On January 12, 2018, GSA (General Services Administration) posted a request for public comment regarding updates to the General Services Administration Acquisition Regulation that will include new cybersecurity compliance and reporting requirements for federal contractors that access data on unclassified systems.
Two regulations in particular will affect Tripwire customers that do business with GSA:
327. General Services Administration Acquisition Regulation (GSAR); GSAR Case 2016-G511, Information and Information Systems Security
328. General Services Administration Acquisition Regulation (GSAR); GSAR Case 2016-G515, Cyber Incident Reporting
Regulation 327 for IT contractors that access unclassified systems will mandate that “contractors protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities, and threats in accordance with the Federal Information Security Modernization Act (FISMA) of 2014 and associated Federal cybersecurity requirements.”
This appears to be exactly in line with DoD’s move to codify FISMA compliance for Controlled Unclassified Information (CUI) in the DFARS, so it seems likely that any new compliance requirements to help meet this guideline will be something similar to DoD contractor requirements around NIST SP 800-171.
Regulation 328 requires timely breach reporting if and when a contractor system has been successfully compromised. Contractors will then be required to report on this incident if “the confidentiality, integrity, or availability of GSA information or information systems are potentially compromised or where the confidentiality, integrity, or availability of information or information systems owned or managed by or on behalf of the U.S. Government is potentially compromised.”
This will also require GSA contracting officers to have cyber incident reporting requirements within GSA contracts, as well as orders placed on GSA multiple award contracts.
The challenge of this requirement is having the resources to recognize a breached/compromised system when it happens. Products that can monitor systems for unauthorized changes and compliance adherence go a long way toward helping companies prepare for the upcoming changes.
Adding in vulnerability scanning to discover and remediate systems that have known vulnerabilities will help make sure systems stay secure.
When can GSA contractors expect these requirements to be enforced?
Given that the comment periods for the two cyber-related regulations close in June and October 2018, respectively, we are encouraging our customers who support GSA to assess their current capabilities/resources immediately.
I expect that GSA’s contractors might be challenged most in the same areas as their DoD counterparts. Based on feedback from Tripwire customers, the greatest struggle in meeting the 800-171 deadline was meeting the 14 “families” of security requirements for protecting the confidentiality of controlled unclassified information.
I expect these 14 security requirements to return in this civilian contractor rendition, as well.
Once these have been finalized, expect Tripwire to add them to the Tripwire Enterprise Policy Manager, which currently contains more than 1,000 policy/platform combinations. These policies help continuously monitor and harden IT systems and provide guidance on how to maintain compliance.
Tripwire already provides out-of-the-box policy compliance testing for PCI, HIPAA, NERC CIP, SOX, COBIT, FISMA, DISA STIGs, FedRAMP, NIST/FISMA, NIST SP 800-171, NIST SP 800-53, NIST SP 800-82, and many others.