The National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines—including minimum requirements for federal information systems. At the end of February, NIST released its Final Draft of Special Publication (SP) 800-171A—Assessing Security Requirements for Controlled Unclassified Information.

First proposed in November 2017, the publication means to provide agencies and contractors with guidance regarding how to conduct assessments under the prominent cybersecurity standard NIST SP 800-171—Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This standard acts as the foundation for how contractors must protect all forms of Controlled Unclassified Information (CUI).

Continue Reading Final Draft of NIST SP 800-171A Still Open for Comments

In mid-January, the General Services Administration (GSA) released its Semiannual Regulation Agenda. Within this agenda, GSA announced plans to update requirements in the General Services Administration Acquisition Regulation (GSAR)—concerning reporting cyber incidents that potentially affect GSA or its contractors.

The agency will be turning to the Federal Information Security Modernization Act of 2014 (FISMA), along with other cyber regulations, as a model on how to update its policies. These updates would be improvements to the existing cyber incident reporting policy within GSA Order CIO 9297.2—i.e. GSA Information Notification Policy. By integrating these updated policies into the GSAR, contracting officers would be required to include cyber incident reporting requirements within all of their procurement contracts.

Continue Reading General Services Administration Announces Plans to Update Cybersecurity Requirements for Contractors

  • MoneyGram and Ant Financial mutually terminate $1.2 billion proposed merger
  • CFIUS’s concerns focused on cyber and information security
  • Scrutiny of buyers’ information security processes is likely to increase

On January 2, 2018, U.S.-based MoneyGram International announced that its proposed acquisition by Ant Financial, a Chinese company owned by Alibaba, was being blocked by the U.S. Committee on Foreign Investment in the United States (CFIUS). CFIUS is the U.S. government’s inter-agency committee tasked with reviewing foreign entities’ purchases of and investments in U.S. companies when the transaction could pose a threat to U.S. national security.

Continue Reading CFIUS Continues Focus on Information Security, Blocks Chinese Acquisition of MoneyGram

As recent malware, ransomware and distributed denial of service attacks have made clear, the cyber threats posed to governments and commercial entities are real and growing. Critical infrastructure such as power plants, airports and communication systems is vulnerable to attacks on the cyber battlefield, as are banks, manufacturers, and law firms, among other commercial entities. In an attempt to address these risks, the U.S. government is imposing heightened cybersecurity requirements on contractors, some of which are summarized below. But, in light of the growing cyber threats posed by nation states, subnational groups and bored teenagers, even companies that are not subject to these new requirements should evaluate the sufficiency of their current cybersecurity protocols and consider taking steps such as the simplified four-step “starter plan” – train, maintain, test and repeat – laid out below to address vulnerabilities.

Continue Reading DoD’s Efforts to Secure Information on Contractor Systems Continues, But All Companies Are at Risk and Should Take Steps Now to Protect Themselves