diff --git a/index.md b/index.md index c27b674..e3b9aa3 100644 --- a/index.md +++ b/index.md 
@@ -117,10 +117,12 @@ For purposes of this guidance, “cyber incident” means actions taken through Timely contractor reporting of all cyber incidents involving the loss of confidentiality, integrity, or availability of data is critical to the Government’s ability to determine appropriate response actions and minimize harm from incidents. During the Councils’ consultation with agencies, it was determined that agency contracts often lack language governing when and how contractors are required to report information security incidents when they occur and when and how contractors should provide notification of breaches to affected individuals and third parties. At a minimum, agency contractual language regarding incident reporting shall include the following: - * Language to indicate that a cyber incident that is properly reported by the contractor shall not, but itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for CUI; + * Language to indicate that a cyber incident that is properly reported by the contractor shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for CUI; * The definition of what constitutes a cyber incident; * The required timeline for first reporting to the agency; - * The types of information required in a cyber incident report to include: company and point of contact information, contract information, the type of information compromised; + * The types of information required in an initial cyber incident report to include: company and point of contact information, contract information, the type of information compromised; + * The required types and timeline for follow-up reporting to the agency, such as incident status and incident closure; + * The types of information required in follow-up cyber incident reports; * The contractor shall send only one report to each agency POC identified in the contracts, not a report for 
each contract from that agency. The report may contain information required by other agencies, so one report may satisfy the requirements of multiple agencies; and * Specific government remedies if a contractor fails to report according to the agreed upon contractual language. 
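Review bot: The two new follow-up bullets leave the single-report rule ambiguous. The unchanged bullet "The contractor shall send only one report to each agency POC identified in the contracts, not a report for each contract from that agency" was written when the list covered one report; now that the list distinguishes an initial report from follow-up status and closure reports, it should say whether the one-report-per-POC rule applies to each follow-up report as well (e.g. "only one initial report and one of each follow-up report to each agency POC"). Also, the hunk changes "a cyber incident report" to "an initial cyber incident report" but leaves the earlier bullet as "The required timeline for first reporting to the agency"; use "initial" in both so the initial/follow-up distinction is consistent.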
@@ -128,7 +130,7 @@ The specific requirements included in the contractual language shall be based on In determining the appropriate timeline and reporting information, agencies shall comply with Federal law, relevant OMB policies, and NIST standards and guidelines. Agencies must also consider the sensitivity of the information stored by the contractor, the potential damage caused by delays in reporting, the requirements in the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) Federal Incident Notification Guidelines,[^7] or other risk factors, as deemed appropriate by an agency. -At a minimum, contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) within the timeline agreed upon in the contract. All known cyber incidents in contractor internal systems must be reported if they involve the CUI in the system, but the contractor does not have to report all known or suspected cyber incidents. In addition to reporting to the SOC, the contractor shall also report the security incident to the: +At a minimum, contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) within the timeline agreed upon in the contract. All known cyber incidents in contractor internal systems must be reported if they affect CUI in the system, but the contractor does not have to report known or suspected cyber incidents that do not affect CUI. 
In addition to reporting to the SOC, the contractor shall also report the security incident to the: * Contracting Officer (CO); * Contracting Officer Representative (COR); 
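Review bot: The rewritten sentence on contractor internal systems opens a gap for suspected incidents. The new text reads "All known cyber incidents in contractor internal systems must be reported if they affect CUI in the system, but the contractor does not have to report known or suspected cyber incidents that do not affect CUI": the first clause requires only known incidents, while the exemption covers known or suspected ones, so a suspected incident that affects CUI is neither required nor exempted. The preceding sentence in the same paragraph requires "all known or suspected cyber incidents" for systems operated on behalf of the Government; suggest "All known or suspected cyber incidents in contractor internal systems must be reported if they affect CUI in the system" so that the two halves of the sentence, and the two classes of system, use the same standard.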
@@ -136,14 +138,14 @@ At a minimum, contractual language shall ensure that all known or suspected cybe * Senior agency official for privacy (SAOP). #### 3. Information System Security Assessments -As part of the organization’s risk management process,[^8] contractors that are operating information systems or providing a service that generates, maintains, transmits, stores, or accesses information on behalf of Federal agencies are required to ensure certain safeguards and an Authority to Operate (ATO) are in place prior to operation of the system per NIST SP 800-37.[^9] If possible, based on a risk assessment and a review of existing ATOs granted to the contractor by the agency, agencies should use relevant existing ATOs an indication of common controls and capabilities for the performance of multiple contracts. Finally, many contractors operating in the commercial marketplace already receive a variety of independent assessments to protect other data and these should inform an ATO process that meets NIST standards and guidelines. +As part of the organization’s risk management process,[^8] contractors that are operating information systems or providing a service that generates, maintains, transmits, stores, or accesses information on behalf of Federal agencies are required to ensure certain safeguards and an Authority to Operate (ATO) are in place prior to operation of the system per NIST SP 800-37.[^9] If possible, based on a risk assessment and a review of existing ATOs granted to the contractor by the agency, agencies should use relevant existing ATOs an indication of common controls and capabilities for the performance of multiple contracts. Finally, many contractors operating in the commercial marketplace already receive a variety of independent assessments to protect other data and these may be used to inform an ATO process that meets NIST standards and guidelines. 
Agencies should consider the following when developing the requirements for assessing information systems that a contractor is operating on behalf of Federal agencies: * Agencies should first use Federal Information Processing Standard (FIPS)-199[^10] to assess the impact level of the data that is to reside in the contractor’s information system in order to determine what types of controls should be applied, followed by determining whether it is appropriate to obtain an independent security assessment; * Agencies may accept independent third-party verification of security assessment results, contractor, or government assessment evidence based on its risk assessment; * The assessment of privacy controls must be performed by the SAOP; and - * After performance under the contract has begun, agencies shall ensure agencies are granted access for security reviews on a periodic and event-driven basis for the life of the contract. + * After performance under the contract has begun, agencies and contractors shall ensure agencies are granted access for security reviews on a periodic and event-driven basis for the life of the contract. Security assessments not only confirm that contractors are maintaining their security posture; they also allow the agency to validate the maintenance of the previously performed independent assessment. 
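Review bot: A missing word survives in a line this hunk already rewrites. Both the removed and the added versions of the paragraph say "agencies should use relevant existing ATOs an indication of common controls and capabilities"; since the hunk touches this line for the "should inform" to "may be used to inform" change, fix it here as "use relevant existing ATOs as an indication of common controls and capabilities". The added sentence at the end of the bullet list, "they also allow the agency to validate the maintenance of the previously performed independent assessment", is also hard to parse; something like "they also let the agency confirm that the controls verified by the earlier independent assessment are still in place" says what is meant.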
@@ -154,7 +156,7 @@ The agency should specify that the contractor will afford the agency access to t The agency should then review the contractor’s sanitization certification to make sure any risk has been mitigated. To the extent that a contractor generated, maintained, transmitted, stored, or processed PII, the SAOP should review the certification. -Agencies should identify in the contract solicitation how they expect the contractor to demonstrate in its proposal that it meets the requirements of NIST SP 800-171, including the security assessment for contractor internal systems. This can range, depending upon the impact level of the information at risk, from simple attestation of compliance to detailed description of the system’s security architecture, controls, and provision of supporting test data. +In contract solicitations for services that could be met through the use of a contractor's internal system, agencies should identify how they expect the contractor to demonstrate in its proposal that it meets the requirements of NIST SP 800-171, including the security assessment for contractor internal systems. This can range, depending upon the impact level of the information at risk, from simple attestation of compliance to detailed description of the system’s security architecture, controls, and provision of supporting test data. #### 4. Information Security Continuous Monitoring Due to the increase and complexity of information security incidents, and the need to react quickly, the Federal Government has prioritized Information Security Continuous Monitoring (ISCM), an initiative identified in NIST SP 800-53 and OMB Memorandum M-14-03.[^12] ISCM is defined in NIST SP 800-137[^13] “as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions” but is not limited to a specific program or technology. 
To assist agencies in establishing ISCM capabilities quickly, the DHS has created the Continuous Diagnostics and Mitigation (CDM) program and much of the information reported under ISCM is required under existing OMB guidance. If the agency determines that providing the DHS CDM capabilities to a contractor operating information systems on behalf of the Government is not feasible, the contract must ensure that at a minimum:
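Review bot: Two style points on the added solicitation sentence. "In contract solicitations for services that could be met through the use of a contractor's internal system" pairs "services" with "met"; requirements are met, services are provided, so suggest "for services that could be provided using a contractor’s internal system" or "for requirements that could be met through the use of a contractor’s internal system". The same line also uses a straight ASCII apostrophe in "contractor's" while the rest of the document, including "system’s" in the unchanged remainder of that sentence, uses the typographic apostrophe; match the existing convention.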