In the 21st century, effective cybersecurity has become an imperative for government contractors. Hackers and spies can breach a computer system’s security from across the street or from the other side of the world. While effective cybersecurity has been a growing concern for years for governments, businesses, and individuals, government contractors now also face the additional challenge of prompt compliance with specialized regulatory obligations and new, precise cybersecurity rules that may have a direct impact on their ability to obtain and fulfill government contracts.
In 2017, according to the Department of Homeland Security’s website, “Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace. Cyberspace and its underlying infrastructure are vulnerable to a wide range of risk stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services.”
Marcel Lettre, President Obama’s last Undersecretary of Defense for Intelligence, agreed with the Department of Homeland Security’s assessment, describing cybersecurity as a “political, economic, diplomatic and military challenge” that is “evolving and growing more acute over time.” Indeed, the number of cyber attacks on government contractors has increased dramatically in recent years. Many of those contractors store vast amounts of important and sensitive intellectual property on their servers. Contractors should frequently review their operational, technology, and risk management policies and practices related to cybersecurity.
WHEN WILL THE NEW CYBERSECURITY RULES GO INTO EFFECT?
The key deadline is December 31, 2017. By that date, Department of Defense (DOD) contractors that handle covered defense information must have implemented the security requirements of NIST Special Publication 800-171, as required by DFARS clause 252.204-7012. Contractors for civilian agencies, including the National Aeronautics and Space Administration (NASA) and the General Services Administration (GSA), are already subject to the FAR’s basic safeguarding clause (FAR 52.204-21), a shorter list of baseline requirements for contractor systems that process federal contract information. Cybersecurity standards and practices are already well-established for classified projects, so the new regulations are aimed at safeguarding sensitive – but unclassified – information at a time when cybersecurity breaches are happening with increasing frequency.
The new rules have apparently caught some government contractors by surprise, and a failure to comply by December 31 could jeopardize a contractor’s ability to continue obtaining and fulfilling government contracts. Insiders are concerned that a number of key manufacturers have not paid sufficient attention to the new requirements, which oblige government contractors to adopt and implement a number of new cybersecurity practices, countermeasures, and reporting standards. Manufacturers that cannot demonstrate compliance by December 31 risk losing eligibility for new DOD, NASA, or GSA awards and put their existing contracts at risk.
The DOD rule was first issued as an interim rule in August 2015, but a number of government contractors have been slow to act on it and may not be fully apprised of what is required. NIST SP 800-171 alone lists 110 security requirements in 14 families. Among other things, they require contractors to control physical access to their facilities and systems, to create and document their cybersecurity policies and practices in a system security plan, and to establish an incident response capability for dealing with a cybersecurity breach.
WHAT WILL COMPLIANCE WITH THE NEW CYBERSECURITY RULES COST?
The cost of compliance with the new cybersecurity regulations may vary quite substantially from company to company. Some government contractors may need to make only the slightest adjustments to their current company cybersecurity practices and policies; other contractors may have to spend thousands of dollars to replace outdated servers and other equipment or to hire security personnel or consultants.
Even though some government contractors are well-prepared for the new regulations, many others are not. The regulations mandate a variety of new compliance obligations. But the hidden risks to government contractors – such as compliance issues with subcontractors, to whom the requirements flow down, and the potential for litigation – may pose even greater risks in the long term. Government contractors should work closely with their legal counsel, cybersecurity experts, and compliance professionals on a regular basis to assess their cybersecurity posture.
A number of other regulatory actions were announced by federal officials in 2016 to promote the goal of effective cybersecurity. For example, in February 2016, President Obama announced a “Cybersecurity National Action Plan” and issued two executive orders to “enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.”
In October 2016, the Department of Defense issued a final rule implementing mandatory cyber incident reporting requirements for DOD contractors and subcontractors: cyber incidents that affect covered defense information or a contractor’s ability to perform critical contract functions must be reported to DOD rapidly, within 72 hours of discovery. DOD also strongly encourages its contractors to participate in the voluntary Defense Industrial Base cybersecurity information sharing program, which fosters dialogue and the exchange of threat information among contractors and the government.
WHAT OTHER CYBERSECURITY ISSUES DO CONTRACTORS FACE?
Washington, D.C. government contract attorney Roy R. Morris, a partner at Dunlap Bennett & Ludwig, explains that “Cybersecurity was traditionally thought of as a defensive strategy; however, now the government is considering all of its options and building offensive capabilities.” The cybersecurity rules that now require government contractors and subcontractors to implement and enforce security measures against cyber threats are exceedingly complicated and involve a number of overlapping federal regulations.
Adding to the complexity, some U.S.-based defense contractors may also be subject to non-U.S. laws such as the European Union’s General Data Protection Regulation (GDPR). Thus, government contractors and subcontractors may possess or work with data that is subject to multiple regulations and jurisdictions. If you and your company are seeking a government contract, a security clearance, or advice regarding the National Industrial Security Program (NISP), take advantage of the advice and experience that an experienced government contract attorney can provide.
A cyber-savvy government contract attorney helps contractors identify and manage security risks, protect their digital assets, respond swiftly to cyber threats, and determine when the reporting of cyber incidents to the government is mandatory. As you may already know, a failure to comply with cybersecurity regulations can result in contract termination and even in liability under the False Claims Act if a contractor misrepresents its compliance.
Cybersecurity is a crucial compliance element for all government contractors. Contract termination can seriously impair a contractor’s ability to remain operational and profitable. Regardless of your company’s size or net worth, a Washington, D.C. government contract attorney can offer the legal advice you need and take legal action on your company’s behalf if a government contract is terminated or suspended, if your company is debarred, or if a security clearance is revoked.