Hot on the heels of the OPM breach, which was likely made possible by weak security controls on a contractor network, the White House has issued a proposed set of baseline cyber security controls for contractors:

“The proposed guidance will strengthen government agencies’ clauses regarding the type of security controls that apply, notification requirements for when an incident occurs, and the requirements around assessments and monitoring of systems,” said the proposal from the Office of Management and Budget (OMB).
The new rules are part of a broad effort to secure government networks in the wake of a spate of cyberattacks at high-profile agencies and contractors.

In the recent digital assault on the U.S. government that exposed more than 22 million people’s data, suspected Chinese hackers were able to crack Office of Personnel Management networks after lifting a contractor’s security credentials.

That contractor, KeyPoint Government Solutions, is one of two major background check processors that were breached in separate incidents last year. The other contractor, U.S. Investigations Services, has since lost some of its government contracts.

Combined, the digital hits exposed files on roughly 70,000 federal employees, many of whom held security-clearance-level positions with the DHS.

With its updated guidelines, the administration is hoping to prevent future contractor breaches as the government increasingly turns to these outside companies “for a variety of information technology services,” the OMB said.

The White House believes part of the problem has been inconsistency in the data security standards for federal contracts.