Cybersecurity has become a crucial requirement for government contractors in 21st century operations. Computer systems have become highly vulnerable to attacks by hackers who may be located halfway across the world or right inside the room. While this has been an issue for a long time for all Internet users, government contractors now have the special regulatory obligation of employing cybersecurity measures without diminishing their ability to fulfill their responsibilities as government contractors.
There will be new cybersecurity rules for government contractors starting December 31, 2017. Specifically, these will apply to all contractors for the National Aeronautics and Space Administration (NASA), the General Services Administration (GSA), and the Department of Defense (DOD).
With cybersecurity standards and practices already well established for classified projects, the new set of regulations is intended to protect unclassified sensitive information. This is to address the problem of security breaches, which have become increasingly common over the last few years.
While the new cybersecurity rules were first issued in 2015, some government contractors have failed to act on them and are not even fully apprised of the requirements. Under more than a hundred new regulations, GSA, DOD and NASA contractors will have to impose tighter physical security measures at their premises, implement and document cybersecurity guidelines and practices, and devise an extensive emergency plan to address a cybersecurity attack.
The cost of cybersecurity compliance will differ from company to company. For some contractors, only minor adjustments to their existing cybersecurity policies and practices may be necessary; for others, thousands of dollars may have to be spent to update old servers, buy new ones or hire security experts.
Although some government contractors are more than ready for the new regulations, others are just starting to prepare. With the regulations comes a whole variety of new compliance responsibilities. But the unknown risks, like compliance issues for subcontractors and the possibility of litigation, can pose even greater problems for contractors in the long run. Therefore, government contractors must work regularly with their lawyer, cyber professionals and compliance officers to avoid any problems.
In 2016, many regulatory actions were announced by federal officials with the goal of promoting effective cybersecurity. For example, in February, the federal government announced a “Cybersecurity National Action Plan,” along with two subsequent related executive orders.
In October of the same year, the Department of Defense issued a final rule that implemented cyber incident reporting requirements for all DOD contractors and subcontractors. DOD is encouraging its contractors to take part in the voluntary Defense Industrial Base cybersecurity information sharing scheme, which allows them to trade cybersecurity information with other contractors for mutual benefit.