Cybersecurity has become a crucial requirement for government contractors in 21st century operations. Computer systems have become highly vulnerable to attacks by hackers who may be located halfway across the world or right inside the room. Although this has been a growing concern for many years for all Internet users, government contractors in particular now face the additional challenge of complying with special regulatory obligations, which they must fulfill without hampering their ability to secure and fulfill government contracts.
New cybersecurity rules for government contractors are set to take effect on December 31, 2017. These will affect the General Services Administration (GSA), the Department of Defense (DOD), and the National Aeronautics and Space Administration (NASA).
With cybersecurity standards and practices already well established for classified projects, the new set of regulations is intended to protect unclassified sensitive information. It responds to the tremendous increase in the frequency of security breaches over the last few years.
Although the new cybersecurity rules were issued two years ago, some government contractors have failed to act on them and are not even fully aware of all the requirements. Under more than a hundred new regulations, GSA, DOD and NASA contractors will have to impose tighter physical security measures at their premises, implement and document cybersecurity guidelines and practices, and devise an extensive emergency plan to address a cybersecurity attack.
The cost of complying with the new cybersecurity regulations can vary from one company to another. For some contractors, only minor adjustments to their existing cybersecurity policies and practices may be necessary; for others, thousands of dollars may have to be spent to update old servers, buy new ones or hire security experts.
While some government contractors are all set for the new guidelines, others may only just be beginning to prepare for them. The regulations impose a new range of compliance obligations. But the unknowns, like compliance issues for subcontractors and the possibility of litigation, can pose even greater risks for contractors in the long run. Hence, government contractors should keep working with their lawyers, cybersecurity professionals and compliance officers to avoid problems with their cybersecurity posture.
In 2017, federal officials promoted more effective cybersecurity by announcing different regulatory actions. For instance, in February of the same year, a “Cybersecurity National Action Plan” was announced, followed by two related executive orders.
In October of the same year, the Department of Defense issued a final rule that implemented cyber incident reporting requirements for all DOD contractors and subcontractors. DOD is calling on its contractors to be part of a voluntary Defense Industrial Base cybersecurity information sharing program, where they can exchange vital cybersecurity information with other contractors and learn from one another.