Federal government contracting is a multi-billion-dollar industry in the United States. Companies provide a wide range of services to the federal government, ranging from information technology to janitorial services to management consulting. To the extent that any of these businesses exchange data with the federal government, they must comply with a wide range of cybersecurity laws and regulations.
In recent years, Congress and federal agencies have intensified their scrutiny of contractors' cybersecurity practices, in the aftermath of contractor Edward Snowden's leak of massive volumes of classified National Security Agency documents and the breach of millions of Americans' security clearance applications with the Office of Personnel Management. This chapter provides a broad overview of the laws and regulations that are most likely to affect the cybersecurity of government contractors.
In short, cybersecurity requirements for government contractors depend on the types of information they handle. All contractors that handle federal government information systems must comply with the recently overhauled Federal Information Security Management Act and the National Institute of Standards and Technology's Special Publication 800-53, which sets baseline requirements for cybersecurity of government information. Contractors that handle classified information must comply with much more stringent requirements set by the Defense Security Service in the National Industrial Security Program Operating Manual (NISPOM). Recently, government regulators have created new requirements for contractors that handle information that, while not classified, is considered sensitive enough to warrant protections beyond those in Special Publication 800-53. This new category, known as controlled unclassified information (CUI), likely will result in many federal contractors being required to significantly strengthen their cybersecurity practices.
8.1 Federal Information Security Management Act
In 2002, Congress passed the Federal Information Security Management Act (FISMA),1 which established a framework for agencies to manage their information security. In 2014, in light of the tremendously more complex web of cybersecurity threats, Congress overhauled FISMA with the passage of the Federal Information Security Modernization Act of 2014.2 FISMA's requirements affect not only the information security of government agencies but also their contractors and subcontractors.
FISMA delegates a great deal of responsibility for cybersecurity to individual federal departments and agencies, but it also centralizes many cybersecurity functions within the Office of Management and Budget and Department of Homeland Security. The Office of Management and Budget is charged with developing government-wide information security policies, standards, and guidelines, requiring agencies to adopt adequate information security protections, and coordinating with the National Institute of Standards and Technology on standards and guidelines (discussed below).3 The Department of Homeland Security is responsible for developing government-wide requirements on reporting security incidents, for annual agency cybersecurity reports, for risk mitigation requirements, for monitoring agency information security, and for providing operational and technical assistance to agencies.4
The updated FISMA also requires federal agency heads to take a number of steps to increase their agencies' cybersecurity. Among the responsibilities of each agency head are the following:
Implementing information security protections that are commensurate “with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of” information collected, used, or maintained by the agency or a contractor.
Ensuring that senior agency officials conduct information security risk assessments, implement necessary protections, and periodically test and evaluate information security controls.
Delegating information security compliance authority to agency chief information officers.
Overseeing agency information security training.
Annually reporting on the effectiveness of agency information security controls.
Holding all personnel accountable for complying with an agency-wide information security program.5
FISMA requires each agency to develop a comprehensive information security program that contains the following elements:
Periodic risk assessments.
Policies and procedures that are based on the risk assessments.
Subordinate plans for information security.
Security training for agency employees and contractors.
Annual testing and evaluation of information security policies and procedures.
Remedial action to correct security flaws.
Security incident detection, reporting, and response procedures.
Continuity of operations plans for information systems.6
Notably, the updated FISMA requires agencies to “expeditiously” notify the House and Senate Judiciary Committees of data breaches.7 The notices must be provided within thirty days of discovery of the breach, and must include:
a general description of the breach,
an estimate of the number of individuals whose information was disclosed,
an assessment of the risk of harm to those individuals,
a description of any circumstances that require a delay in notifying affected individuals, and
an estimate of when the agency will notify individuals.8
8.2 NIST Information Security Controls for Government Agencies and Contractors
FISMA delegates responsibility for specific information security standards to the National Institute of Standards and Technology (NIST), an agency within the U.S. Department of Commerce. NIST has produced a number of detailed standards for various aspects of information security at government agencies and their contractors. Perhaps the two most influential NIST documents are Federal Information Processing Standards 200 and NIST Special Publication 800-53 (SP 800-53), which set baseline requirements for information security controls. These documents constitute the baseline information security standard for the federal government and its contractors and subcontractors that operate federal information systems. More sensitive information, such as classified information and defense information, is covered by even more stringent requirements, discussed later in the chapter.
