Responding to recent data breaches and new information security threats, federal government agencies are promising to do more in 2015 to implement and require improved information security and protect against cyber threats, and contractors will play a critical role in this effort. In congressional testimony on April 22, the Office of Personnel Management’s (OPM) chief information officer told lawmakers that OPM plans to impose specific changes to protect sensitive information from cyber threats after two high-profile hacks exposed personal information of thousands of individuals seeking security clearances last year. OPM explained to Congress that it will require contractors to employ network architecture that segregates and firewalls sensitive data – such as classified data and personal identification information (PII) – from other less sensitive or non-sensitive data. The hearing comes in the wake of recent changes to federal law governing agencies’ obligations to secure and protect electronic data from cyber-attacks including theft, malware and espionage.
The Department of Defense (DoD) also recently released its cyber strategy announcing its commitment to strengthen its cybersecurity capabilities from both an internal protection perspective and as part of national defense strategies. DoD’s cyber strategy seeks to implement and manage five strategic goals:
- Build and maintain ready forces and capabilities to conduct cyberspace operations
- Defend the DoD information network, secure DoD data and mitigate risks to DoD missions
- Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyber-attacks of significant consequence
- Build and maintain viable cyber options and plan to use those options to control conflict escalation and shape the conflict environment at all stages
- Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability
Among many planned implementation measures, DoD intends to include heightened information security requirements for contractors handling DoD sensitive and classified information.
The testimony and strategy announcement highlight some of the government’s most critical concerns and priorities for preventing and neutralizing cyber threats. As GAO has pointed out in a report on cybersecurity, strategies are not entirely consistent across agencies. Contractor compliance is a key part of any data security strategy, and every government contractor should be both familiarizing itself with the evolving data security environment and looking for ways to optimize its ability to securely handle data and flexibly adapt to the various requirements agencies may impose to protect their assets. Contractors can get ahead of the curve by analyzing their current network architecture, identifying the types of sensitive information they gather and use, assessing whether information relating to government contracts is at risk based on current infrastructure and having processes in place for mitigating vulnerabilities. Contractors also should be aware of and ensure compliance with the various cybersecurity clauses in their contracts, including all agency notice requirements. Members of Thompson Hine’s Government Contracts and Privacy & Data Security groups can help contractors with these assessments.