Cybersecurity Requirements: Another Challenge for Government Contractors
With all the recent data security breaches, it is not surprising that the U.S. Government is starting to crack down on cybersecurity for its government contractors. The approaches the U.S. Government is taking include issuing laws, regulations and standards that require contractors to take security measures to safeguard their data.
On July 7, 2014, President Obama signed into law the Intelligence Authorization Act for Fiscal Year 2014 (Public Law 113-126). This law requires intelligence contractors with security clearances to promptly report network and information system breaches, and to provide government investigators with access to the contractors’ systems that have been compromised.
Additionally, the Department of Defense (“DoD”) will soon issue a new rule pursuant to the 2013 National Defense Authorization Act (NDAA) that requires contractors with security clearances to quickly report cyberattacks against their systems. Contractors will be required to inform DoD of the method of attack, a summary of the data compromised, and any access that the contractor may be required to give DoD for an investigation of the incident.
While these laws are being put into place, many questions remain unanswered, such as:
- What is the definition of a network penetration that must be reported?
- Will the investigations be publicly disclosed?
- Are unclassified systems and contracts covered under these rules?
- How much time do contractors have to report a cyberattack and how long must they retain the information related to the attack?
- How much access will contractors be required to provide to the government in the course of the investigation of the breach?
What is clear is that these new rules will impact government contractors of every size. Many contractors, especially smaller companies, may not have a robust cybersecurity program, and compliance could be very expensive. Prime contractors could also be required to flow the clauses regarding safeguarding of data down to their subcontractors, which could create additional compliance costs. However, failure to comply with the requirements could result in penalties, termination of contract by default, withholding of payment, or even suspension or debarment from future contracts.
Contractors should stay on top of the changing regulations and understand that compliance with the cybersecurity requirements is a cost of doing business with the government. For any questions regarding cybersecurity, please contact a Cherry Bekaert Government Contractor professional.