Under FIPS 200, agencies and contractors must implement minimum information security requirements. To implement these minimum information security requirements, agencies and contractors must select from security controls that are listed in SP 800-53. SP 800-53 is nearly 500 pages, and details dozens of security controls. Organizations select from the menu of controls based on whether their information systems are classified as low-impact, moderate-impact, or high-impact (with higher impact systems receiving the more stringent controls). Below is a list of the seventeen minimum information security requirements from FIPS 200, along with some of the corresponding categories of security controls as stated in SP 800-53:
Access control. Agencies and contractors must ensure that only authorized users, processes, and devices are permitted to access information systems. Security control categories include the following:
Access control policy and procedures
Account management
Access enforcement
Information flow enforcement
Separation of duties
Least privilege
Unsuccessful log-on attempts
System use notification
Previous logon notification
Concurrent session control
Session lock
Session termination
Supervision and review of access control
Permitted actions without identification or authentication
Security attributes
Remote access
Wireless access
Mobile access
External information system use
Information sharing
Publicly accessible content
Data mining protection
Awareness and training. Agencies and contractors must ensure that managers and personnel are adequately trained regarding information security. Security control categories include the following:
Security awareness and training policy and procedures
Role-based security training
Security training records
Contacts with security groups and associations
Audit and accountability. System audit records must enable monitoring, analysis, investigation, and reporting of unauthorized activity on an information system. Actions must be traceable to individual users. Security control categories include the following:
Audit and accountability policy and procedures
Audit events
Content of audit records
Audit storage capacity
Response to audit processing failures
Audit review, analysis, and reporting
Time stamps
Protection of audit information
Nonrepudiation
Session audit
Cross-organizational audit
Certification, accreditation, and security assessments. Periodic assessments of security controls will determine whether the current systems are effective and suggest corrections for deficiencies. Security control categories include the following:
Security assessments
System interconnections
Security certification
Continuous monitoring
Penetration testing
Configuration management. Federal agencies and contractors must establish and maintain baseline inventories and configurations of hardware, software, firmware, and other information systems. Security control categories include the following:
Baseline configuration
Configuration change control
Security impact analysis
Least functionality
Information system component inventory
Software usage restrictions
User-installed software
Contingency planning. Agencies and contractors are required to develop plans for operating information systems during emergencies, such as natural disaster, to ensure continuity of operations. Security control categories include the following:
Contingency plan
Contingency training
Contingency plan testing
Alternate storage site
Information system backup
Identification and authentication. Authorized users (and their devices and processes) must be accurately identified in order to prevent unauthorized access. Security control categories include the following:
Identification and authentication of organizational users
Device identification and authentication
Identifier management
Service identification and authentication
Incident response. Agencies and contractors must develop comprehensive plans to detect, contain, and respond to information security incidents and to report incidents to the appropriate officials and authorities. Security control categories include the following:
Incident response training
Incident response testing
Incident handling
Incident monitoring
Incident reporting
Incident response plan
Maintenance. Agencies and contractors must regularly maintain their information systems and security controls. Security control categories include the following:
Maintenance tools
Maintenance personnel
Timely maintenance
Media protection. Agencies and contractors must limit access to information system media to authorized users and permanently wipe information systems media before disposal. Security control categories include the following:
Media access
Media storage
Media sanitization
Media use
Media downgrading
Physical and environmental protection. Physical access to information systems must be restricted to authorized individuals. Organizations also must protect their information systems from environmental hazards and ensure that they have adequate environmental controls in the physical facilities that contain information systems. Security control categories include the following:
Physical access authorization
Monitoring physical access
Visitor access records
Emergency power
Fire protection
Temperature and humidity controls
Water damage protection
Planning. Information security plans must describe the security controls that the agency or contractor has implemented as well as the rules of behavior for those who access the information systems. Security control categories include the following:
System security plan
Rules of behavior
Privacy impact assessment
Central management
Personnel security. Agencies and contractors must take steps to ensure that employees and service providers who have access to information systems are trustworthy and meet specified security criteria. The organizations also should ensure that when an employee or service provider is transferred or terminated, the information systems are protected, and that personnel are formally sanctioned for failing to comply with information security policies and procedures. Security control categories include the following:
Personnel screening
Access agreements
Third-party personnel security
Risk assessment. Agencies and contractors must periodically conduct assessments of their information security, considering their operations, assets, and individuals. Security control categories include the following:
