Government Contractors and Cyber Security Compliance
Twenty-first century technology has made cybersecurity crucial for government contractors. Security threats are now serious enough that all computer systems can be considered vulnerable to attack, whether the hacker is located on the other side of the world or in the same room as the computer. While this has long been an issue for all Internet users, government contractors now have a special regulatory obligation to employ cybersecurity measures without diminishing their ability to fulfill their responsibilities as government contractors.
There will be new cybersecurity rules for government contractors starting December 31, 2017. These will affect the General Services Administration (GSA), the Department of Defense (DOD), and the National Aeronautics and Space Administration (NASA).
With cybersecurity standards and practices already well established for classified projects, the new set of regulations is intended to protect unclassified sensitive information. It is a response to the fact that security breaches have become very common in the last few years.
The new cybersecurity rules were first issued two years ago, but some government contractors have not seriously acted on them and may not be fully aware of the requirements. Over a hundred new regulations will require NASA, GSA and DOD contractors to beef up their premises’ physical security, draft and document their cybersecurity guidelines and practices, and create an extensive emergency plan in the face of a cybersecurity attack.
The cost of complying with the new cybersecurity regulations will vary from company to company. Some contractors only have to make small adjustments to their current cybersecurity practices and policies, while others may have to spend much more to update or replace old servers, buy new equipment or hire security experts.
While some government contractors are well prepared for the new set of regulations, many are not. The regulations impose a new range of compliance obligations. But the lesser-known risks to government contractors, like the potential for litigation or subcontractor-related compliance issues, can pose bigger risks for them as time goes by. Thus, government contractors need to work closely with their lawyer, with cyber specialists and with compliance officers in order to avoid problems.
In 2016, many regulatory actions were announced by federal officials with the goal of promoting effective cybersecurity. For example, in February, the federal government announced a “Cybersecurity National Action Plan,” along with two subsequent related executive orders.
A few months later in that same year, the Department of Defense issued its final rule on cyber incident reporting requirements, which covered all contractors and subcontractors of the department. DOD is strongly encouraging its contractors to join the voluntary Defense Industrial Base cybersecurity information sharing program, where they can share cybersecurity information with other contractors and learn from one another’s strengths and weaknesses.