regulatory matters

GSA Tightens Cybersecurity Standards: What Contractors Need to Know

The General Services Administration (GSA) is raising the bar for cybersecurity, implementing latest requirements for contractors handling Controlled Unclassified Information (CUI). These changes, outlined in the IT Security Procedural Guide CIO-IT Security-21-112 Revision 1, mirror aspects of the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) but introduce key differences that contractors must understand.

Beyond CMMC: A Broader Cybersecurity Net

Even as CMMC currently focuses on controls from NIST Special Publication 800-171 rev. 2, GSA’s guidance expands the scope to include controls from NIST SP 800-171 rev. 3, 800-172 rev. 3 and 800-53 rev. 5. This means a more comprehensive set of cybersecurity practices is now expected. The inclusion of NIST 800-53 rev. 5 controls is specifically triggered when Personally Identifiable Information (PII) is involved.

Risk-Based Flexibility: A Departure from CMMC Rigidity

Unlike the more prescriptive nature of CMMC, GSA’s framework allows for a risk-based approach. Contractors can potentially seek deviations from specific cybersecurity requirements, subject to GSA approval. This flexibility acknowledges that a one-size-fits-all approach isn’t always practical or effective. This contrasts with the CMMC program’s more rigid adherence to defined controls.

The Five-Phase GSA Assessment Process

GSA’s assessment process is detailed and demanding, mirroring the complexity of CMMC assessments. It’s structured around five phases:

Prepare: Establishing system scope, confirming information types, and assessing overall readiness.
Document: Fully documenting system architecture, security requirements, and creating a System Security Plan Package (SSPP).
Assess: Independent third-party assessment of implemented controls, conducted by a FedRAMP-accredited 3PAO or a GSA-approved assessor.
Authorize: GSA evaluates residual risk and determines if the system can process CUI.
Monitor: Ongoing monitoring and submission of recurring deliverables to maintain CUI protection.

Key deliverables throughout the process include FIPS 199 categorization, Security Assessment Reports (SARs), Plans of Action & Milestones (POA&Ms), and regular vulnerability scans.

Implications for Federal Contractors

These changes have significant implications for companies working with the federal government. Even contractors already preparing for CMMC need to evaluate the additional requirements imposed by GSA. The new guidance applies immediately to new contracts, at the discretion of the contracting officer.

Did you know? GSA’s expertise in IT acquisitions and collective buying power are leveraged to ensure products meet security and risk management expectations.

Future Trends: A Convergence of Cybersecurity Frameworks?

The emergence of GSA’s CMMC-like framework signals a broader trend toward standardized cybersecurity requirements across the federal government. We can anticipate further convergence of these frameworks in the future, potentially leading to a more unified approach to protecting sensitive information. This could involve:

Increased Harmonization: Efforts to align CMMC, GSA’s framework, and other federal cybersecurity standards.
Automation of Compliance: Greater use of automated tools for continuous monitoring and assessment of cybersecurity controls.
Focus on Supply Chain Security: Expanded requirements for subcontractors to demonstrate cybersecurity maturity.
Emphasis on Zero Trust Architectures: Adoption of Zero Trust principles to minimize the attack surface and enhance security.

The Department of War (DoW) has already mandated CMMC certification for contracting opportunities, and it’s likely other agencies will follow suit with similar, or harmonized, requirements.

FAQ

Q: Is CMMC certification enough to meet GSA’s requirements?
A: Not necessarily. GSA’s framework includes broader requirements than CMMC, so contractors need to assess both sets of standards.

Q: What is CUI?
A: Controlled Unclassified Information is unclassified data that requires protection, as defined by federal regulations.

Q: Who can conduct the independent assessments required by GSA?
A: FedRAMP-accredited 3PAOs or assessment organizations approved by the GSA OCISO.

Q: What is NIST SP 800-171?
A: NIST Special Publication 800-171 outlines security requirements for protecting CUI in nonfederal systems.

Pro Tip: Start reviewing your systems and assessing your compliance with GSA’s cybersecurity requirements now to avoid potential delays or disqualification from future contracts.

To learn more about preparing for these changes, explore resources from GSA and NIST. Stay informed and proactive to ensure your organization remains a trusted partner to the federal government.