Security categorization
Vulnerability scanning
Technical surveillance countermeasures survey
System and services acquisition. Agencies and contractors must ensure that they have sufficient resources for information security, use a system development life cycle process for information security, restrict use and installation of software, and ensure that their third-party providers maintain adequate information security. Security control categories include the following:
Allocation of resources
Acquisition process
Software usage restrictions
User-installed software
Developer configuration management
Tamper resistance and detection
System and communications protection. Organizations must monitor and protect their information systems at external boundaries and key internal boundaries, and employ architectural designs, software development techniques, and systems engineering principles that promote information security. Security control categories include the following:
Security function isolation
Denial of service protection
Boundary protection
Transmission confidentiality
Cryptographic key establishment and management
Session authenticity
Covert channel analysis
System and information integrity. Agencies and contractors are required to identify, report, and correct flaws in the information system; protect information systems from malicious code; and monitor security alerts and advisories and respond appropriately. Security control categories include the following:
Flaw remediation
Malicious code protection
Information system monitoring
Software, firmware, and information integrity
Predictable failure prevention
8.3 Classified Information Cybersecurity
In addition to the general cybersecurity requirements of FIPS 200 and SP 800-53, contractors face heightened requirements if they are dealing with sensitive government information. The most restrictive requirements apply to contractors that handle classified information.
Cybersecurity requirements for contractors that handle classified government information are set by the Defense Security Service (DSS). DSS publishes the National Industrial Security Program Operating Manual (NISPOM), which sets the rules for industry's access to classified information.
Chapter 8 of NISPOM establishes the information security requirements for contractor information systems that are used to capture, create, store, process, or distribute classified information. Among the key requirements of Chapter 8 are the following:
Information security program. The contractor must maintain a risk-based set of management, operational, and technical controls, including policies and procedures to reduce security risks, information security training for all users, testing and evaluation of all security policies and procedures, incident detection and response plans, continuity of operations plans, and a self-inspection plan.
System security plan. The contractor must have a system security plan that documents its information security protections and controls, and includes supporting documentation (e.g., a risk assessment, plan of action, and configuration checklist).
IS security manager. The contractor must designate a qualified IS security manager who is responsible for implementing the IS program, monitoring compliance, verifying self-inspections, certifying in writing that the system security plan has been implemented and controls are in place, briefing users on their information security responsibilities and ensuring necessary training.
Information system users. All users are required to comply with the security program, be accountable for their actions on an information system, not share authentication mechanisms, protect authentication mechanisms at the highest classification level and most restrictive category of information to which that mechanism permits access, and be subject to monitoring of activity on a classified network.
Assessment and authorization. Contractors must work with the government agency to assess security controls in order to receive an authorization to handle classified information. A contractor will be re-evaluated for authorization to handle classified information at least once every three years. All security-related changes must be approved in advance by the government agency.
Systems and services controls. Contractors must allocate “sufficient resources” to information security. As part of their routine assessment and self-inspection, contractors must assess and monitor security controls.
Risk assessment. Contractors must conduct a comprehensive risk assessment, categorizing the potential impact level for confidentiality based on the information's classification, and monitoring changes to the information system that may affect security.
Personnel security. Employees who access classified systems must meet the security requirements (e.g., a clearance). Once an employee no longer requires access to the system, the authentication credentials must be disabled. The contractor must review audit logs to determine whether any employees fail to comply with security policies.
Physical and environmental protection. Contractors must limit physical access to information systems, protect the physical plant, and protect against environmental hazards.
Configuration management. Contractors must implement baseline configurations and information system inventories.
Maintenance. Contractors must perform necessary maintenance, such as patch management, and provide controls on the tools and personnel used for the maintenance
Integrity. Contractors must protect systems from malicious code.
Media protection. Contractors must mark all media with level of authorization until a classification review is conducted, and limit access to the classified information.
Incident response. Contractors must implement incident detection processes and immediately report any incidents to government agencies.
Authentication and access. Contractors must identify users, authenticate them, and limit access to authorized users, accounting to the types of transactions and functions to which each user is permitted access.
Audit and accountability. Contractors must create audit records to enable monitoring of activity on their systems.
System and communications protection. Contractors must monitor, control, and protect organizational communications.
