Twenty-first century technology has made cybersecurity crucial for government contractors. Computer systems have become vulnerable to hackers and spies, whether they operate from right across the street or from another continent. While this has long been an issue for all Internet users, government contractors now have a special regulatory obligation to employ cybersecurity measures without diminishing their ability to fulfill their responsibilities as government contractors.
There will be new cybersecurity rules for government contractors starting December 31, 2017. Specifically, these will apply to all contractors for the National Aeronautics and Space Administration (NASA), the General Services Administration (GSA), and the Department of Defense (DOD).
With cybersecurity standards and practices already well-established for classified projects, the new set of regulations is intended to protect unclassified sensitive information. It responds to the fact that security breaches have increased tremendously in frequency over the last few years.
Although the new cybersecurity rules were issued two years ago, some government contractors have failed to act on them and are not even completely aware of all the requirements. Over a hundred new regulations will require NASA, GSA and DOD contractors to beef up the physical security of their premises, draft and document their cybersecurity guidelines and practices, and create an extensive emergency plan for responding to a cybersecurity attack.
The cost of cybersecurity compliance will differ from company to company. Some contractors only have to make small adjustments to their current cybersecurity practices and policies, while others may have to spend much more to update or replace old servers, buy new equipment or hire security experts.
While some government contractors are well-prepared for the new set of regulations, many are not. With the regulations comes a whole variety of new compliance responsibilities. But the lesser-known risks to government contractors, like the potential for litigation or subcontractor-related compliance issues, can become bigger problems for them as time goes by. Hence, government contractors should keep working with their lawyer, with cybersecurity professionals and with compliance officers to avoid problems with their cybersecurity posture.
In 2017, federal officials promoted more effective cybersecurity by announcing various regulatory actions. For instance, in February of the same year, a “Cybersecurity National Action Plan” was announced, followed by two related executive orders.
A few months later that same year, the Department of Defense issued its final rule on cyber incident reporting requirements, which covers all contractors and subcontractors of the department. DOD is encouraging its contractors to take part in the voluntary Defense Industrial Base cybersecurity information sharing scheme, which allows them to trade cybersecurity information with other contractors for mutual benefit.