May 16, 2024

Cybersecurity has skyrocketed to the number one slot on many surveys and experts’ risk rankings as noted in GRF’s Top Risk for Nonprofits and Associations report. In response to the evolving landscape of cybersecurity threats, the Office of Management and Budget (OMB) has introduced language in the recently updated Guidance for Federal Financial Assistance aimed at strengthening information security measures for recipients and subrecipients of federally sourced funds.

In a nutshell, federal agencies want assurances that their award recipients are safeguarding data. Section 200.303 of 2 CFR introduces “reasonable” cybersecurity internal control stipulations alongside existing information protection measures outlined in section 200.303(e). This is to better align with the mandate that federal agencies assess recipients for cybersecurity risks when making award decisions. The Final Rule extends the scope of cybersecurity and information safeguarding controls to include all forms of information, beyond personally identifiable information (PII) and other classified sensitive data. The Final Rule refrains from dictating a specific cybersecurity framework, opting instead for the flexible term “reasonable security” to denote the expectation.

cyber journey pathwayReasonable cybersecurity measures

Reasonable cybersecurity measures are designed to be practical, proportionate to risk, and aligned with industry standards and best practices. The GRF Cybersecurity Pathway helps define what is “reasonable” for your organizational context.

Answer the following questions to determine the appropriate measures needed to comply with the new federal guidelines:


 Cyber Journey Step 1   What is your baseline?

  • Begin by conducting a thorough risk assessment to identify potential cybersecurity risks and vulnerabilities. Consider factors such as the organization’s size, complexity, data sensitivity, and regulatory requirements. This assessment serves as the foundation for developing a tailored cybersecurity strategy.

Cyber Journey Step 2What comprises a cyber security program?

  • Reference industry-recognized cybersecurity frameworks and standards, such as the NIST Cybersecurity Framework or ISO/IEC 27001, to guide the implementation of cybersecurity measures. These frameworks provide comprehensive guidance on risk management, security controls, and incident response procedures.
  • Define data classification categories based on their sensitivity and criticality. Establish procedures for classifying, labeling, and handling data while ensuring appropriate protection measures are applied to different data classifications. This may include encryption, access controls, data classification, and secure transmission protocols to prevent unauthorized access and data breaches.
  • Develop and maintain an incident response plan to effectively respond to cybersecurity incidents. Establish procedures for detecting, reporting, and mitigating security breaches, as well as restoring normal operations in a timely manner.
  • Assess and manage cybersecurity risks associated with third-party vendors, suppliers, and partners who have access to the organization’s systems or data. Implement contractual provisions and due diligence processes to ensure that third parties adhere to cybersecurity standards.

Cyber Journey Step 3Do your employees know the risks?

  • Invest in cybersecurity awareness training for employees to educate them about common cybersecurity threats, best practices, and their role in protecting sensitive information. Foster a culture of cybersecurity awareness and accountability throughout the organization.

Cyber Journey Step 4Are you keeping up to date?

  • Establish mechanisms for continuous monitoring of cybersecurity threats and vulnerabilities. Regularly update software, apply security patches, and conduct vulnerability scans to mitigate emerging risks and ensure the effectiveness of security controls.
  • Conduct external audits over top cyber risk areas to provide assurance that your cyber program is designed and operating effectively.

Failure to implement reasonable cybersecurity measures not only exposes organizations to increased cybersecurity risks but also jeopardizes their eligibility for federal funding. Additionally, non-compliance may result in reputational damage, legal liabilities, and financial penalties. As cybersecurity threats continue to evolve, organizations must prioritize the implementation of cybersecurity measures to safeguard sensitive information and maintain compliance with federal guidelines. For more information on how to define and implement reasonable cybersecurity measures, contact our GRF cybersecurity experts for more information.

Want to continue reading?

Check out GRF Cyber Resources page and GRF eBook: Cybersecurity Risks & Mitigation Strategies.

Melissa Musser, CPA, CIA, CITP, CISA

Partner and Director, Risk & Advisory Services