Twenty-first century technology has made cybersecurity crucial for government contractors. Security threats have become so serious that all computer systems can be considered vulnerable to attack, whether the hacker is on the other side of the world or in the same room as the computer. While this has long been an issue for all Internet users, government contractors now have the special regulatory obligation of employing cybersecurity measures without diminishing their ability to fulfill their responsibilities as government contractors.
New cybersecurity rules for government contractors are set to take effect on December 31, 2017. Specifically, these will apply to all contractors for the National Aeronautics and Space Administration (NASA), the General Services Administration (GSA), and the Department of Defense (DOD).
Because cybersecurity standards and practices have been established for classified projects, the target of the new regulations is sensitive but unclassified information. The regulations respond to the fact that security breaches have become very common in the last few years.
The new cybersecurity rules were first issued two years ago, but some government contractors have not seriously acted on them and may not be fully aware of the requirements. Under more than a hundred new regulations, GSA, DOD and NASA contractors will have to impose tighter physical security measures at their premises, implement and document cybersecurity guidelines and practices, and devise an extensive emergency plan to address a cybersecurity attack.
The cost of complying with the new cybersecurity regulations can vary from one company to another. Some contractors will only have to make small adjustments to their current cybersecurity practices and policies, while others may have to spend much more to update or replace old servers, buy new equipment or hire security experts.
Although some government contractors are more than ready for the new regulations, others are just starting to prepare. The regulations impose a whole new variety of compliance obligations. However, the lesser-known risks to government contractors – for example, compliance issues for subcontractors and litigation possibilities – can pose the greater danger to them over the long term. Government contractors must therefore work regularly with their lawyer, with cyber professionals and with compliance officers to avoid any problems.
In 2016, federal officials announced various regulatory actions intended to push for effective cybersecurity. For example, in February, the federal government announced a “Cybersecurity National Action Plan,” along with two subsequent related executive orders.
A few months later that same year, the Department of Defense issued its final rule on the cyber incident reporting requirements, which covered all contractors and subcontractors of the department. DOD is strongly encouraging its contractors to join the voluntary Defense Industrial Base cybersecurity information sharing program, where they can share cybersecurity information with other contractors and learn from one another’s strengths and weaknesses.