diff --git a/index.md b/index.md index 2ba7a98..0e27d23 100644 --- a/index.md +++ b/index.md @@ -118,7 +118,7 @@ For purposes of this guidance, “cyber incident” means actions taken through Timely contractor reporting of all cyber incidents involving the loss of confidentiality, integrity, or availability of data is critical to the Government’s ability to determine appropriate response actions and minimize harm from incidents. During the Councils’ consultation with agencies, it was determined that agency contracts often lack language governing when and how contractors are required to report information security incidents when they occur and when and how contractors should provide notification of breaches to affected individuals and third parties. At a minimum, agency contractual language regarding incident reporting shall include the following: - * Language to indicate that a cyber incident that is properly reported by the contractor shall not, but itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for CUI; + * Language to indicate that a cyber incident that is properly reported by the contractor shall not be interpreted as evidence that the contractor has failed to provide adequate information safeguards for CUI; * The definition of what constitutes a cyber incident; * The required timeline for first reporting to the agency; * The types of information required in a cyber incident report to include: company and point of contact information, contract information, the type of information compromised; 
@@ -129,12 +129,7 @@ The specific requirements included in the contractual language shall be based on In determining the appropriate timeline and reporting information, agencies shall comply with Federal law, relevant OMB policies, and NIST standards and guidelines. Agencies must also consider the sensitivity of the information stored by the contractor, the potential damage caused by delays in reporting, the requirements in the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) Federal Incident Notification Guidelines,[^7] or other risk factors, as deemed appropriate by an agency. -At a minimum, contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) within the timeline agreed upon in the contract. All known cyber incidents in contractor internal systems must be reported if they involve the CUI in the system, but the contractor does not have to report all known or suspected cyber incidents. In addition to reporting to the SOC, the contractor shall also report the security incident to the: - - * Contracting Officer (CO); - * Contracting Officer Representative (COR); - * Chief Information Security Officer (CISO); and - * Senior agency official for privacy (SAOP). +At a minimum, contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) within the timeline agreed upon in the contract. 
All known cyber incidents in contractor internal systems must be reported to the contracting office of the affected agency and/or organization if they involve the CUI in the system, but the contractor does not have to report all known or suspected cyber incidents. #### 3. Information System Security Assessments As part of the organization’s risk management process,[^8] contractors that are operating information systems or providing a service that generates, maintains, transmits, stores, or accesses information on behalf of Federal agencies are required to ensure certain safeguards and an Authority to Operate (ATO) are in place prior to operation of the system per NIST SP 800-37.[^9] If possible, based on a risk assessment and a review of existing ATOs granted to the contractor by the agency, agencies should use relevant existing ATOs an indication of common controls and capabilities for the performance of multiple contracts. Finally, many contractors operating in the commercial marketplace already receive a variety of independent assessments to protect other data and these should inform an ATO process that meets NIST standards and guidelines. 
@@ -165,7 +160,7 @@ Due to the increase and complexity of information security incidents, and the ne While existing contracts may direct the contractor to self-report required ISCM information to the agency, this approach may no longer be sufficient. Agencies and contractors must therefore work together to determine and implement an appropriate solution that fulfills the ISCM requirements. Agencies should work with DHS to ensure that the proposed solution fulfills the ISCM requirements identified in FISMA. -For systems not operated on behalf of the Government – contractor’s internal systems used to develop a product or service – continuous monitoring is part of the security assessment requirement in NIST SP 800-171. +For systems not operated on behalf of the Government – contractor’s internal systems used to develop a product or service – monitoring is part of the security assessment requirement in NIST SP 800-171. #### 5. Business Due Diligence Cybersecurity protections in Federal acquisitions can be further enhanced by performing increased business due diligence to gain better visibility into, and understanding of, how contractors develop, integrate, and deploy their products, services, and solutions as well as how they assure integrity, security, resilience, and quality in their operations. GSA has been working with agencies to explore and pilot the use of public records, publicly available, and commercial subscription data to support business due diligence analyses. Such analyses are consistent with the guidelines in NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, which calls for agencies to frame, assess, respond to, and monitor information and information system-related security and supply chain risks using a holistic, organization-wide risk management process.
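Review bot: in the @@ -118,7 +118,7 @@ hunk the fix drops the qualifier instead of correcting it; the removed line's "shall not, but itself, be interpreted" reads as a typo for "by itself", and that qualifier carries meaning (a properly reported incident is not evidence of inadequate safeguards on its own, but the agency is not barred from weighing it with other evidence). Suggest keeping it: `+ * Language to indicate that a cyber incident that is properly reported by the contractor shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for CUI;`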
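Review bot: the @@ -129,12 +129,7 @@ hunk removes a substantive requirement, not only the duplicated sentence: the "In addition to reporting to the SOC" lead-in and the four notification recipients (Contracting Officer, Contracting Officer Representative, CISO, senior agency official for privacy) are deleted with no explanation in the diff, leaving the CSIRT/SOC as the only named recipient for systems operated on behalf of the Government, while the unchanged following paragraph still routes contractor internal-system incidents to "the contracting office of the affected agency". If the intent is only to drop the duplicated "All known cyber incidents in contractor internal systems..." sentence from this paragraph, keep the bullet list; if the CO/COR/CISO/SAOP notification path is intentionally removed, state why, since that is a change in who must be told about an incident. While here, the surviving context sentence "must be reported ... but the contractor does not have to report all known or suspected cyber incidents" contradicts itself on its face; the intended contrast (all known incidents involving CUI, not suspected ones) should be spelled out.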
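Review bot: in the @@ -165,7 +160,7 @@ hunk dropping "continuous" from "continuous monitoring" changes the meaning without a stated reason; the preceding context uses ISCM for systems operated on behalf of the Government, so if the goal is to avoid implying that contractor internal systems fall under the agency's FISMA ISCM program, say so in the commit message and consider "ongoing monitoring of security controls" rather than the bare "monitoring", which no longer says what is monitored or how often. Suggest: `+For systems not operated on behalf of the Government – contractor’s internal systems used to develop a product or service – ongoing monitoring of security controls is part of the security assessment requirement in NIST SP 800-171.`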