WashingtonExec

Contractors Face More Stringent Cybersecurity Requirements

By Jeff Kinney, February 27, 2019

Key Takeaways for Executives

  • Defense contractors are facing ever more stringent cybersecurity requirements.
  • Many of these are found in NIST SP 800-171.
  • To cope, contractors should focus on training, shoring up network infrastructure, and protecting CUI.

Defense contractors are facing more stringent federal requirements when it comes to cybersecurity, according to contracting attorneys.

These requirements stem from the evolving cyber threats the Defense Department faces, they said.

“Cybersecurity requirements are increasing for contractors due to the growing threat vectors targeted at government agencies,” said Shamlan Siddiqi, chief technology officer for NTT DATA’s public sector business. “Not only are stricter controls being published for contractors to work with government agencies, but also many cybersecurity requirements, such as data encryption, identity management and information assurance, are being incorporated into requests for proposals.”

Siddiqi said some of the most significant requirements for contractors are found in the National Institute of Standards and Technology Special Publication 800-171, which provides standards for non-federal computer systems that store, process, or transmit controlled unclassified information or provide security protections for such systems.

Among other things, he said these standards involve sharing and management service, virtual desktop service for accessing and processing data, multifactor authentication, use of appropriate cloud platforms, and active directory service for centralized access control and management.

Siddiqi said that to remain compliant with the new requirements, contractor employees must be properly onboarded and trained. In addition, agencies and contractors should:

  • evaluate and adjust current controls, processes and application/infrastructure/network setup to strengthen security;
  • move key CUI data to secure storage, while also enhancing centralized access and identity management; and
  • conduct continuous impact assessments and risk tolerance analyses across the contractor ecosystem.

Barrage of Guidance

According to Covington & Burling LLP attorneys Susan Cassidy and Ian Brekke, contractors not only have to comply with NIST SP 800-171, they also face audits and other compliance hurdles the Defense Department has layered on to cope with evolving security threats. These requirements are outlined in several DOD guidance memos, including the November 2018 final guidance for assessing security controls in NIST SP 800-171.

DOD also issued two additional memos to further explain cybersecurity requirements for contractors, including:

  • A December 2018 memo from Assistant Secretary of Defense for Acquisition Kevin Fahey providing contractual language that requiring activities can use in conjunction with the November 2018 guidance. The memo covers access to and delivery of contractors’ system security plans, access to and delivery of a prime contractor’s plans to track flow-down of covered defense information (CDI) to subcontractors, rules regarding flow-down of CDI, and restrictions on unnecessary sharing of CDI.
  • A January 2019 memo from Undersecretary of Defense for Acquisition and Sustainment Ellen Lord on using audits of contractors’ purchasing systems to determine whether they have complied with the Defense Federal Acquisition Regulation Supplement cyber clause.

According to Cassidy and Brekke, all of this “piecemeal” guidance, while perhaps well-intended, runs the risk of raising more questions than answers.

“DOD’s evolving cybersecurity requirements present new challenges to contractors that are still working to fully implement all 110 controls in NIST SP 800-171,” they said.

Although DOD says compliance with NIST SP 800-171 is the minimum requirement, “the reality is that the ever-changing approach and the use of guidance issued in a piecemeal fashion has the potential to cause more confusion rather than less,” they said.

Regardless, firms with DOD cybersecurity contracts should take note of the requirements and do their best to meet them.

“Contractors will need to update their subcontract forms and develop an approach for meeting these requirements, as they are likely to begin appearing in solicitations, and [Defense Contract Management Agency] will be expanding its review of contractor purchasing systems with the above requirements,” Cassidy and Brekke said.
