White House Plans to Regulate Contractor Computer Security
August 27, 2012
The Obama administration has drafted plans to require federal contractors to adopt specific cybersecurity safeguards for company equipment that transmits government information.
The proposed regulations come as the White House considers issuing an executive order that would regulate computer security at all critical businesses. Industry backlash stopped Congress from mandating such reforms.
NASA, the Defense Department and the General Services Administration, which purchases goods and services for agencies across government, released the draft rules Friday. Under the plan, doing business with the government would be contingent on agreeing to protect corporate-owned devices and federal data on websites.
This regulation “would add a contract clause to address requirements for the basic safeguarding of contractor information systems that contain or process information provided by or generated for the government (other than public information),” the proposal states.
The provision calls for only a few computer protections and leaves vendors substantial flexibility, which troubles some computer security experts. Specifically, the administration wants “current and regularly updated” malware blockers, such as antivirus or antispyware mechanisms, as well as “prompt” installation of software patches and other security updates. Federal data posted to company Web pages must be secured through passwords or other technological restrictions.
Information and equipment also would have to be sheltered by one physical element, such as a locked case, and one digital defense, such as a login.