Contracting work with the government is the bread and butter of many companies. For those that contract with the U.S. Department of Defense, a federal security requirement now obliges contractors that handle covered defense information either to implement the required cybersecurity controls for the systems holding that data, or to have a documented plan for doing so, by December 31, 2017. Failure to comply can make a company ineligible to contract with the DoD.
What's this new federal directive?
In December 2016, the National Institute of Standards and Technology, an agency under the U.S. Department of Commerce, released Revision 1 of NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."
Dubbed "NIST 800-171" or simply "rule 171," the publication defines the safeguards a company must have in place to protect controlled unclassified information (CUI) in order to do business with the federal government. Note the scope: CUI is sensitive but unclassified data; classified information is governed by separate rules and is not what 800-171 addresses.
The obligation follows the data rather than the line of business: any company that stores, processes or transmits CUI on its own systems is in scope, whether it is a defense engineering firm or a janitorial-services provider. And it is not limited to prime contractors; the requirement flows down to subcontractors that receive CUI as well.
Alongside rule 171, the DoD enforces it through a contract clause, Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." The clause requires adequate security, defined as the NIST 800-171 controls, on all covered contractor information systems owned or operated by or for the contractor, and also requires the contractor to report cyber incidents affecting those systems to the DoD within 72 hours of discovery.
How should government contractors respond?
With the implementation deadline at the end of 2017, it is imperative that government contractors have a plan in place to implement the required controls. Many of the 800-171 requirements are policy and process (access control, training, audit logging, incident response, configuration management) rather than products to buy, so the plan has to cover people and procedures as well as technology.
Speaking with GovTech, Shawn Walker, vice president and co-founder of Secure Cyber Defense LLC, noted this directive impacts any company with classified information issued by the government and that it will take some time to implement.
"Starting from nothing, it will probably take six to 12 months to get all the technology in place to be able to say you're compliant," said Walker. "To put the plan together may take 30 to 60 days."
Companies can't simply wait until the last minute and cobble together a statement about a plan of action. Instead, they should start early and confirm they have assessed every one of the 110 security requirements, spread across 14 control families, that the publication lists.
Steps to take
First, contractors should familiarize themselves with NIST 800-171 and the DFARS clause, as these determine how the requirements apply to their firm and how they will affect operations and resources. Noncompliance may make a contractor ineligible for DoD awards, so leave no stone unturned when reviewing the publication and the clause. A practical first step is to map where CUI actually enters, is stored and leaves the organization; systems that never touch CUI are out of scope, and segregating CUI into a dedicated enclave can sharply reduce the number of systems that must meet all 110 requirements.
Next, perform a risk assessment of the in-scope systems against the requirements. The U.S. Department of Homeland Security provides a free tool for conducting a thorough assessment, the Cyber Security Evaluation Tool (CSET). According to its website, this tool provides a "systematic and repeatable approach for assessing the security posture of their cyber systems and networks." Whatever tool is used, record for each of the 110 requirements whether it is implemented, partially implemented or not implemented, with the evidence behind that judgment; that record is what an assessor will ask for.
Once risks are assessed, produce the two documents 800-171 itself calls for: a system security plan (SSP) describing the system boundary, the environment and how each requirement is met, and a plan of action and milestones (POA&M) listing every unmet requirement with an owner and a target date. Together these serve as the map for every step, task and policy the organization implements to reach compliance, and the POA&M is what satisfies the "have a plan in place" alternative for requirements still open at the deadline.
Also obtain a DoD-approved medium-assurance PKI certificate from one of the External Certification Authorities listed on the Information Assurance Support Environment (IASE) site. DFARS 252.204-7012 requires this certificate to submit cyber incident reports to the DoD, so acquiring it before an incident occurs avoids eating into the 72-hour reporting window.
With a carefully crafted plan of action, government contractors can meet the cybersecurity regulations methodically rather than in a scramble at the deadline.