Preparing for federal supply chain security standardization
In 2021, the Biden Administration published the Executive Order on Improving the Nation’s Cybersecurity (EO 14028), setting off an agency-wide security initiative with the ultimate objective of standardizing security requirements across the Department of Defense (DoD) and the Federal Civilian Executive Branch (FCEB) supply chain.
For organizations contracting with FCEB agencies, implementing basic cyber hygiene practices starting now is critical and will be a competitive differentiator over the next few years.
Standardizing security to protect federal networks
For companies within the defense industrial base (DIB), the Cybersecurity Maturity Model Certification (CMMC) has been a watchword since 2019. Changes in leadership and to the framework itself create consternation, confusion, and challenges. The FCEB agency supply chain should prepare for upcoming changes to the federal contracting process and future cybersecurity compliance requirements.
Executive Order 14028
EO 14028 was the catalyst for the FCEB supply chain cybersecurity initiatives. Within the context of the Federal Acquisition Regulation (FAR), EO 14028 directed several agencies to review the standardized contract language around cybersecurity requirements.
The proposed joint rule
In Fall 2022, the DoD, General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) proposed a joint rule under the Federal Acquisition Regulation (FAR) to apply the National Archives and Records Administration (NARA) Controlled Unclassified Information (CUI) program uniformly across all Federal contracts. Specifically, the proposed rule states:
This rule is one element of a larger strategy to improve the Government’s efforts to identify, deter, protect against, detect and respond to increasingly sophisticated threat actions targeting Federal contractors.
Although no further action has been taken on this proposed rule, it foreshadows greater oversight and security attestations across the entire contractor base.
Reading the regulatory tea leaves
Businesses that ignore the cybersecurity compliance harbingers are the ones that will find themselves losing business-critical contracts. Companies should note the significance of the phrase “larger strategy to improve” in the proposed rule. Read alongside EO 14028’s initiatives, it shows that applying CUI rules uniformly is only the first step.
Currently, the National Institute of Standards and Technology (NIST) is reviewing its Special Publication (SP) 800-171, the framework defining how organizations can achieve CMMC certification.
These revisions point to a wider adoption of the NIST SP 800-171 and 800-53 controls, meaning that organizations contracting across the FCEB supply chain should start reviewing their current security posture in preparation.
Cost-efficient security-first compliance
Companies that work with FCEB agencies or with FCEB contractors should start thinking about the costs associated with compliance. While these compliance initiatives may take a few years to become a reality, organizations should recognize how much time and money it takes to implement policies, processes, and technologies.
While estimated costs vary widely depending on a company’s size and business model, most practitioners agree that the overall costs to prepare for the CMMC audit range from $20,000 – $60,000. However, these numbers do not include the costs of outsourcing a gap assessment or of the audit itself.
To appropriately budget for the inevitable audits, organizations across the FCEB supply chain should build out plans to uplevel their security posture over the next two to four years.
Phase One: Identifying CUI
The data protection initiatives across the FCEB supply chain will likely mirror the ones that apply to the DIB. In other words, contractors need to identify two types of information:
- Federal Contract Information (FCI): Non-public information collected, created, or received as part of a government contract.
- Controlled Unclassified Information (CUI): Information specifically marked or identified as covered by the CUI program.
Identifying CUI is the core of all agency supply chain cybersecurity initiatives, yet it remains one of CMMC’s most hotly contested issues.
First, CUI applies to twenty groupings, each containing multiple CUI categories. For example, within the Proprietary Business Information grouping are the following CUI categories:
- Entity Registration Information
- General Proprietary Business Information
- Ocean Common Carrier and Marine Terminal Operator Agreements
- Ocean Common Carrier Service Contracts
- Proprietary Manufacturer
- Proprietary Postal
Additionally, agencies do not always clearly identify or mark CUI, which is a current frustration across the DIB. Companies that expect cybersecurity compliance requirements to become part of their contracts should start identifying CUI now.
The key issue for most companies managing CUI is that the entity or individual who creates it is responsible for protecting and handling it. While the agency should guide companies about what information is and is not CUI, it does not always provide this guidance to a contractor. As organizations seek to achieve the compliance posture required to maintain a contract, they often err on the side of caution, assuming that information is CUI rather than leaving it unmarked and risking a compliance violation.
Phase Two: Isolating CUI
Most organizations try to isolate CUI from other data as much as possible. By doing this, they reduce the audit scope and the costs associated with it. Assuming that the FCEB supply chain requirements parallel the CMMC requirements, organizations want to minimize the number of systems that interact with CUI. As they prepare for the inevitable cybersecurity compliance requirements, they should be looking for technologies that give them control over data when sharing it internally and externally.
By isolating CUI, organizations can focus their monitoring activities more precisely, enabling them to pay extra attention to this data. Isolation can include anything from network segmentation to implementing a secure workspace used only by the employees and contractors who work with protected data. For example, a workspace leveraging end-to-end encryption (E2EE) might be used only by the business units that handle CUI. By using a secure communications technology that protects CUI from the moment someone creates it, the organization maintains control over how the data is protected, even when sharing it with external third parties (like its FCEB agency customer).
Shrinking CUI’s footprint across the company’s systems reduces both cybersecurity risk and audit costs.
Phase Three: Maintaining control over data
Fundamentally, organizations need to ensure that they maintain control over CUI, no matter who uses it. In a digitally collaborative world, the “share with a link” functionality often means that companies lose control over what people do with information once it leaves their network and environment.
While traditional enterprise technologies offer settings that help mitigate these risks, configuring them can be burdensome. Further, even with these settings configured, the organization may still be unable to maintain total control over what external parties do with files or folders.
Any technology implemented should enable the organization to control and document:
- User access to CUI, including files and documents
- Devices used to access CUI, including location and browser
- When someone accessed CUI, including date and time of day
- What users can do with the files and folders, including downloading, viewing, commenting, or editing
- Revocation of access, including user and device
Secure CUI to achieve compliance
As a business objective, any organization that wants to maintain a lucrative contract will need to secure CUI. Organizations within the FCEB supply chain need to assume that they will face the same challenges as their peers within the DIB.
The federal government has clearly indicated that it intends to improve its own security by focusing on its supply chain issues, so waiting until a written mandate appears simply means that companies have less time over which they can spread out costs. By beginning their preparations now, they can ultimately reduce the financial burden while achieving their business, security, and compliance goals.