There are a growing number of cybersecurity requirements applicable to government contractors that work with the Department of Defense (DoD) and intelligence community. Thanks in part to a number of recent, high-profile cyber attacks, the laws and regulations governing cybersecurity will surely expand further. Indeed, President Obama mentioned cybersecurity in his 2015 State of the Union address, around the same time several new or rehashed legislative proposals were issued.
These laws and regulations are designed to impose requirements on contractors to employ adequate security measures for the avoidance, detection, and response to cyber attacks. Covered contractors are also expected to disclose when their network has been breached and facilitate the government’s investigation of what happened.
Despite all the attention on Capitol Hill, cybersecurity may still appear as a fuzzy object off in the distance for many contractors that do not work with DoD or handle sensitive information. However, recent developments suggest the object in your rearview mirror is closer than it may seem.
Although the recent spate of rules and laws have focused on a subset of contractors that work with DoD or handle sensitive data, there are signs that much broader-based cybersecurity requirements are coming soon. The National Institute of Standards and Technology (“NIST”) released a draft of a special publication last November, 800-171, addressing the protection of controlled unclassified information in nonfederal information systems and organizations.
A contractor’s information system would fall under a nonfederal information system. Covered firms would be expected to employ security protocols for unclassified information in nonfederal systems and organizations comparable to the security requirements currently imposed through Defense Federal Acquisition Regulation Supplement (“DFARS”) clauses that cover unclassified controlled technical information on unclassified information systems of DoD contractors.
The expansion of cybersecurity protocols to cover nonfederal information systems heralds the coming of cybersecurity requirements applicable to many more (if not all) federal contractors through the Federal Acquisition Regulation. A FAR clause of broader applicability requiring adequate cybersecurity and rapid reporting of cyber incidents is likely in the offing soon. The current requirements geared toward a narrower segment of DoD and intelligence community contractors will serve as a model for the requirements that will be imposed on a much broader base of contractors through the FAR.
This means it is time to take your head out of the sand when it comes to cybersecurity. Even if the existing laws and rules are not directly aimed at your company, the existing requirements give you a good idea of obligations the FAR may impose on you soon. Spending a little time now to understand the requirements, and where they are headed, is an opportunity you can seize to gain a competitive advantage through advance planning and preparedness.
About the Author: Jon Williams is a partner with PilieroMazza and a member of the Government Contracts Group. He may be reached at firstname.lastname@example.org.