Federal Agencies Increasing FISMA Security Requirements in Contracts and Grants to Respond to Mounting Cyber Security Threats


Organizations that obtain contracts or grants from the U.S. Government are required to implement internal IT security programs that meet FISMA requirements and associated ongoing continuous monitoring, risk management and reporting requirements.


Corporations, non-profit organizations and state government agencies that partner with Federal government agencies will need to determine how best to comply with these new and more rigorous information security and privacy requirements.

SecureIT, a leading provider of cybersecurity services for government agencies, corporations and nonprofit organizations, reports a major trend in federal government contracting regarding information technology security. Aside from issuing new contracts and grants with increased security requirements, federal government agencies are issuing modifications to existing contract and grant holders that require these organizations to comply with the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), the Privacy Act, the National Institute of Standards and Technology (NIST) Risk Management Framework and the Federal Risk and Authorization Management Program (FedRAMP). Historically, contracts and grants for information technology related services included references to FISMA and possibly the federal agency’s IT security policy. However, the emerging trends indicate:

Federal agencies are being more specific regarding the security and privacy requirements, including the security controls to be implemented and the associated evidence of implementation and monitoring. For example, the Department of Health and Human Services (HHS), Centers for Medicare & Medicaid Services (CMS) issued new guidance in April 2013 and has begun to notify current contract holders;

Agencies are extending the scope to non-IT grants and contracts that may include processing or storage of any government-provided information or information collected on the public;

FISMA metrics defined by the Department of Homeland Security (DHS) and required of all federal agencies are being flowed down to agency contract and grant holders, which requires implementation of SCAP-compatible tools and production of monthly risk and compliance reports;

Contracts and grants that use cloud computing solutions must ensure the solution providers meet FedRAMP security requirements; and

In some cases, current contract and grant holders are provided an opportunity to determine and justify the cost impacts of the proposed modifications.

These steps are being taken in response to a number of factors, some of which include:

a) Recent cyber security attacks against major U.S. corporations and services such as Twitter, combined with the advanced persistent threats (APT) targeted at U.S. federal government agency information technology assets, have increased the urgency of determining risk and implementing security protections.

b) The Office of Management and Budget (OMB) along with the Department of Homeland Security (DHS) have defined a rigorous set of metrics on which to measure the effectiveness of U.S. government agency security programs. With federal agency use of contracted services for IT solutions, business process outsourcing, and data analysis, agencies must obtain these metrics from their vendors to report the overall posture to DHS.

c) Congress is currently in the process of approving amendments to FISMA that strengthen the recognition that the federal government computing environment is highly networked and extends beyond traditional borders. This requires new strategies to ensure effective Government-wide management and oversight of information security risks, including coordination with the private sector.

d) The Federal Government’s plan to reform information technology calls for a shift to contracted services for cloud computing solutions.

Federal agencies are in the process of determining how to appropriately specify cyber security and privacy requirements in contracts and grants with service providers and business partners. Each agency performs this activity based on the manner in which it has implemented its IT security program. Some agencies, such as the Department of Veterans Affairs (VA), have prepared checklists to aid in determining the security requirements applicable to contracts. Some acquisition best practices have surfaced to aid agencies through this process, supplementing revisions to the Federal Acquisition Regulation (FAR) to keep pace with the changing landscape of business and IT service models. Some federal agencies intend to extend the reach of their security operations centers by requiring the installation of monitoring equipment in contractors’ IT facilities to enable monitoring and periodic security vulnerability assessments.

Corporations, non-profit organizations and state government agencies that partner with Federal government agencies will need to determine how best to comply with these new and more rigorous information security and privacy requirements. Strategies may vary from hardening existing IT infrastructures and implementing compliant information security programs to selecting IT business partners that are already familiar with and provide IT solutions that already comply with U.S. federal government cybersecurity requirements.

SecureIT assists corporations, non-profits, and state/local government agencies to interpret requirements in contracts and grants and to devise cost-effective strategies that achieve compliance while aligning with overall business and IT strategic goals. SecureIT provides a suite of cybersecurity services and solutions to assist organizations to develop and implement compliant security programs; obtain authorization to operate (ATO) for contractor-owned IT systems that process U.S. government information; and perform continuous monitoring of networks, systems and security controls to manage risk and provide the evidence required by federal agencies.

About SecureIT

Understand the Threat. Implement your Strategy. Manage your Risk. Comply with Regulations.

SecureIT is a leading provider of cybersecurity management consulting and technical services to government agencies, corporations and non-profit organizations. Through its offering of security governance; risk management; engineering and operations; compliance; and training, SecureIT enables its customers to implement and operate a risk-based approach to managing information technology while achieving compliance with applicable security and privacy regulations. Built from a management consulting pedigree and combined with deep security expertise, SecureIT has the insights to identify opportunities, strategies, and solutions that enable our customers to mitigate risks and provide resilience while improving operational efficiency.


Contact Author

David Trout
(703) 230-0725