Baseline Cybersecurity Requirements for Federal Contractors

Federal contractors are held to extremely high information security standards. With the recent introduction of new “Basic Safeguarding” standards for contractor information systems, many firms will find their contracts with the federal government terminated unless they can verify compliance.

The new rules will apply to contractors working with federal agencies including the Department of Defense, General Services Administration, and NASA. Various requirements for ensuring compliance are now spelled out in the Federal Acquisition Regulation.

Fifteen new specifications have been spelled out in six categories:

Access Control

Information systems access should be limited to authorized users, processes that act on behalf of those users, or devices – which can include other information systems.

• • Information system access should be limited to those types of functions and transactions that authorized users should be permitted to execute.
• • Systems must verify and control connections to and the use of external data (“information.”)
• • Systems must identify users, processes, and devices accessing and using information systems.
• • Information posted or processed through publicly available systems should be controlled.

Identification and Authentication

Information systems access should be limited to authorized users, processes that act on behalf of those users, or devices – which can include other information systems.

• • Organizations must authenticate the identities of users, processes, or devices as a prerequisite to providing access to organizational information systems.
• • They must destroy or otherwise “sanitize” information system media containing sensitive contract data before disposal or reuse.

Media Protection

Organizations must limit to authorized personnel only the physical access to information systems, their equipment, and the operating environment involved.

Physical Protection

• • Organizations must maintain audit logs of physical access, maintain control and manage access to physical devices, and escort all visitors and monitor their activities.
• • They must control, protect, and maintain the appropriate monitoring of organizational communications – such as data transmitted or received at the organizational boundaries (external and internal.)

System and Communication Protection

• • Organizations must implement subnetworks for those system components that are accessible to the public and logically or physically separated from the internal network.
• • They must identify, report, and correct flaws in covered information systems in a prompt and timely way.

System and Information Integrity

• • Organizations must provide protection from malicious code throughout the organization’s information systems.
• • They must update protections for malicious code whenever new releases are available.
• • They must perform periodic scans of the information system as a whole and real-time scans of files received from external sources (e.g. when downloaded, executed, or opened.)

ISSQUARED offers two managed security services to help organizations meet these requirements:

SIEM As-a-Service

SOC As-a-Service

Understanding Managed SIEM

Timely notification of critical security events is the key focus of the SIEM. Managed security services make it possible to leverage existing virtualized architecture to host the SIEM without having to deploy in-house expertise for building, managing, and maintaining it.

With compliant managed security services, key services like reporting, alerting, configuring, and fine-tuning related functionality are performed by experts. This cost-effective, OpEx-focused model furnishes capabilities at a small fraction of what in-house expertise would cost.

Understanding SOC as a Service

Most compliance standard have at their core a strict monitoring requirement – that is, a cybersecurity expert must periodically review event logs. Managed security services help you to scale this intensive requirement at a reasonable cost via an outsourcing model.

When comparing SOC vendors, it’s essential to focus on those with U.S.-based operations and staff. Due to the sensitive nature of so much federal contractor data, regulations may bar you from using managed security services that are based in other countries.

When you approach regulatory compliance challenges from the perspective of managed security services, you can reach and maintain world class standards. Doing so does not require capital outlay, costly hiring, or a resource-intensive recruitment process.

With ISSQUARED, your new compliance and reporting capabilities can be up and running fast.