There are kinks in the chain — the supply chain. And after several high-profile cybersecurity breaches over the past few years, the federal government continues to crack down on potential risks with new rules and regulations that affect government agencies and contractors.
The proposal of a new Federal Acquisition Regulation (FAR) rule — which would mandate contractors and service providers supporting US government agencies to meet enhanced cybersecurity requirements, along the lines of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program — is the latest representation of this.
Currently, anyone handling sensitive information for the government is obligated to meet 15 basic cybersecurity requirements. The proposed changes aim to raise cybersecurity standards and align them more closely with the National Institute of Standards and Technology (NIST) Special Publication 800-171, which is already a requirement for Department of Defense (DoD) contractors that handle sensitive government information. How compliance will be measured and monitored remains unclear; if it tracks with the DoD CMMC program, there could be a mix of third-party assessment requirements and self-reporting.
Although these new expanded compliance measures will improve cyber and data security in the federal supply chain, many government agencies still face their own challenges. They operate on legacy systems and outdated network infrastructures, which may not meet modern, stringent security and compliance reporting requirements. Add in the rise of remote work and the use of external networks and devices, and you risk having multiple access points that are less secure. Because federal networks are interconnected and agencies rely on contractors and third-party vendors to handle government data correctly and securely, ensuring the integrity of the entire ecosystem is both critical and challenging.
Zero-Trust Networking
The new requirements to move toward zero-trust networking are bringing to light just how much ground government agencies must make up. One of the biggest obstacles is the need for continuous monitoring. Network security requires an ongoing process to detect threats, vulnerabilities, and potential breaches. Many agencies lack the resources, tools, and expertise to monitor their networks effectively in real time and respond promptly to emerging threats.
How should government contractors and agencies prepare for their respective security and compliance requirements?
The impending proposal of a FAR rule that introduces CMMC-like regulations for all contractors who handle sensitive government information highlights the increasing importance of enhanced network security and regulatory compliance across the federal supply chain. While this will help reduce the cybersecurity risk from contractors, US government agencies still have to address their own challenges in meeting current security and compliance requirements, starting with the steps above. This means that contractors and federal agencies must be proactive and stay ahead of the regulatory curve.
Protecting sensitive government information is paramount; it can be done by aligning cybersecurity requirements and incorporating established frameworks, such as those published by NIST. By leveraging automation tools to perform security and compliance audits and by implementing principles that support a zero-trust mindset, contractors and agencies can successfully adapt to the evolving cybersecurity landscape and contribute to a safer ecosystem.