GSA Proposes Changes to Federal Contractor Cyber Security Rules

Stronger GSA Federal Contractor Cyber Security Rules Are Coming

The General Services Administration (GSA) is planning to tighten up federal contractor cyber security requirements regarding sensitive non-classified data, according to a Federal Register Notice dated January 12. The rules would cover internal contractor systems, external contractor systems, cloud systems, and mobile systems.

Technically, the proposed rules aren’t “new.” The GSA wants to update the General Services Administration Acquisition Regulation (GSAR) to include existing GSA federal contractor cyber security requirements that did not previously go through the rulemaking process. This would allow the GSA the benefit of receiving public comments and ensure that the final rules are included in subsequent updates to the GSAR. There will be two public comment periods; the public can comment on the information security rules from April to June 2018 and on the incident response rules from August to October.

In addition to tightening up reporting requirements for federal contractor cyber security breaches, the new rules would require federal contractors to protect sensitive non-classified information in accordance with the Federal Information Security Modernization Act (FISMA) and the National Institute of Standards and Technology (NIST) requirements. Specifically, all federal contractors would be required to adhere to NIST SP 800-171 security requirements, just as DoD contractors are now required to do under DFARS, which went into effect on December 31. Applying NIST SP 800-171 requirements to all federal contractors would ensure uniformity in cyber security requirements and reporting.

Understanding NIST SP 800-171

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is 81 pages long and outlines 110 security controls across 14 categories, including:

  • Access control
  • Employee awareness and training
  • Configuration management
  • Risk assessment
  • Security assessment
  • Incident response

The crux of NIST SP 800-171 is that it applies to information that is unclassified yet sensitive. Under the GSA’s proposed rules, federal contractors that already handle classified information will have to extend their existing security controls to cover the additional systems that process sensitive unclassified data, much as DoD contractors had to do to comply with DFARS. Contractors that do not currently handle classified data will have considerably more work to do; some will need to rework their security controls from the ground up to meet NIST SP 800-171.

While these rules have not yet been enacted, there is every reason to believe that the GSA’s proposal will be approved in some form. Complying with a new, tougher set of standards will be challenging, but in the end it will benefit federal contractors. Right now there is no uniformity to federal contractor cyber security standards; they are set by individual agencies. The GSA’s new standards would apply uniformly across GSA acquisitions, which means that contractors who do business with multiple federal agencies through GSA would have to follow only one set of rules.

Is your organization compliant with all of the controls in NIST SP 800-171? Compliance can be complex, which is why it’s best to enlist the help of a professional IT audit and cyber security firm such as Continuum GRC. We create sustainable NIST 800-171 based compliance partnerships with our clients. Our proven methodology and project plan, powered by our proprietary IT Audit Machine IRM GRC software solution, will help you achieve compliance on budget and on schedule.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

5 Best Practices for Complying with SEC, NFA FINRA Cyber Security Standards

Complying with SEC, NFA FINRA Cyber Security Standards

The SEC, the NFA and FINRA have all indicated that they will put heavy emphasis on cyber security enforcement throughout 2018. While FINRA is explicit – among other things, it publishes a cyber security checklist and a detailed report on best practices – the SEC’s guidance is far more general. This causes some confusion among affected companies regarding how to develop controls and internal policies in line with SEC, NFA and FINRA cyber security standards.

Owing to different data environments, risks, and vulnerabilities, the precise details of SEC, NFA and FINRA cyber security compliance will vary at every enterprise, but there are a few general best practices that all organizations should adhere to:

Use an Integrated Risk Management Approach to Policymaking

FINRA states in its Report on Cybersecurity Practices that “A sound governance framework with strong leadership is essential,” and the SEC focuses on “governance and risk assessment” during its cyber security examinations. Organizations should develop their SEC, NFA and FINRA cyber security policies using an integrated risk management (IRM) approach. IRM eliminates silos and fosters a top-down, data-centric, risk management-based culture throughout the organization.

Have Clear, Consistent Security Policies

In its latest risk alert, the SEC reported that nearly all of the firms it examined had written cyber security policies. However, most of them had issues, such as contradictory or vague policies and policies that were not being uniformly enforced. Security policies and procedures must be clear, consistent, and make sense in light of the organization’s data environment and its particular vulnerabilities and risks.

