Like federal employees, federal contractors are waiting for agencies to explain exactly what the OPM data breach affecting 4 million employees means for them.
“Everyone’s on standby to find out if they are impacted,” said Pam Walker, senior director for homeland security at the information industry’s IT Alliance for Public Sector. “I know companies are working with OPM” and the Office of Management and Budget, which is preparing governmentwide cybersecurity guidance. Much of the governmentwide work, Walker notes, was in progress before the OPM breach.
Contractor representatives say they’re monitoring the National Archives and Records Administration, whose Information Security Oversight Office posted a proposed rule in the Federal Register last month to update policy detailing how agencies should designate, safeguard, disseminate and dispose of information that by law or regulation is sensitive but not formally classified.
The National Institute of Standards and Technology is planning by the end of June to release final guidance, called SP 800-171, on protecting sensitive government information on contractors’ computers. “This work began more than a year ago and is focused on controlled but unclassified information in nonfederal information systems and organizations,” said spokeswoman Evelyn Brown.
At the Defense Finance and Accounting Service, spokesman Tom LaRock told Government Executive Wednesday that “while DFAS doesn't discuss specific security measures taken to protect our customer's Personally Identifiable Information, protection of that data is our top priority. We continually monitor our systems for unauthorized intrusions and continually update our cybersecurity tools and capabilities.”
“Additionally, we maintain a page on our public website where our customers can read about the latest DFAS-targeted email scams that cybercriminals are using in an attempt to gain customer's PII; and can also read tips on how they can protect their PII and themselves online,” LaRock said.
The IT Alliance’s Walker noted that the Pentagon is updating acquisition regulations aimed at safeguarding unclassified controlled technical information held in contractor computers and databases.
In March, the Homeland Security Department, whose network surveillance tool EINSTEIN detected the OPM breach, updated its own acquisition regulations for handling sensitive information to put new requirements in contracts, Walker noted. “We’re hearing from contractors that the government is starting to publish different contract clauses, and we can expect the government to become more stringent” in required electronic security standards in such areas as encryption and user authentication.
Stan Soloway, president and CEO of the Professional Services Council, told Government Executive, “A discussion has been taking place for some time on how to appropriately hold companies accountable for information protection generally, without being unreasonable by setting an expectation beyond what can be met.”
Soloway likens cyberthreats to a “drug-resistant flu that it is constantly presenting new capabilities. It requires constant vigilance, and everyone has a responsibility, whether in the private sector or in government.” Tools must include not just software but workforce education, he said.
As for liability, Soloway cites as a precedent the 2002 Support Anti-terrorism by Fostering Effective Technologies Act, which granted liability protections for contractors using certain anti-terrorism technologies and offered incentives for their development. “It would be simple enough to say contactors have to maintain all responsibility for all information protection,” he posited. “But what if a company that is not a technology company uses widely available commercial software for their financial management system? Can they really be held accountable?”
The continuing investigation of how the OPM breach occurred, he said, is at the stage of finding the black box after an airline crash. “We just don’t have the information yet, and we will need some time to figure out if there was something that should have been done” by contractors.