In an ongoing effort to provide consistent security and dissemination controls for government data flowing through non-federal systems, contractors to the General Services Administration (GSA), both primes and their subs, will soon be expected to adhere to Executive Order 13556 “Controlled Unclassified Information”.
The Department of Defense (DoD) was the first executive branch to align with EO13556 through the Defense Federal Acquisition Regulations DFARS 252.204-7012 and its call for its contractors to implement protections for Controlled Unclassified Information (CUI) as defined in NIST SP 800-171. The intent is to ensure appropriate collaboration between authorized parties by managing “inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions through a CUI Registry”. The registry is maintained by the National Archives and Records Administration.
On November 28 2017, NIST published SP 800-171A – “Assessing Security Requirements for Controlled Unclassified Information.” Designed to “help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in Special Publication 800-171”, this guideline streamlines the assessment process and helps those organizations struggling with compliance.
The anticipated broadening of federal contractor cybersecurity obligations beyond DoD and into the GSA occurred when adherence to General Services Acquisition Regulation (GSAR) was proposed in January 2018. It is expected that the scope of the new regulation will follow DFARS 252.204-7012 to include cybersecurity requirements for internal, external, mobile and “cloud systems” following applicable FedRAMP controls.
Regulation 327 GSAR Case 2016-G511, Information and Information Systems Security “mandate contractors protect the confidentiality, integrity, and availability of unclassified GSA information” in accordance with the Federal Information Security Modernization Act (FISMA). Regulation 327 further states, “This rule will require contracting officers to incorporate applicable GSA cybersecurity requirements within the statement of work to ensure compliance with Federal cybersecurity requirements and implement best practices for preventing cyber incidents. These GSA requirements mandate applicable controls and standards (e.g. U.S. National Institute of Standards and Technology, U.S. National Archive and Records Administration Controlled Unclassified Information standards).”
Government solicitations may soon prove to be additional overhead for some organizations or for others, an opportunity to gain a competitive advantage. During the evaluation process, those that fail to meet minimum requirements (or struggle to do so) will be deemed inferior or disqualified altogether. Conversely, those exceeding the minimum requirements may well be favored given all other criteria being equal.
The implications are not trivial. Annually, the GSA contracts are worth well above $40 billion across +16500 entities, each with individual GSA schedules and solicitation responses that could be affected. In the same manner that the GSA has followed the DoD, the Department of Homeland Security, governed by Homeland Security Acquisition Regulation (HSAR) will most likely be the next of several other agencies to follow.