The Defense Department is tightening the cybersecurity standards contractors need to meet in order to do business with the Pentagon.
DoD released a handful of new guidance and memos over the last three months, giving teeth to rules that require companies to shape up their cybersecurity practices or risk losing business.
The policies are based off of a rule DoD tried to implement back in 2013, but realized contractors needed more time to comply. The rule finally took effect at the end of 2017, and companies that want to work with the Pentagon need to make sure they are up to snuff when complying with the National Institute of Standards and Technology Special Publication 800-171.
“DoD wants to get everyone to a certain cybersecurity level,” Susan Cassidy, a partner specializing in defense and procurement at Covington and Burling LLP told Federal News Network. “Now they are tightening up and they are going to make it a performance and award differentiator.”
The twopolicies outline what the Pentagon expects from contractors and what consequences there will be for noncompliance.
Cassidy said before an award, DoD’s policy requires companies attest that they implemented the minimum standards of special publication 800-171. DoD also wants companies to agree to add more security controls beyond the NIST standards when companies are handling government information that’s especially sensitive. Finally, DoD explains in the guidance how it will make sure contractors’ cyber practices are up to par. The evaluations include the possibility of conducting on-site assessments of a contractor’s information systems.
“DoD is going to evaluate our compliance with 800-171 as part of an award decision,” Cassidy said. “The system security plans, which are probably for the most part put together by your IT team, are also something that should be read by your business development team and your legal team because they are going to become part of the evaluation factors potentially and that means it’s going to impact your competitive landscape.”
System security plans are outlines of how companies plan to comply with the cybersecurity standards.
DoD laid out post-award expectations as well.
Ian Brekke, an associate at Covington and Burling LLP, said DoD expects the delivery of a system security plan from the prime contractor. DoD also warns contractors they will be subject to audit and that contractors must identify subcontractors who will be receiving or developing controlled defense information.
DoD further defined what it expected from pre- and post-award requirements in two subsequent memos from Assistant Secretary of Defense for Acquisition Kevin Fahey and Undersecretary of Defense for Acquisition and Sustainment Ellen Lord.
The Fahey memo further explains that the government will need systems security plans from subcontractors and how controlled defense information should be shared with subcontractors.
Lord’s memo addresses auditing contractors’ purchasing systems so the Defense Contract Management Agency can provide oversight and assess compliance.
DoD is already starting to train a closer eye on companies and their cybersecurity standards.
In June, the DoD Inspector General’s Office announced it is conducting an audit to determine whether DoD contractors have security controls in place to protect DoD information stored on their systems and networks from cyber threats.
Why it’s needed
In the past few years, DoD and the government as a whole fell victim to cyber breaches, which compromised personal information and government documents.
DoD is wisening up to the cyber threats, but is still scrambling to close the holes in its system vulnerable to hackers.
Cassidy said while DoD needs the protection, it’s a heavy lift for some companies.
“This does impose additional requirements on small businesses that may be very difficult for certain small companies to meet,” she said. “DoD has been pretty clear, especially in the recent past, that their concern is about their data. The risk of a breach is probably greater than a concern that a small business may not be able to participate.”
Cassidy said there are ways to circumvent the issues. Small companies that are simply providing a part for a larger weapons system can do things by paper. Prime contractors who contract out to small businesses can have the small business work on the prime’s networks.
DoD is showing it means business too. Another guidance that came out late last year outlines some of the consequences of not complying.
For instance, if a company submits a systems security plan, but does not follow it there is a possibility the company could have a false claim or be in breach of contract, Cassidy said.
“They have new weapons to come after you both on a false claims act approach, and on a breach of contract approach,” she said. “It could also impact your past performance.”