In 2011, as cyber threats to classified information increased in frequency and magnitude, President Obama issued Executive Order 13587, entitled Structure Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. The executive order seeks to “ensure coordinated interagency development and reliable implementation of policies and minimum standards regarding information security, personnel security, and systems security; address both internal and external security threats and vulnerabilities; and provide policies and minimum standards for sharing classified information both within and outside the Federal Government.”
The executive order requires all agencies that operate or access classified computer networks to designate a senior official for classified information sharing and safeguarding, implement an insider threat detection and prevention program, and perform self-assessments of compliance. In response to the executive order, DSS amended NISPOM in May 2016 to require contractors that handle classified information to create an insider threat program. Contractors must create an insider threat program plan that describes:
the contractor's capability to gather relevant insider threat information;
the contractor's procedures to report that an individual potentially poses an insider threat; to deter employees from becoming insider threats; and to mitigate insider threat risks; and
corporate-wide plans to address requirements for cleared facilities.
Contractors must conduct annual self-inspections and certifications of their insider threat programs, and they must report behaviors that indicate insider threats. They also must implement a system or process that identifies negligence or carelessness in handling classified information. Contractors are further required to provide insider threat awareness training to all cleared employees at least once a year.
8.4 Covered Defense Information and Controlled Unclassified Information
Even if information is not classified, it may be subject to more stringent cybersecurity requirements if it is sufficiently sensitive. In 2010, President Obama issued Executive Order 13556, which called for adequate safeguards of “controlled unclassified information” (CUI), which it defined as “unclassified information throughout the executive branch that requires safeguarding or dissemination controls[.]” The National Archives and Records Administration (NARA) is responsible for implementing the safeguards throughout the executive branch, and as of publication of this book was finalizing its rules for handling of CUI.
Additionally, in 2015, the Defense Department overhauled its contractor cybersecurity rules for its sensitive, yet unclassified information.9 The rules apply to agencies and contractors that handle “covered defense information,” which is the Defense Department's version of CUI. The Defense Department's regulations define “covered defense information” as unclassified information that falls into one of the following categories:
Controlled technical information, which is defined as “technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release disclosure, or dissemination.”
Critical information, which are specific facts identified through operations security process about “friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment.”
Export control of unclassified information regarding items, commodities, technology, or software “whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives.”
Other information identified in the contract “that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Governmentwide policies.”
In practice, “covered defense information” is so broad that it can include virtually all aspects of a defense contractor's business, even its contract with the Defense Department. Even if a defense contractor does not handle any classified information, it likely is covered by these new cybersecurity rules. For that reason, the new regulations were met with significant consternation among the defense contracting community.
The two primary requirements of the new Defense Department regulations are an expedited security incident reporting requirement and compliance with a more stringent NIST security framework for sensitive but unclassified information. Under the new regulations, contractors and subcontractors that handle covered defense information are required to “rapidly report” cyber incidents to the Defense Department within 72 hours of discovery.10 This is among the shortest breach reporting requirements in the United States, and it puts significant pressure on defense contractors to quickly gather the necessary information after discovering an incident.
The regulations broadly define “cyber incident” as “actions taken through the use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.”11 Accordingly, the reporting requirement applies not only to data breaches, but any attacks or incidents that could harm covered defense information on the contractor's network or systems.
The new regulations also require contractors and subcontractors handling covered defense information to comply with NIST's Special Publication 800-171 (SP 800-171), Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. As seen below, SP 800-171's requirements are far more extensive than the general contractor requirements under SP 800-53. After defense contractors voiced a great deal of concern regarding compliance with SP 800-171, the Defense Department agreed to allow contractors until December 31, 2017, to get into compliance with the new standard.
NARA's proposed rule would require contractors that handle CUI also to comply with SP 800-171. Moreover, in August 2015, the Office of Management and Budget issued proposed guidance in which it instructs agencies to require contractors that handle CUI to comply with SP 800-171. In short, SP 800-171 will eventually become the de facto cybersecurity standard for many federal contractors.
Below are the key security requirements of the new standard for contractors that handle covered defense information, as stated in SP 800-171:
Access control.
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
Limit information system access to types of transactions and functions that authorized users are permitted to execute.
Control the flow of (controlled unclassified information, or “CUI”) in accordance with approved authorizations.
