Data Security Requirements for Federal Contractors

by Patrick Knight | Aug 03, 2018

Approaching data security requirements for federal contractors

Federal contractors are private entities that fulfill governmental needs. As such, they are trusted with sensitive, private federal information, which makes them obvious targets for cyber attacks. The government has recently ramped up data security requirements for federal contractors, demanding more software, hardware and accountability from them.

Recent changes in data security requirements for federal contractors

Data security requirements for federal contractors are complicated and stringent. The Security and Privacy Controls document for federal IT is 462 pages long with 109 specific security requirements – and that’s not to mention various supplementary compliance publications. Beginning in 2018, contractors are expected to be compliant with new regulations laid out in NIST 800-171. You should have legal counsel and security experts to help you manage compliance, but here’s an overview of a few of the government’s recent data protection requirements:

  • Insider threat detection: The National Institute of Standards and Technology requires federal contractors to implement an insider threat program. It’s a given that employees pose a serious risk to federal information, so contractors are required to provide training on identifying and reporting insider threats. They can also deploy software to detect and assess insider risk to decrease their security risk level.
  • Encrypt high-level data sets: Until recently, many contractors didn’t have an effective classification system for their information. The new regulations require organizations to do a risk assessment across their data and provide proof of encryption for risk-prone data.
  • Report cyber incidents: Organizations working on behalf of the government are required to rapidly report all cyber incidents directly to the Department of Defense. The submission includes a detailed cyber incident report, the malicious software, and any media the DoD requests. Reports are required for any attacks on the system – not just the contract data – to help the DoD gauge overall risk to its information.
  • Access control policy: Contractors are also required to implement an access control policy. Users should be restricted from accessing sensitive data unless it directly relates to their job. Employers should set up alerts to be notified if those access controls are violated, and immediately investigate.
  • Monitor users: Contractors are now required to implement employee monitoring software to detect security risks. Approved software identifies suspicious user activity and detects unauthorized access. The technology can initiate undetected screen recording to capture a full picture of a suspicious incident. The software can also deploy multi-factor authentication and data encryption to boost security. Employee monitoring software can detect risk early on and alert management to intervene; it can even automatically shut down access and computer systems to prevent an attack.
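The access control and insider threat bullets above call for restricting users to the data their job requires and alerting when that rule is violated. The script below is an added example, not code from the original post or from Veriato: it checks constructed access-log lines against a hypothetical role-to-dataset map (default deny) and returns an alert record for every access the user's role does not justify, including accesses by users missing from the directory. The role map, user directory, log format and sample lines are all assumptions made for this illustration.

```python
import re
from collections import namedtuple

# Hypothetical role-to-dataset mapping (constructed for this example): the
# datasets each job role legitimately needs. Anything not listed is denied,
# which is the least-privilege / default-deny stance the policy describes.
ROLE_ACCESS = {
    "payroll_clerk": {"payroll"},
    "contract_engineer": {"contract_docs", "test_results"},
    "security_analyst": {"audit_logs"},
}

# Hypothetical user directory (constructed): user -> role.
USER_ROLES = {
    "alice": "payroll_clerk",
    "bob": "contract_engineer",
    "carol": "security_analyst",
}

# Constructed sample access-log lines in an assumed key=value format.
# They are not output of any real product. One line is deliberately malformed.
SAMPLE_LOG = """\
2018-08-01T09:02:11Z user=alice action=read dataset=payroll file=q3_summary.xlsx
2018-08-01T09:05:47Z user=bob action=read dataset=contract_docs file=sow.pdf
2018-08-01T09:06:02Z user=bob action=read dataset=payroll file=salaries.csv
this line is not a valid access record
2018-08-01T09:10:30Z user=dave action=read dataset=contract_docs file=sow.pdf
2018-08-01T09:11:15Z user=carol action=read dataset=audit_logs file=2018-07.log
2018-08-01T09:12:00Z user=alice action=write dataset=test_results file=run42.json
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dataset=(?P<dataset>\S+) file=(?P<file>\S+)$"
)

Violation = namedtuple("Violation", "ts user role dataset action reason")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_permitted(user, dataset):
    """Default deny: a user may touch a dataset only if their role lists it."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return dataset in ROLE_ACCESS.get(role, set())


def find_violations(log_text):
    """Return a Violation record for every access the policy does not allow.

    Malformed lines are skipped here; a production pipeline would count and
    surface them separately, since gaps in logging are themselves a risk.
    """
    violations = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if is_permitted(ev["user"], ev["dataset"]):
            continue
        role = USER_ROLES.get(ev["user"])
        reason = "unknown user" if role is None else "dataset not assigned to role"
        violations.append(
            Violation(ev["ts"], ev["user"], role, ev["dataset"], ev["action"], reason)
        )
    return violations


def format_alert(v):
    """Render a violation as a one-line alert for a ticket or SIEM feed."""
    return (f"ALERT {v.ts} user={v.user} role={v.role or '-'} "
            f"action={v.action} dataset={v.dataset} reason={v.reason}")


if __name__ == "__main__":
    # Run over the constructed sample: three accesses should be flagged.
    for v in find_violations(SAMPLE_LOG):
        print(format_alert(v))
```

Running it flags bob reading payroll data outside his role, dave (absent from the directory) reading contract documents, and alice writing test results. Each alert carries the timestamp, user, role and dataset an investigator needs to start the follow-up the policy calls for.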

Veriato provides government-compliant monitoring software that can help you meet requirements and create a secure workforce.

Growing threats to data security

As technology advances, so do the threats to it. More complex information systems can be more secure – but they also provide more risk points that insider threats and hackers can try to exploit. More government contracts and contractors widen the risk even further. As the Internet of Things is embraced by contractors, those attack points multiply. Phones, tablets, watches and speakers can all become sources of risk to sensitive government information. Additionally, escalating global conflicts mean more parties are interested in harming the government or the citizens whose data is in the custody of contractors.

The Department of Defense and the National Institute of Standards and Technology are constantly assessing the risk to information held by federal contractors. As technology becomes more intricate, contractors can expect more regulations and requirements to roll out when it comes to information security compliance.

Assessing Risk

The latest government regulations help contractors understand how to identify the risks posed to sensitive information. These organizations are held to a high security standard to protect not only the government, but also the citizens. Data security should be more than checking boxes every so often; it should be a way of operating a business. If federal contractors approach data security from a position of mitigating and managing risk, compliance will most likely follow.