The Rise of Banks in the Private Credit Space

The financial landscape has undergone significant shifts in recent years, with banks facing competition from private credit firms, also known as “direct lenders.” As banks navigate these changes, they eye the growing U.S. private credit market, valued at nearly $2 trillion. This exploration marks their renewed interest in private credit, a space that’s rapidly evolving on Wall Street. Banks have initiated high-profile collaborations with private credit firms, signaling a strategic pivot to reclaim their position in lending. What lies ahead in this dynamic interplay between traditional banks and private credit entities?

Understanding Private Credit: A Quick Overview

Private credit, primarily bilateral loans to non-public companies, emerged prominently post-2008 financial crisis. The Basel III regulatory framework increased capital requirements for banks, steering them away from heavily-leveraged loans. This regulatory backdrop allowed non-bank lenders to step in, providing bespoke loan solutions with greater flexibility and higher returns. While retaining niche appeal, private credit now stands as a pivotal financing avenue for corporate clients.

Partnerships: A Strategy for Innovation

Banks are increasingly seeking synergies with private credit firms. These partnerships often manifest in the form of co-lending and investment in business development companies (BDCs). An illustrative case is the cooperation between JPMorgan Chase and Oaktree Capital, joining forces to create a co-lending platform for leveraged loans. This collaborative approach leverages the bank’s extensive corporate networks with the nimbleness of private lenders, optimizing risk and reward dynamics.

Direct Competition: Banks Building Their Own Footprints

Aside from partnerships, some banks are tapping into private credit by establishing in-house funds. For example, Morgan Stanley launched an on-platform private credit fund, catering to a diversified portfolio of loans. This strategy allows banks to leverage their wealth management networks for direct investment, offering holistic financing solutions under one roof.

Joint Ventures: The New Norm

A seminal trend is the rise of joint ventures, embodying a co-operative yet competitive spirit. These ventures combine the analytical prowess of banks with the lending agility of private credit firms. Goldman Sachs’ collaboration with Solo Capital exemplifies this trend, pooling resources to source and manage loans according to strategic lending models.

Future Trends: What to Expect

The interplay between banks and private credit is poised to shape the lending industry significantly. Ongoing regulatory shifts and technological advancements will likely spur innovative lending models, potentially blurring the lines between traditional banks and private lenders. Enhanced data analytics capabilities might also transform credit assessments, providing deeper insights into borrower profiles.

Integrating Expertise for Holistic Solutions

Firms like Winston highlight the critical role expertise plays in this ecosystem. With a focus on private credit financings and regulatory acumen, they guide banks in navigating complex frameworks, ensuring specialized services that cater to diverse client needs. The distinction of such expertise is in blending technical prowess with a client-centric approach that remains crucial in this competitive landscape.

Frequently Asked Questions

What role do banks play in the private credit market?

Banks are re-entering the private credit market through partnerships, internal fund creation, and joint ventures. This allows them to offer enhanced loan structures and reach underserved markets.

Why are banks investing in private credit?

Banks see opportunities for higher yields and fee generation. Engaging with private credit aligns with evolving market demands and offers competitive advantages.

How have private credit firms impacted corporate lending?

They’ve driven innovation in loan structuring, offering customized and efficient lending solutions, catering specifically to the needs of non-public companies.

Pro Tips for Navigating the Private Credit Market

Stay informed about regulatory changes that impact both banks and private lenders. Knowledge is key to adapting strategies effectively.

Explore joint ventures as a way to leverage combined strengths and diversify lending portfolios.

Did you know? According to a recent study, private credit has seen an annual growth rate of approximately 29% from 2017 to 2022, illustrating its appealing prospects for both banks and borrowers alike.

Next Steps

As this landscape continues to evolve, the intersection between traditional banking practices and innovative private credit solutions will likely lead to unprecedented growth and opportunities. If you’re considering venturing into private credit or seeking deeper insights, exploring targeted financial advisories and strategic partnerships can be fruitful. Explore more on our blog or subscribe to our newsletter to stay ahead of the curve.

Beyond the CMMC: New Cybersecurity Assessments for Government Contractors