Federal contractors may soon be required to meet heightened information security requirements under two new proposed rules issued by the General Services Administration (GSA). The first proposed rule, GSAR Case 2016-G511 “Information and Information Systems Security,” will require that federal contractors “protect the confidentiality, integrity and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities and threats in accordance with the Federal Information Security Modernization Act of 2014 and associated Federal cybersecurity requirements.” This proposed rule builds on the cybersecurity requirements the Department of Defense recently imposed on its contractors through DFARS clause 252.204-7012, which became effective at the end of 2017.
Like other emerging data security regulations, such as the GDPR, the NY DFS cybersecurity regulation, the DFARS rule and HIPAA, the proposed rule reaches well beyond the contractor's own network: it will apply to “internal contractor systems, external contractor systems, cloud systems and mobile systems.” It will mandate compliance with applicable controls and NIST standards. If, as expected, the proposed rule mirrors the DFARS rule (which requires contractors to flow its safeguarding and reporting obligations down to subcontractors), contractors may also need to establish a vendor management program to verify that subcontractors are complying with the applicable standards, or risk losing their federal contractor status.
A second proposed rule, GSAR Case 2016-G515 “Cyber Incident Reporting,” will require contractors to report any cyber incident “where the confidentiality, integrity or availability of GSA information or information systems are potentially compromised.” Because a potential compromise is enough to trigger the obligation, this definition resembles the HIPAA breach reporting standard and is broader than the reporting requirements under most state breach notification laws, which generally require an actual unauthorized acquisition of or access to personal information. The proposed rule does not set a timeframe for reporting cyber incidents; the timeframe will be established later, along with the required contents of incident reports and the points of contact for filing them. The proposed rule will also require contractors to preserve images of affected systems and will impose training requirements for contractor employees. The proposed rule is scheduled to be released in August 2018, and the public will have 60 days to comment on it.
Information security and cyber incident reporting regulations are proliferating quickly, both in the US and worldwide, and are beginning to align around a set of basic requirements: a written information security plan, security controls that adhere to NIST, ISO or another well-known standard, breach reporting obligations, and a duty to ensure that subcontractors comply with the applicable controls. The new proposed GSA rules continue the trend toward a set of generally accepted principles for information security.