Twenty-first century technology has made cybersecurity crucial for government contractors. Computer systems have become highly vulnerable to attacks by hackers who may be located halfway across the world or right inside the room. Although this has been a growing concern for all Internet users for many years, government contractors in particular now face the additional challenge of complying with special regulatory obligations, which they must fulfill without hampering their ability to secure and fulfill government contracts.
There will be new cybersecurity rules for government contractors starting December 31, 2017. Those affected are the Department of Defense (DOD), the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA).
Given that cybersecurity standards and practices have already been established for classified projects, the new regulations will be targeted at protecting sensitive but unclassified information. This is to address the problem of security breaches becoming increasingly common over the last few years.
Although the new cybersecurity rules were first issued back in 2015, some government contractors failed to act on them and are not even fully apprised of the requirements. Over a hundred new regulations will require NASA, GSA and DOD contractors to beef up their premises’ physical security, draft and document their cybersecurity guidelines and practices, and create an extensive emergency plan in the event of a cybersecurity attack.
The cost of complying with the new cybersecurity regulations can vary from one company to another. Some contractors only need small adjustments to their existing cybersecurity policies and practices, while others have to spend more for updates or replacement of old servers, the purchase of new equipment or the use of security experts’ services.
While some government contractors are well-prepared for the new set of regulations, many are not. The regulations require a new range of compliance obligations. However, the lesser-known risks to government contractors – for example, compliance issues for subcontractors and litigation possibilities – can pose a greater risk to them over the long term. Hence, government contractors should keep working with their lawyer, with cybersecurity professionals and with compliance officers to avoid problems with their cybersecurity posture.
Federal officials in 2016 announced various regulatory actions with the intention of pushing for effective cybersecurity. For example, in February, the federal government announced a “Cybersecurity National Action Plan,” along with two subsequent related executive orders.
A few months later that same year, the Department of Defense came up with its final rule on the cyber incident reporting requirements, which covered all contractors and subcontractors of the department. DOD is calling on its contractors to be part of a voluntary Defense Industrial Base cybersecurity information sharing program, where they can exchange vital cybersecurity information with other contractors and learn from one another.