Knowing the answer, down to the most obscure-seeming data point, could be the difference between successfully navigating government contracting and closing up shop.
New rules rolled out at the end of August codify the Department of Defense’s cybersecurity policy, including the responsibilities of DoD contractors and subcontractors when it comes to information security. The new “interim rule” pulls together some requirements already scattered through other acts and memorandums, but adds some new items.
And in early October, the federal government made it clear that these are not voluntary regulations, but instead requirements for doing business, according to The National Law Review.
Some 10,000 businesses will be impacted by the changes, according to NextGov.com.
The Small Print (Some of It)
Data breaches have become such a major concern that the DoD says “urgent and compelling reasons” pushed authorities to issue the new rules without any public comment, effective immediately. Likely weighing heavily on their minds was an alleged Russian spear-phishing attack against the Pentagon just weeks before the August announcement.
Ultimately, the issuances demand a closer examination of data security and resources along every step of a defense contractor’s supply chain.
Essentially, contractors must report any incident that impacts “covered defense information (CDI), a covered contractor information system (a federal contractor’s information system that handles CDI), or on a contractor’s ability to provide operationally critical support,” according to one trade organization. In return, the DoD promises to protect proprietary information on behalf of the contractors should it need to investigate.
The Government Contracts, Investigations and International Trade blog from the law firm of Sheppard Mullin lays out the changes in great detail. It’s worth reading the entire post. Some of the highlights:
- The DoD has expanded the definitions of the unclassified information that, if involved in a potential “incident,” contractors are liable to report.
- The burden of following the new rules falls on contractors. Those who can’t follow the new rules will have to prove why it’s impossible or inapplicable.
- Contractors must report whether their work utilizes cloud computing; the rule also supplies the corresponding contract wording.
Additionally, all cloud computing facilities must be located in the U.S., another law journal post notes, and firms must be able to explain how they will track everything and work with the DoD should the worst happen.
Businesses have 72 hours to report any breaches — the clock starts as soon as the problem is discovered — and reporting happens via a DoD website. Law firm Holland & Knight reports that it is up to the contractor to investigate the scope and circumstances of a breach, while the DoD reserves the right to examine the affected systems itself.
And if you think there is wiggle room because you are a small business with only a handful of employees? Think again: there are no exceptions for small businesses.