Cybersecurity with Contractors & Subrecipients
Jul 16, 2024
In the 2024 updates to the Uniform Guidance, OMB has stressed the importance of recipients and subrecipients following appropriate cybersecurity practices, underscoring the seriousness of the matter.
OMB clarified that agencies should consider cybersecurity risk when evaluating organizations that apply for funding. Poor cybersecurity practices may lead to lost funding, especially in a competitive environment.
OMB also clarified that recipients and subrecipients must have reasonable cybersecurity controls to protect sensitive information. Adding cyber language to contracts isn’t enough; third-party cyber practices should be evaluated as part of risk management.
So What Should You Do?
Review your cybersecurity policies and controls to ensure they are documented, current, and operational. Third-party cybersecurity risk management is especially important. Practices should include:
- Identifying contractors and subrecipients who have access to confidential information.
- Performing due diligence to ensure their controls are adequate and residual risks are adequately mitigated.
- Monitoring cybersecurity practices over the term of the relationship and ensuring escalation procedures are in place to address problems if they occur.
How Vendor Centric Can Help
Our advisors have extensive experience developing and implementing robust cybersecurity policies and procedures for managing risk with third-party contractors and subrecipients. Schedule a consultation to learn how we can help.