Agencies could have a template for data breach contract clauses as early as this fall, according to a detailed draft policy.
Until now, federal standards, White House policies and governmentwide information security laws have offered departments and contractors a jumble of information security regulations from which to choose.
The new proposed provisions for “Improving Cybersecurity Protections in Federal Acquisitions” are meant to ensure government data is kept safe no matter whether it’s inside an agency-owned system or a corporate vendor’s system. The release, first previewed late last month, still leaves much of the exact language up to each agency’s discretion.
“The proposed guidance will strengthen government agencies’ clauses regarding the type of security controls that apply, notification requirements for when an incident occurs, and the requirements around assessments and monitoring of systems,” the draft states.
Contractors and other members of the public have until Sept. 10 to provide suggestions for changes to the policy. Individuals can submit comments on the community forum GitHub. After receiving feedback, the White House will issue final guidelines this fall.
Upon publication, the agency’s chief information officer, chief acquisition officer, chief information security officer, senior privacy officer, and other relevant officials “shall immediately begin working together to apply the guidance,” the proposal states.
If agencies fail to incorporate cyber clauses, the penalty is more carrot than stick. White House officials will sit down with agency leaders in face-to-face meetings, called CyberStat sessions, to discuss network information security lapses and assist them on improvements.
The proposal follows recently revealed deep…