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Employ the principle of least privilege, including for specific security functions and privileged accounts.
Use nonprivileged accounts or roles when accessing nonsecurity functions.
Prevent nonprivileged users from executing privileged functions and audit the execution of such functions.
Limit unsuccessful logon attempts.
Provide privacy and security notices consistent with applicable CUI rules.
User session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.
Terminate (automatically) a user session after a defined condition.
Monitor and control remote access sessions.
Employ cryptographic mechanisms to protect confidentiality of remote access sessions.
Route remote access via managed access control points.
Authorize remote execution of privileged commands and remote access to security-relevant information.
Authorize wireless access prior to allowing such connections.
Protect wireless access using authentication and encryption.
Control connection of mobile devices.
Encrypt CUI on mobile devices.
Verify and control/limit connections to and use of external information systems.
Limit use of organizational portable storage devices on external information systems.
Control information posted or processed on publicly accessible information systems.
Awareness and training.
Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Audit and accountability.
Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
Ensure that the actions of individual information system users can be uniquely traced to those users so that they can be held accountable for their actions.
Review and update audited events.
Alert in the event of an audit process failure.
Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
Provide audit reduction and report generation to support on-demand analysis and reporting.
Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Protect audit information and audit tools from unauthorized access, modification, and deletion.
Limit management of audit functionality to a subset of privileged users.
Configuration management.
Establish and maintain baseline configurations and inventories of organizational information systems (e.g., hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Establish and enforce security configuration settings for information technology projects employed in organizational information systems.
Track, review, approve/disapprove, and audit changes to information systems.
Analyze the security impact of changes prior to implementation.
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
Apply denial-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Control and monitor user-installed software.
Identification and authentication.
Identify information system users, processes acting on behalf of users, or devices.
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Use multifactor authentication for local and network access to privileged accounts and for network access to nonprivileged accounts. Employ replay-resistant authentication mechanisms for network access to privileged and nonprivileged accounts.
Prevent reuse of identifiers for a defined period.
Disable identifiers after a defined period of inactivity. Enforce a minimum password complexity and change of characters when new passwords are created.
Prohibit password reuse for a specified number of generations.
Allow temporary password use for system log-ons with an immediate change to a permanent password.
Store and transmit only encrypted representation of passwords. Obscure feedback of authentication information.
Incident response.
Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
Test the organizational incident response capability.
Maintenance.
Perform maintenance on organizational information systems.
Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Check media containing diagnostic and test programs for malicious code before the media are used in the information system.
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Supervise the maintenance activities of maintenance personnel without required access authorization.
Media protection.
Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
Limit access to CUI on information system media to authorized users.
Sanitize or destroy information system media containing CUI before disposal or release for reuse.
Mark media with necessary CUI markings and distribution limitations.
Control access to media containing CUI and maintain accountability for media during transport out of controlled areas.
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Control the use of removable media on information system components.
Prohibit the use of portable storage devices when such devices have no identifiable owner.
Protect the confidentiality of backup CUI at storage locations.
Personnel security.
Screen individuals prior to authorizing access to information systems containing CUI.
Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Physical protection.
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Protect and monitor the physical facility and support infrastructure for those information systems.
Escort visitors and monitor physical activity.
Maintain audit logs of physical access.
Control and manage physical access devices.
Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).
Risk assessment.
Periodically assess the risk to organizational operations (mission, functions, image, or reputation, etc.), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
Remediate vulnerabilities in accordance with assessments of risk.
Security assessment.
Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application. Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
System and communications protection.
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
Separate user functionality from information system management functionality.
Prevent unauthorized and unintended information transfer via shared system resources.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny-all, permit-by-exception).
Prevent remote devices from simultaneously establishing nonremote connections with the information system and communicating via some other connection to resources in external networks.
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Establish and manage cryptographic keys for cryptography when used to protect the confidentiality of CUI.
Prohibit remote activation of collaborative computing devices, and provide indication of devices in use to users present at the device.
Control and monitor the use of mobile code.
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
Protect the authenticity of communications sessions.
Protect the confidentiality of CUI at rest.
System and information integrity.
Identify, report, and correct information and information system flaws in a timely manner.
Provide protection from malicious code at appropriate locations within organizational information systems.
Monitor information system security alerts and advisories and take appropriate actions in response.
Update malicious code protection mechanisms when new releases are available.
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Identify unauthorized use of the information system.