek guidance from a trusted third party to ensure they have checked all necessary boxes.
VisioneerIT is a trusted company that can help guide and advise you throughout the process.
Contact us if you’re interested in learning more about how we can help secure government contractors through proper cybersecurity protocol.