Cybersecurity has become a crucial requirement for government contractors in 21st century operations. Security threats have become so real and so serious that all computer systems can be considered vulnerable to attack, whether the hacker is located on the other side of the world or in the same room as the computer. Although this has been a growing concern for all Internet users for many years, government contractors in particular now face the additional challenge of complying with special regulatory obligations, which they must fulfill without hampering their ability to secure and fulfill government contracts.
New cybersecurity rules for government contractors are set to take effect on December 31, 2017. These will affect the General Services Administration (GSA), the Department of Defense (DOD), and the National Aeronautics and Space Administration (NASA).
With cybersecurity standards and practices already well established for classified projects, the new set of regulations is intended to protect unclassified sensitive information. The change is driven by the fact that security breaches have increased tremendously in frequency over the last few years.
Although the new cybersecurity rules were issued two years ago, some government contractors have failed to act on them and are not even completely aware of all the requirements. Under more than a hundred new regulations, GSA, DOD and NASA contractors will have to impose tighter physical security measures at their premises, implement and document cybersecurity guidelines and practices, and devise an extensive emergency plan to address a cybersecurity attack.
The cost of cybersecurity compliance will vary from company to company. Some contractors need only small adjustments to their existing cybersecurity policies and practices, while others will have to spend more on updating or replacing old servers, purchasing new equipment or using the services of security experts.
Although some government contractors are more than ready for the new regulations, others are just starting to prepare. The regulations impose a whole new variety of compliance obligations. But the lesser-known risks, like the potential for litigation or subcontractor-related compliance issues, can become bigger problems for government contractors as time goes by. Hence, government contractors should keep working with their lawyers, cybersecurity professionals and compliance officers to avoid problems with their cybersecurity posture.
In 2016, many regulatory actions were announced by federal officials with the goal of promoting effective cybersecurity. In February, for example, the federal government released a “Cybersecurity National Action Plan” as well as two related executive orders.
A few months later that same year, the Department of Defense issued its final rule on cyber incident reporting requirements, which covers all of the department's contractors and subcontractors. DOD is calling on its contractors to join a voluntary Defense Industrial Base cybersecurity information sharing program, where they can exchange vital cybersecurity information with other contractors and learn from one another.