Conduct Regular Risk Assessments

FINRA considers risk assessments to be “foundational tools” in firms’ cyber security arsenals. Because the threat environment is continually changing, organizations must perform risk assessments on a regular basis to ensure that their technical controls and their SEC, NFA and FINRA cyber security policies and procedures remain up to date.

Conduct Regular Employee Security Training

An organization’s biggest security vulnerability is its own people; most of the time, attackers break into systems not through brute-force attacks but through social engineering schemes such as phishing emails. For this reason, the SEC, the NFA and FINRA all emphasize the importance of well-trained employees in preventing cyber attacks. Cyber security awareness training should be conducted on a regular and ongoing basis.

Make Sure Your Business Associates Are Secure

Over 60% of enterprise data breaches are traced back to third-party vendors of larger organizations, and SEC, NFA and FINRA cyber security standards do not allow companies to pass the buck if one of their business associates is breached. FINRA’s report specifically instructs organizations to “manage cybersecurity risk exposures” by “exercising strong due diligence across the lifecycle of their vendor relationships,” and the SEC looks at “vendor management” during its examinations.

5 Reasons Why Your Enterprise Should Put IRM Before GRC

Gartner Is Shifting Its Focus Toward IRM, and You Should, Too

Over the summer, Gartner announced that it was moving its focus away from GRC and launching a new Magic Quadrant for integrated risk management, or IRM:

IRM enables simplification, automation and integration of strategic, operational and IT risk management processes and data. IRM goes beyond the traditional, compliance-driven GRC technology solutions to provide actionable insights that are aligned with business strategies, not just regulatory mandates.

Is this, as Gartner calls it, the end of the GRC era? Yes and no. Gartner’s announcement is part of a larger market shift towards adopting a risk-based, data-centric approach throughout the enterprise before any GRC or cyber security activities begin. This has always been the most prudent, proactive way to approach GRC and cyber security; if you do not understand what data you have, where it resides, and how it’s being processed and stored, it’s impossible to secure it. IRM also offers numerous advantages that go beyond better GRC and cyber security.

“The data-centric risk focus has been the foundation of our services and solutions since the company was founded,” said Michael Peters, CEO. “You can trace this back to the year 2000, when I first embarked on my life’s work to change the industry and disrupt the dominant paradigms for risk management and cyber security.”

Following are five reasons why organizations should embrace an IRM-first approach to data governance, compliance, and security.

IRM Eliminates Silos & Promotes a Security-Focused Culture

In a digital world where every employee operates a computer, cyber security and compliance are now everyone’s responsibility, from the C-suite down to the reception desk, and even extending to third-party vendors. IRM fosters a top-down, security-focused and risk management-based culture throughout the organization, eliminating silos and enabling organizations to identify situations where a risk factor in one area affects other areas.

IRM Improves Effectiveness & Cuts Costs

IRM identifies redundancies and inefficiencies in organizational GRC and cyber security, allowing organizations to eliminate processes that add no value, allocate funds and human resources more effectively, improve GRC and cyber security functions on all levels, and free up employees to work on projects that further the organization’s goals.

IRM Uncovers Opportunities

Risk isn’t always negative; businesses need to take risks to grow. By integrating risk management into overall organizational strategy, IRM treats risk management as a business driver, not a business cost. It allows organizations to see how risk management, compliance, and data security can further their business goals and uncovers opportunities to take calculated risks.

IRM Allows Organizations to Rapidly Respond to a Changing Regulatory Environment

The EU’s new General Data Protection Regulation (GDPR) is arguably the most sweeping data privacy law to date – and it is highly unlikely to be the last. As more transactions are digitized, more massive breaches on the scale of Equifax and Uber will occur, and consumers in the U.S. will pressure federal and state governments to enact similar protections. Organizations that take an IRM-based approach will be in a better position to comply with new data privacy legislation. Additionally, they will enjoy a competitive advantage in a market where customers are aware of data security risks and demanding that their data be handled securely.