The GSA Final Rule got a lot of attention in the government services sector as it solidified the requirements related to security and third parties. The Final Rule makes it clear that upon winning a contract and to continue the contract ongoing performance and attestation is required of the Security program. Specifically the language states the following:
“…the rule requires contractors, within 30 days after contract award to submit an IT Security Plan to the contracting officer and contracting officer’s representative that describes the processes and procedures that will be followed to ensure appropriate security of IT resources that are developed, processed, or used under the contract. The rule will also require that contractors submit written proof of IT security authorization six months after award, and verify that the IT Security Plan remains valid annually. Where this information is not already available, this may mean small businesses will need to become familiar with the requirements, research the requirements, develop the documents, submit the information, and create the infrastructure to track, monitor and report compliance with the requirements.”
While the idea of 3rd party audits and attestations is common practice in the private sector, there are a few interesting considerations that businesses should consider adopting as appropriate based on the type of vendor.
“…ensure appropriate security of IT resources that are developed, processed, or used under the contract…”
Businesses when setting up agreements with third parties should be engaged at the relationship discovery stage and upon contract. Specifically architect what are the appropriate security safeguards for the type of vendor and what will be the scope of processes of the vendor. This is becoming more present across the spectrum of industries, but the maturity of the above process is just emerging in mature organizations.
“…verify that the IT Security Plan remains valid annually…”
Business relationships must be managed. Operational and performance metrics exist for each vendor and if a vendor misses a contractual agreement, there are usual fines and contract adjustments that result. The management of vendor operational information security to the agreed upon plan should also be executed. This is a great opportunity to establish a routine, efficient, and appropriate validation / attestation process.
The takeaway here is that the practices securing businesses must evolve to address the introduced risks of third parties. There is a need to be balanced in the requests to vendors and so a progressive security plan that reflects the relationship is appropriate.
Other thoughts / Considerations?
//cc at IT Compliance and Controls