NIST offers cybersecurity framework
The White House issued voluntary cybersecurity standards for critical infrastructure, developed by the National Institute of Standards and Technology, that are aimed at improving industry awareness and reporting of cyber breaches and hacks.
The guidelines are currently optional for industry, but are expected to become mandatory for a large number of federal contractors, particularly for reporting cyber data theft and infiltrations to the government. Previously, only certain vendors dealing with government data were mandated to report breaches.
Government suppliers, who had input into the guidelines, feel they are flexible and not too burdensome, according to NextGov.
But Alan Chvotkin, executive vice president for the Professional Services Council, told NextGov the new rules are significant and there could be extra costs and questions of liability for the suppliers.
The new standards are meant to align with recent cybersecurity recommendations developed by the Defense Department and General Services Administration.
Those recommendations raise a number of questions for contractors, Elizabeth Ferrell, partner at McKenna Long law firm in DC, wrote in a Feb. 4 article. “It is unclear, for example, whether specific types of acquisitions, including small business set-asides, will be exempt from these recommendations,” Ferrell wrote.
Also, it’s not clear how the recommendations will be implemented, or what the consequences will be for contractors who do not implement the government’s standards, she added.
More information:
NIST framework: http://www.nist.gov/cyberframework/
NextGov article: http://goo.gl/kG6LE8
McKenna Long article: http://goo.gl/pIfboH