The Department of Defense is bolstering its cybersecurity efforts, and that could mean significant challenges for some DoD contractors.
A delay in the implementation of new regulations, however, means there’s still time for companies to ensure compliance.
Until October, the Defense Industrial Base Cybersecurity and Information Assurance Program “was a voluntary, public-private cybersecurity partnership created by the DoD,” according to Governmentcontractslawblog.com. “Its purpose was to enhance and supplement DIB network defenses in the hopes of protecting DoD data, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness.”
The partnership promotes a collaborative environment, according to the blog, where participants share “actionable cyber threat information” to bolster cybersecurity. The DoD also offers technical assistance through the partnership, including mitigation and remediation strategies and best practices.
But now the DoD is preparing to have contractors use a more formal system.
Under new rules to protect controlled unclassified information (the requirements of National Institute of Standards and Technology Special Publication 800-171), contractors and subcontractors must implement DoD cybersecurity controls and report cyber intrusions within 72 hours or risk losing contracts.
In December, the DoD issued an interim rule that extended the implementation deadline to December 2017.
“While the expectation was that contractors implement the cybersecurity controls as soon as possible, the public concern on the interim rules was that there was no reasonable amount of time to meet the requirements,” according to CyberSheath.com, a cybersecurity blog.
Interim rule details
Covington’s law blog Insidegovernmentcontracts.com reported that the newest interim rule makes the changes below.
• Contractors have until Dec. 31, 2017, to implement NIST SP 800-171 security requirements on covered contractor information systems.
• Contractors must, within 30 days of contract award, notify the DoD chief information officer of any NIST SP 800-171 security requirements that are not implemented at the time of contract award.
• [Defense Federal Acquisition Regulation Supplement] 252.204-7012 is amended to delete the requirement for DoD chief information officer acceptance of alternative, but equally effective, security measures prior to award.
• The subcontractor flow-down requirements are amended to limit the requirement to flow down the clause only to subcontracts for operationally critical support or where subcontract performance will involve a covered contractor information system.
• Other than identifying the parties, changes in the substance of DFARS 252.204-7012 are now expressly prohibited when flowing down the clause to subcontractors.
Andy Merritt, chief defense industry officer with the Colorado Springs Regional Business Alliance, said while large defense contractors likely already meet these requirements, preparing subcontractors could pose a problem.
“If a company has a cybersecurity breach and doesn’t have these new procedures in place, then the company can be determined noncompliant and the contract could be terminated for cause,” Merritt said.
“A smaller company probably doesn’t have as significant a [cyber] staff, especially on the detection side. Adding more IT security means adding more cost. … It’s a real struggle for companies — how to meet the standards without overburdening their company to the point they’re no longer financially competitive.”
Gary Henry is executive director of the Colorado Procurement Technical Assistance Center, which helps private-sector businesses obtain government contracts. Henry says one of the biggest challenges to implementing new requirements will be the prime contractors’ abilities to monitor subcontractors.
“It’s not only what you have to do to be in compliance, but how does a prime [contractor] ensure [subcontractors] are in compliance?” he asked. “It’s not across the board, but frankly, many companies touch those [sensitive] elements, whether they’re in a service industry or building weapons systems,” he said.
Henry said PTAC can provide gap analyses and assist contractors in understanding new requirements and contract clauses.
“We also work with prime contracting officers to help them understand the challenges of a small business,” Henry said.
“It’s easy for a government agency or a large prime contractor to say these things need to be implemented, without understanding the effect on small business.”
According to Merritt, there are about 230 aerospace and defense companies in the Colorado Springs area. Of those, he said, about 115 have an IT component. Merritt said the existing military infrastructure, the likelihood of a local national cybersecurity intelligence center and the capabilities of many private-sector companies mean Colorado Springs contractors should look at the new federal rules as an edge, not a hurdle.
“I would say there’s a significant opportunity here for our community,” Merritt said.
“Go to a defense community with a lot of contractors, let’s say in manufacturing. They won’t have the same level of IT talent in their defense community as we have.”
Colorado Procurement Technical Assistance Center — Cybersecurity Panel
When: March 23, 8-9:30 a.m.
What: Panel discussion consisting of a prime contractor, a general contracting officer, a cybersecurity expert and a representative of small business
Where: Pikes Peak Regional Development Center, 2880 International Circle
Register at coloradoptac.org