As I have noted in recent blogs here and here, momentum has been building this year toward a greater role for cybersecurity compliance in the award of federal contracts, particularly at DoD. From talking with many contractors, however, it still appears that a lot of firms are taking a wait-and-see approach to cybersecurity: they will wait to see whether it becomes an issue for a particular contract, or whether DoD starts to enforce and monitor its requirements more actively. That may be an understandable business judgment for some, given scarce time and resources, but the firms that do not get ahead of the curve on cyber are risking not only compliance problems but also falling behind competitors, who will be better positioned to win when cybersecurity soon becomes a more routine and prominent factor in solicitations and awards.
With the recently enacted NDAA for FY 2019, as well as DoD’s “Deliver Uncompromised” initiative, there is more reason to pull your head out of the sand and devote time and resources to information security compliance. The NDAA is always a legislative cornucopia, and the 2019 one is no different. As my colleagues are addressing in other blogs, the 2019 NDAA touches on a range of important topics for contractors. There is an entire section in this year’s NDAA devoted to “Cyberspace-Related Matters,” as well as other sections that also implicate information security. Of note, the NDAA requires agencies to avoid the lowest-priced technically acceptable (“LPTA”) selection method “[t]o the maximum extent practicable” when a procurement is predominantly for the acquisition of IT and cybersecurity services, among other knowledge-based professional services. If you provide these services, you now have another tool to push back when an agency attempts to acquire them using the LPTA method. Additionally, the NDAA includes a strong policy statement that the U.S. should use all of its powers, including offensive cyber capabilities, to deter and respond to cyber attacks, and the law affirms DoD’s authority to conduct military activities in cyberspace. Space Force, meet Cyberspace Force.
Another noteworthy cyber provision in the 2019 NDAA is one geared toward helping small business manufacturers become cyber compliant. Congress appears to have recognized that small firms, in particular, struggle with the myriad cyber requirements and the costly solutions often needed to achieve full compliance. The law requires DoD to “prioritize efforts to increase awareness to help reduce cybersecurity risks faced by small manufacturers” and to conduct outreach events and training. The law also tasks DoD with instituting mechanisms to assist small business manufacturers with “voluntary cybersecurity self-assessments.” This is a great idea and one that should be expanded in future years to all small business contractors. It is in the best interest of government and industry alike to ensure that small business contractors understand the requirements and are able to detect and mitigate, or eliminate, existing vulnerabilities in their IT systems and practices.
DoD has also recently touted its new “Deliver Uncompromised” initiative, which aims to make information security the “fourth pillar” of DoD acquisition, alongside cost, schedule, and performance. In discussing this initiative recently, Ellen Lord, DoD’s Under Secretary of Defense for Acquisition and Sustainment, attempted to dispel the myth (in my experience common among contractors) that DoD is not monitoring or enforcing its cybersecurity requirements. According to an article by Paul McLeary on Breaking Defense, Under Secretary Lord told a group of reporters that “up to this point in time [compliance oversight] has really been self-reporting.” However, Under Secretary Lord warned that this will be changing soon as DoD expands the use of “red teams” to go in and assess contractors’ systems. It sounds like DoD has received a fair amount of pushback from industry on this, so the oversight process continues to be murky. But DoD’s message, at least, is clear: that light you see at the end of the tunnel is an oncoming train. Its arrival time may be uncertain, but it’s on the way.
If you are seeing cybersecurity requirements in solicitations as you gear up for the end-of-fiscal-year bidding extravaganza, let us know if you have any questions. I also suggest a careful review of your teaming and subcontract agreements to make sure you are appropriately flowing down the cybersecurity requirements and shifting the risk to your partner, or avoiding the flow-down and the associated risk, depending on your circumstances. Keep in mind that a flow-down allocates risk between you and your partner; it does not relieve you of your own obligations to the government for the systems you operate.
About the Author: Jon Williams is a partner with PilieroMazza and a member of the Government Contracts Group.