Cybersecurity Requirements Could be Expanding its Reach Soon
By: Sara Crabtree, Senior Manager and Neal Beggan, Principal
For more than a year, Cherry Bekaert has been writing about the changes coming down the Federal pike regarding cybersecurity requirements that affect government contractors. Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which took effect in October 2016, requires prime contractors and subcontractors to provide “adequate security” on all Covered Contractor Information Systems (“CCIS”). A CCIS is an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits Controlled Unclassified Information or Covered Defense Information.
DFARS 252.204-7012 states that a CCIS shall be subject to the security requirements in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. NIST SP 800-171 organizes its security requirements into 14 control families totaling 110 individual requirements that a contractor must meet (or, for any not yet met, document in a System Security Plan with a Plan of Action). The families include access control, configuration management, incident response, physical protection, and system and information integrity, among others.
DFARS 252.204-7012 required contractors holding Department of Defense (“DoD”) contracts subject to the DFARS to implement NIST SP 800-171 by December 31, 2017. Cherry Bekaert has stressed that a contractor not subject to the DFARS today should not ignore its cybersecurity, because we expect the same requirements to be promulgated through the Federal Acquisition Regulation (“FAR”) in the near future. DoD contractors were affected first; General Services Administration (“GSA”) schedule holders appear to be the next group.
The latest GSA regulatory agenda includes a plan to expand cybersecurity rules for its contractors, taking its lead from DFARS 252.204-7012. The agenda specifically mentions implementing NIST SP 800-171 as a requirement for GSA schedule holders, and it signals an intent to apply the requirements to all of a contractor’s systems, whether internal, external, cloud-based, or mobile. The public comment period for these changes is scheduled to run from April to June 2018.
GSA is also considering expanding its cyber incident reporting requirements, including preserving images of affected systems, mandatory employee training, a delineation of roles and responsibilities, and an established reporting timetable. The public comment period for these changes is expected to run from August to October 2018.
We can’t stress enough how important it is for all government contractors to evaluate their cybersecurity policies and procedures and conduct a risk analysis now. This issue is not going away, and we expect it to become a FAR rule within the next few years. Take the time to learn NIST SP 800-171 and the DFARS clause, and try not to get bogged down by the lack of guidance and the assumptions it forces you to make. You probably have more of the controls in place than you realize.
We encourage all contractors to be proactive, because the risks of a breach are great. According to the 2017 Ponemon Cost of Data Breach Study sponsored by IBM, a breach costs on average $141 per lost or stolen record, and the average total cost of a data breach for a U.S. organization is $7.3 million. Beyond the breach itself, a non-compliant contractor may face termination for default, breach of contract claims, liquidated damages, exclusion from future awards on non-responsibility grounds, and liability under the False Claims Act for misrepresenting its compliance. Furthermore, because these cybersecurity requirements are mission critical to the government, demonstrated adherence to them has become a competitive discriminator.
Contracting officers are already deeming contractors technically deficient and excluding them from contract award when they cannot demonstrate compliance. Can your organization afford these alternatives?