Thursday, December 6, 2012
Heightened Cybersecurity Requirements Imposed on Companies Contracting with GSA and DOD
If your business is awarded a government contract with the General Services Administration (“GSA”) or the Department of Defense (“DOD”), it needs to understand the tightened cybersecurity regulations recently introduced by both agencies. Both of these regulations will require that contractors adopt enhanced security and training initiatives for employees.
On January 6, 2012, the GSA adopted final guidelines applicable to contracts and orders that involve information technology (“IT”) supplies, services and systems. The sweep of this regulation is broad, applying to a large swath of contractors offering goods and services to GSA or through a Schedule.
Within 30 days of contract award, GSA’s new regulation requires a covered contractor to submit an IT Security Plan compliant with a variety of federal laws and regulations, including Homeland Security Presidential Directive 12, FISMA, and applicable NIST guidelines, which GSA reviews in order to determine whether the contractor is adequately protecting GSA’s data and preventing any unauthorized use of the data. Once accepted by the contracting officer, the IT Security Plan is incorporated into the contract as a compliance document. Moreover, the GSA regulations also mandate that the contractor develop a Continuous Monitoring Plan, submit written proof of IT security authorization within six (6) months after contract award, submit annual verification that its IT Security Plan remains valid, and ensure that its employees performing under the GSA contract receive annual IT security training. If the contractor fails to comply with these GSA regulations, its contract with GSA may be terminated.
Likewise, in June 2011, the DOD proposed a new rule to increase security measures to protect unclassified DOD information within a contractor’s system from unauthorized disclosure. The DOD regulations also require a contractor to report any cyber attacks on such unclassified information, and failure to report such incidents may be used as evidence that the contractor did not establish adequate safeguards. The DOD regulations provide for a two-tier protection scheme for unclassified DOD information: “basic safeguarding” and “enhanced safeguarding.” Unclassified DOD information falling under the “basic” category includes any nonpublic information provided by DOD to the contractor. The “enhanced” category includes information that DOD designates as critical, as well as personal identification information. Regardless of which category applies, the contractor will have to put in place sufficient security measures, which may require changes to a company’s email, intranet, and other data-sharing processes.
It is essential for businesses contracting with either the GSA or the DOD to comply with these new regulations. While the contractor may incur increased costs as a result of updating or adding new protective measures to its IT security protocol, the contractor will benefit in the long run as the threat of cybersecurity attacks continues to increase and become more sophisticated.