This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Edits recommended by FireEye #27

Open
wants to merge 1 commit into
base: gh-pages
12 changes: 7 additions & 5 deletions index.md
Expand Up @@ -109,14 +109,14 @@ The agency’s CIO, CAO, Chief Information Security Officer, senior agency offic
To support these efforts and to move towards greater uniformity, the Federal Acquisition Regulatory Council will amend the Federal Acquisition Regulation (FAR) to provide for inclusion of contract clauses that address, as appropriate, the guidance covered in sections 1-4 below in Federal procurement solicitations and contracts.

#### 1. Security Controls
For systems operated on behalf of the Government, the agency must require the contractor system to meet the appropriate baseline in NIST SP 800-53 as modified by the agency to meet its risk management requirements. Use of NIST SP 800-53 will provide a consistent approach across agencies. For CUI, the moderate baseline for confidentiality should be applied and adjusted for any specific protection requirements required by law, regulation, or government wide policy. When the contractor is operating the system to process data from more than one agency, or when there are non-government customers (e.g., cloud service providers), the agency should review the risk management and tailoring processes in NIST SP 800-37 and SP 800-53, which provide mechanisms to accommodate these situations.
For systems operated on behalf of the Government, the agency must require the contractor system to meet the appropriate baseline in NIST SP 800-53 as modified by the agency to meet its risk management requirements. Use of NIST SP 800-53 will provide a consistent approach across agencies. Agencies shall encourage contractors to (i) adopt those controls identified in NIST SP 800.53 that are most likely to manage risk based on the threat environments of the agency and/or contractor and (ii) emphasize those controls that allow for rapid detection, response and containment of cyber incidents. For CUI, contractors should, at a minimum, apply the moderate baseline for confidentiality and adjust this baseline for any specific protection requirements required by law, regulation, government wide policy, and/or the unique threat environment of the contractor or agency. When the contractor is operating the system to process data from more than one agency, or when there are non-government customers (e.g., cloud service providers), the agency should review the risk management and tailoring processes in NIST SP 800-37 and SP 800-53, which provide mechanisms to accommodate these situations.

For contractors’ internal systems used to provide a product or service for the Government but incidentally contain CUI, the application of NIST SP 800-53 controls is generally not appropriate. NIST recently published NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Agencies should require contractors whose internal information systems will process CUI incidental to developing a product or service for the agency to meet the requirements of NIST SP 800-171 rather than NIST SP 800-53.

#### 2. Cyber Incident Reporting
For purposes of this guidance, “cyber incident” means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. Cyber incident reporting requirements for systems operated on behalf of the government and contractors’ internal systems are similar. The only distinction is that the reporting of cyber incidents affecting a contractor’s internal system is limited to incidents affecting CUI, not every cyber incident affecting the contractor system.

Timely contractor reporting of all cyber incidents involving the loss of confidentiality, integrity, or availability of data is critical to the Government’s ability to determine appropriate response actions and minimize harm from incidents. During the Councils’ consultation with agencies, it was determined that agency contracts often lack language governing when and how contractors are required to report information security incidents when they occur and when and how contractors should provide notification of breaches to affected individuals and third parties. At a minimum, agency contractual language regarding incident reporting shall include the following:
Timely contractor reporting of all cyber incidents involving the loss of confidentiality, integrity, or availability of data is critical to the Government’s ability to determine appropriate response actions and minimize harm from incidents. During the Councils’ consultation with agencies, it was determined that agency contracts often lack language governing when and how contractors are required to report information security incidents (are information security incidents distinct from cyber incidents?) when they occur and when and how contractors should provide notification of breaches (are breaches different from information security incidents and cyber incidents?) to affected individuals and third parties. At a minimum, agency contractual language regarding incident (does incident refer to information security incidents, cyber incidents and breaches? Are of these terms synonymous?) reporting shall include the following:

* Language to indicate that a cyber incident that is properly reported by the contractor shall not, but itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for CUI;
* The definition of what constitutes a cyber incident;
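Review bot: The parenthetical questions inserted into the reporting paragraph ("(are information security incidents distinct from cyber incidents?)", "(are breaches different from ...)", "(does incident refer to ...)") are reviewer comments, not document text, and should not be merged into index.md as written; raise them in the PR conversation instead and resolve them in the text itself, for example by using the single term "cyber incident" that the preceding paragraph already defines, or by adding a short definition of "breach" next to it. Two smaller points in the same hunk: the new sentence in the security-controls paragraph cites "NIST SP 800.53" while every other reference in the paragraph uses "NIST SP 800-53", so the citation should be normalized; and the unchanged context line "shall not, but itself, be interpreted" should read "shall not, by itself, be interpreted" and could be corrected while this paragraph is being edited.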
Expand Down Expand Up @@ -148,21 +148,23 @@ Agencies should consider the following when developing the requirements for asse

Security assessments not only confirm that contractors are maintaining their security posture; they also allow the agency to validate the maintenance of the previously performed independent assessment.

The agency should specify that the contractor will afford the agency access to the contractor’s facilities, installations, operations, documentation, databases, IT systems, devices, and personnel used in performance of the contract, regardless of location. Access shall be provided to the extent required to conduct an inspection, evaluation, investigation or audit and to preserve evidence of information security incidents. Finally, agencies should include contract language requiring that, prior to contract closeout, the contractor must:
The agency should specify that the contractor will afford the agency access to the contractor’s facilities, installations, operations, documentation, databases, IT systems, devices, and personnel used in performance of the contract, regardless of location. Access shall be provided to the extent required to conduct an inspection, evaluation, investigation or audit and to preserve evidence of information security incidents (same question as above: is an information security incident different from a cyber incident?). Finally, agencies should include contract language requiring that, prior to contract closeout, the contractor must:

* Certify and confirm the sanitization of government and government-activity-related files and information; and
* Submit the certification to the Contracting Contracting Officer following the template provided in NIST SP 800-88 Guidelines for Media Sanitization.[^11]
* Submit the certification to the Contracting Officer following the template provided in NIST SP 800-88 Guidelines for Media Sanitization.[^11]

The agency should then review the contractor’s sanitization certification to make sure any risk has been mitigated. To the extent that a contractor generated, maintained, transmitted, stored, or processed PII, the SAOP should review the certification.

Agencies should identify in the contract solicitation how they expect the contractor to demonstrate in its proposal that it meets the requirements of NIST SP 800-171, including the security assessment for contractor internal systems. This can range, depending upon the impact level of the information at risk, from simple attestation of compliance to detailed description of the system’s security architecture, controls, and provision of supporting test data.
Agencies should identify in the contract solicitation how they expect the contractor to demonstrate in its proposal that it meets the requirements of NIST SP 800-171, including the security assessment for contractor internal systems. This should include a description of the system’s security architecture, controls, and provision of supporting test data in varying levels of detail depending upon the level of information at risk.

#### 4. Information Security Continuous Monitoring
Due to the increase and complexity of information security incidents, and the need to react quickly, the Federal Government has prioritized Information Security Continuous Monitoring (ISCM), an initiative identified in NIST SP 800-53 and OMB Memorandum M-14-03.[^12] ISCM is defined in NIST SP 800-137[^13] “as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions” but is not limited to a specific program or technology. To assist agencies in establishing ISCM capabilities quickly, the DHS has created the Continuous Diagnostics and Mitigation (CDM) program and much of the information reported under ISCM is required under existing OMB guidance. If the agency determines that providing the DHS CDM capabilities to a contractor operating information systems on behalf of the Government is not feasible, the contract must ensure that at a minimum:

* Contractor-operated systems meet or exceed the information security continuous monitoring requirements identified in M-14-03; and
* The agency may elect to perform information security continuous monitoring and IT security scanning of contractor systems with tools and infrastructure of its choosing.

As CDM does not assess whether a system is already compromised, the agency may also require contractors to periodically evaluate their systems for indicators or other evidence of persistent threat actors.

While existing contracts may direct the contractor to self-report required ISCM information to the agency, this approach may no longer be sufficient. Agencies and contractors must therefore work together to determine and implement an appropriate solution that fulfills the ISCM requirements. Agencies should work with DHS to ensure that the proposed solution fulfills the ISCM requirements identified in FISMA.

For systems not operated on behalf of the Government – contractor’s internal systems used to develop a product or service – continuous monitoring is part of the security assessment requirement in NIST SP 800-171.
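Review bot: The rewritten proposal-requirements sentence changes the substance, not just the wording: the original allowed the demonstration to range "from simple attestation of compliance to detailed description", whereas the new text makes a description of the security architecture, controls and supporting test data mandatory in all cases, so the PR description should state that raising this floor is intended. The new sentence also drops "impact level" in favor of "level of information at risk", which is less precise; keep "impact level of the information at risk" so the criterion stays tied to the impact-level language used elsewhere in the document, and reword "a description of ... and provision of supporting test data" so that "provision" is not governed by "a description of". As in the earlier hunk, the parenthetical "(same question as above: is an information security incident different from a cyber incident?)" in the access-and-evidence paragraph is a review question and should be removed from the body before merge. The fix of "Contracting Contracting Officer" to "Contracting Officer" is correct.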