There are kinks in the chain — the supply chain. And after several high-profile cybersecurity breaches over the past few years, the federal government continues to crack down on potential risks with new rules and regulations that affect government agencies and contractors.
The proposal of a new Federal Acquisition Regulation (FAR) rule — which would mandate contractors and service providers supporting US government agencies to meet enhanced cybersecurity requirements, along the lines of the Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program — is the latest representation of this.
Currently, anyone handling sensitive information for the government is obligated to meet 15 basic cybersecurity requirements. However, the proposed changes aim to elevate cybersecurity standards and align them more closely with the National Institute of Standards and Technology (NIST) Special Publication 800-171, which is already a requirement for Department of Defense (DoD) contractors that handle sensitive government information. It is still unclear how compliance will be measured and monitored; if it tracks with the DoD CMMC program, there could be a mix of third-party assessment requirements and self-reporting.
Although these new expanded compliance measures will improve cyber and data security in the federal supply chain, many government agencies still face their own challenges. They operate on legacy systems and outdated network infrastructures, which may not meet modern, stringent security and compliance reporting requirements. Add in the rise of remote work and the use of external networks and devices, and you risk having multiple access points that are less secure. Given the interconnected nature of federal networks and the reliance on contractors and third-party vendors to correctly and securely handle government data, ensuring the integrity of the entire ecosystem is one part critical and one part challenging.
The new requirements to move toward zero-trust networking are bringing to light just how much ground government agencies must make up. One of the biggest obstacles is the need for continuous monitoring. Network security requires an ongoing process to detect threats, vulnerabilities, and potential breaches. Many agencies lack the resources, tools, and expertise to effectively monitor their networks in real time and respond promptly to emerging threats.
How should government contractors and agencies prepare for their respective security and compliance requirements?
- Prioritize all network devices. It's become a habit to assess for vulnerabilities only at the perimeter. Our recent study of cybersecurity professionals across US military, federal government and critical national infrastructure revealed that 96% of organizations prioritize configuring and auditing firewalls but not routers or switches. This means that only 4% assess switches and routers, leaving these devices exposed to potentially significant and unidentified risks. According to zero-trust best practices, it is essential to assess all these devices to prevent lateral movement across networks.
- Segment networks. Implementing network segmentation can mitigate the impact of a potential breach by compartmentalizing sensitive information and limiting lateral movement within the network. By segregating networks based on access levels and data classification, organizations can reduce the possible attack surface and minimize the impact of a breach.
- Utilize compliance audits and assurance automation tools. This is one way for contractors and agencies to prepare for audits. Regular assessments should be conducted to identify vulnerabilities, assess risks, and ensure compliance with network security requirements. These assessments can identify gaps in network security controls and allow for prompt remediation. Using tools that provide exact technical fixes for misconfigurations is also essential.
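As an added illustration of the audit automation described in the steps above (not a tool from the original article or its authors), this Python script checks a constructed, IOS-style router configuration against a few baseline rules and emits the exact remediation commands for each failure. The configs, rule set and command syntax are assumptions for illustration, not a complete NIST SP 800-171 control mapping.

```python
import re

# Constructed IOS-style configs for illustration; no real device or agency data.
WEAK_CONFIG = """\
hostname edge-rtr-01
no service password-encryption
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""
HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
aaa new-model
snmp-server community EXAMPLE-COMMUNITY RO
line vty 0 4
 transport input ssh
"""

def rule_password_encryption(cfg):
    """Stored passwords must not be kept in the clear."""
    if re.search(r"^no service password-encryption$", cfg, re.M):
        return ["service password-encryption"]

def rule_default_snmp_community(cfg):
    """Default SNMP community strings expose the device to anyone on the network."""
    found = re.findall(r"^snmp-server community (public|private)\b", cfg, re.M)
    return [f"no snmp-server community {c}" for c in found] or None

def rule_telnet_on_vty(cfg):
    """Remote management lines must accept SSH only, never cleartext telnet."""
    header, fixes = None, []
    for line in cfg.splitlines():
        if line.startswith("line vty"):
            header = line  # remember which vty block the fix applies to
        elif header and line.strip().startswith("transport input") and "telnet" in line:
            fixes += [header, " transport input ssh"]
    return fixes or None

def rule_aaa_enabled(cfg):
    """Centralized authentication (AAA) must be turned on."""
    if not re.search(r"^aaa new-model$", cfg, re.M):
        return ["aaa new-model"]

RULES = {"password-encryption": rule_password_encryption, "aaa-enabled": rule_aaa_enabled,
         "default-snmp-community": rule_default_snmp_community, "telnet-on-vty": rule_telnet_on_vty}

def audit(cfg):
    """Return {rule_name: [exact remediation commands]} for every rule the config fails."""
    return {name: fix for name, rule in RULES.items() if (fix := rule(cfg))}
```

Run `audit()` over every router and switch config in the inventory, not only the firewalls, so the same findings and fixes are produced for the devices the study found go unassessed.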
The impending proposal of a FAR rule that introduces CMMC-like regulations for all contractors who handle sensitive government information highlights the increasing importance of enhanced network security and regulatory compliance across the federal supply chain. While this will help reduce the cybersecurity risk from contractors, US government agencies still have to address their own challenges in meeting current security and compliance requirements, starting with the steps above. This means that contractors and federal agencies must be proactive and stay ahead of the regulatory curve.
Protecting sensitive government information is paramount and can be done by aligning cybersecurity requirements and incorporating established frameworks, such as NIST. By leveraging automation tools to perform security and compliance audits and by implementing principles that support a zero-trust mindset, contractors and agencies can successfully adapt to the evolving cybersecurity landscape and contribute to a safer ecosystem.