Cyber Security Considered Critical Factor Within Government Contracting
Cyber security is a critical factor within government contracting, and it has received increasing attention within the U.S. federal government as technology continues to evolve. Last year, the Department of Defense (DoD) issued two final rules that changed the DoD Federal Acquisition Regulations Supplement (DFARS).
DFARS Clauses Focus on Cyber Security
Under DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, contractors with information systems that contain or transmit covered defense information are required to provide adequate security.
Adequate security consists of the 110 security controls in the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171). NIST SP 800-171 is a framework laying out how contractors must protect sensitive defense information and report cybersecurity incidents.
The NIST framework requires government contractors to document how they’ve met the following requirements:
- Security requirement 3.12.4 – Requires contractor to develop, document, and update System Security Plans detailing system boundaries, system environments of operation, how security requirements are implemented, and the relationship with other systems
- Security requirement 3.12.2 – Requires contractor to develop and implement Plans of Action to correct deficiencies and reduce/eliminate vulnerabilities in their systems
To effectively uphold cyber security within your government contracting operations, it is your responsibility under this DFARS clause to report a cyber incident to the DoD within 72 hours.
Furthermore, a solicitation clause, DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, requires that contractors represent they will implement security controls.
Contracts Experience Increase in Cyber Security Requirements
In addition to these two DFARS clauses, solicitations and contracts are seeing an increase in cybersecurity requirements. A contracting officer could determine a government contractor with inadequate cybersecurity protection failed to comply with obligations under the contract. These determinations could result in termination, negative past performance evaluations, and/or suspension.
In an address given at the Air Force Association’s Air, Space & Cyber Conference in September 2018, Deputy Secretary of Defense Patrick Shanahan emphasized that cybersecurity will become a critical measurement for making contract awards.
It is also expected to be a significant consideration in holding a government contractor accountable for its performance.
DoD acquisitions currently focus on three critical measurements:
However, cybersecurity is expected to soon be considered the fourth critical measurement. Shanahan noted that adequate cybersecurity protection is part of the standard baseline of government contracting security. It’s not an optional feature.
“Security is the standard,” Shanahan said. “It’s the expectation. It’s not something that’s above and beyond what we’ve done before.”
Government contractors are encouraged to focus on and continuously improve their ability to comply with cyber security requirements consistent with expectations set forth during the Air Force Association’s Air, Space & Cyber Conference.
H2L Solutions, Inc. implements, tests, administers and sustains cybersecurity solutions. We have a staff of information security professionals skilled in the development and management of cybersecurity programs. Our professionals assist our clients with multiple layers of information assurance and cybersecurity requirements.