The Office of Management and Budget’s revised guidance for federal financial assistance emphasizes cybersecurity, requiring reasonable measures to safeguard information. Here’s what you need to know to stay compliant and secure.
On April 22, 2024, the Office of Management and Budget (OMB) published in the Federal Register the revisions to the OMB Guidance for Federal Financial Assistance. The revisions — effective for grant awards issued on or after Oct. 1, 2024 — are aimed at improving stewardship of federal funds, promoting equitable access to programs and services, reducing administrative burden for agencies, applicants, and recipients, and facilitating streamlined and effective oversight and implementation of federal programs. The changes are significant and require new understanding by recipients, subrecipients, and auditors alike. For a general background on the changes, check out our recent article, “How will OMB’s revisions for federal assistance impact my organization?”
One of the more obscure — and potentially impactful — changes to the Uniform Guidance is the incorporation of “cybersecurity” into certain key sections. While OMB didn’t specify why they included cybersecurity in the revisions, it’s generally recognized that cybersecurity is a necessary factor in today’s digital environment due to the importance of protecting sensitive personal and organizational data from theft, unauthorized access, and damage, and safeguarding against financial loss, reputational harm, and disruptions to operations.
How has the Uniform Guidance incorporated cybersecurity measures?
The revised Uniform Guidance 2 CFR 200 incorporates cybersecurity into several sections, but references in the internal controls and risk sections merit particular attention.
2 CFR 200.303(e) — Internal Controls: In this section, OMB requires recipients and subrecipients to take reasonable cybersecurity and other measures to safeguard information, including protected personally identifiable information (PII) and other types of information. While OMB doesn’t prescribe what reasonable cybersecurity measures are, in the Summary of Comments included in the Federal Register, OMB indicates it will continue to evaluate whether it should implement a specific framework on a governmentwide basis in the future. In the meantime, recipients and subrecipients have discretion on the appropriate framework for safeguarding information as required by 2 CFR 200.303(e).
2 CFR 200.208(b) — Risks: This section requires federal agencies to conduct cybersecurity risk assessments to evaluate the risks posed by applicants before issuing awards. The risk assessment may incorporate elements such as the quality of the application, the amount of the award, risks associated with the program, and cybersecurity risks, among other elements. While federal agencies have discretion on which elements to incorporate, cybersecurity measures are essential in a landscape where threats to information systems are becoming more sophisticated and widespread.
How can your organization maintain cybersecurity compliance in the evolving landscape?
The core issue raised by the new cybersecurity requirements is the dual challenge of establishing sufficient protections in an increasingly hostile digital environment while adhering to grant compliance standards that can be stringent and challenging for some organizations. The guidance provides the flexibility to align your controls with broader standards such as “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control – Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), avoiding overly prescriptive measures while still emphasizing the need for reasonable cybersecurity safeguards. Look at the Uniform Guidance for key language to help guide your deliberations: “must” is a requirement, while “should” is a best practice or recommended approach.
Adopting a cybersecurity framework
There are many cybersecurity frameworks your organization can use as a guide to implement its baseline of cybersecurity controls. Most frameworks cover the same basic cybersecurity principles but approach them in different ways. The following are three different cybersecurity frameworks/guidance to consider.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 provides a voluntary framework designed to help organizations of all sizes and sectors manage and reduce cyber risks. This framework can be useful regardless of the maturity level and technical sophistication of your cybersecurity programs. While suitable for organizations of any size, this framework is all-encompassing and can feel overwhelming if your organization is in the early stages of its cybersecurity program.
The Center for Internet Security (CIS) Critical Security Controls (CSC) is another cybersecurity framework that provides a tiered approach to implementing cybersecurity controls. It starts with an initial focus on basic cybersecurity hygiene to address the most common risks and expands to more advanced controls as your cybersecurity posture matures. CIS mapped this framework to the NIST CSF and other frameworks/regulations for easy reference.
The Cybersecurity & Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals (CPGs) are a subset of cybersecurity practices meant to focus on high-impact security actions. Some smaller organizations find this framework to be more concise and less intimidating (having approximately 30 controls) — a good stepping stone to eventually get to the NIST CSF, which has in excess of 100 controls.
Any of these (or even other) cybersecurity frameworks can help you achieve the intent of the OMB guidance. When choosing an approach, consider your current state of cybersecurity maturity and the availability of cybersecurity resources if you choose to leverage a standard framework. In many cases, it’s beneficial to consult with grant compliance and cybersecurity experts to help your organization choose a framework and implement the requirements.
What steps should your organization take?
In the ever-evolving landscape of federal grants, the integration of robust cybersecurity measures within internal controls is becoming paramount. Despite the lack of prescription from OMB, there are a few steps your organization should consider taking now.
Review what cybersecurity measures you already have in place. It’s likely you have something now — that will be your baseline for moving forward.
Understand the federal, state, and local laws and regulations that apply to your organization. Just knowing the Uniform Guidance revisions is not enough — your framework must consider all relevant laws.
Identify where your organization creates, receives, maintains, and transmits PII or other sensitive information. Are there certain grants where this information is more prevalent?
Determine what internal controls are already in place and verify whether they reasonably safeguard information. Where deficiencies exist, develop internal controls that meet legal, regulatory, compliance, and contractual requirements. In doing so, consider the five components of the COSO framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission:
Control environment
Risk assessment
Control activities
Information and communication
Monitoring activities
The bottom line
A lack of adequate cybersecurity measures can result in disruptions to your operations, data loss, reputational harm, a failed audit, or even legal action and repayment of funds. Cybersecurity will be an increasing focus for OMB going forward, and by accepting federal awards, you agree to comply with the Uniform Guidance. Now’s the time to assess what this means for your organization. The good news is that the Uniform Guidance currently provides you with reasonable discretion on adopting an appropriate framework for safeguarding information, and it creates an excellent opportunity to adopt a proactive cybersecurity stance that strengthens your organization’s overall security posture rather than simply complying with the rules.