On January 12, 2018, GSA (General Services Administration) posted a request for public comment regarding updates to the General Services Administration Acquisition Regulation that will include new cybersecurity compliance and reporting requirements for federal contractors that access data on unclassified systems.

Two regulations in particular will affect Tripwire customers that do business with GSA:

327. General Services Acquisition Regulation (GSAR); GSAR Case 2016-G511, Information and Information Systems Security

328. General Services Administration Acquisition Regulation (GSAR); GSAR Case 2016-G515, Cyber Incident Reporting

Regulation 327 for IT contractors that access unclassified systems will mandate that “contractors protect the confidentiality, integrity, and availability of unclassified GSA information and information systems from cybersecurity vulnerabilities, and threats in accordance with the Federal Information Security Modernization Act (FISMA) of 2014 and associated Federal cybersecurity requirements.”

This appears to be exactly in line with DoD’s move to codify FISMA compliance for Controlled Unclassified Information (CUI) in the DFARS, so it seems likely that any new compliance requirements to help meet this guideline will be something similar to DoD contractor requirements around NIST SP 800-171.

Regulation 328 requires timely breach reporting if and when a contractor system has been successfully compromised. Contractors will then be required to report on this incident if “the confidentiality, integrity, or availability of GSA information or information systems are potentially compromised or where the confidentiality, integrity, or availability of information or information systems owned or managed by or on behalf of the U.S. Government is potentially compromised.”

This will also require GSA contracting officers to have cyber incident reporting requirements within GSA contracts, as well as orders placed on GSA multiple award contracts.

The challenge of this requirement is having the resources to recognize a breached/compromised system when it happens. Products that can monitor