It is becoming increasingly important that federal contractors implement a robust cybersecurity program. Why? The #1 reason is to protect your company from unscrupulous people or organizations who want to hold your data for ransom or deliberately harm your company or steal your data. Another reason could be that your company wants to pursue contracts with the Department of Defense (DoD) and other federal agencies. Or, perhaps your company is interested in going after future Small Business Innovation Research (SBIR) or Small Business Technology Transfer (STTR) contracts or Other Transactional Agreements (OTAs). Regardless of what agencies your company intends to do business with – defending against cyberattacks begins by understanding cyber activity risks, the vernacular of the industry, and how to protect your company and yourself.
What is Cybersecurity?
Implementing a cybersecurity program is not an easy task. Let’s start with a definition:
“Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.” (source)
Sounds straightforward enough. But in learning the ropes of federal government contracting, you’ll find that there are several rules and regulations that surround cybersecurity, and this is where it gets complicated. At the present time, there are several Federal Acquisition Regulation (FAR) and DoD clauses that deal with cybersecurity.
FAR clause 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
If included in the contract, this clause applies to any federal contractor that processes Federal Contract Information (FCI). This rule states that contractors are required to apply 15 cybersecurity and facilities security best practices to protect their information systems. Check out the link – the requirements are listed in the clause. These best practices are known as the FAR Critical 15 or FAR Critical 17 and are re-stated in the Cybersecurity Maturity Model Certification (CMMC) Level 1 requirements.
DFARS Clause 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
This requirement is in all contracts except for contracts solely for the acquisition of Commercial Off the Shelf items. In addition, the contractor shall include the clause in subcontracts for which performance will involve covered defense information or operationally critical support. Click the link above to find definitions of terms used. For a list of terms dealing with cybersecurity and the DoD’s CMMC ecosystem, click here.
DFARS clause 252.204-7021 – Cybersecurity Maturity Model Certification Requirements
This interim rule specifies CMMC requirements and enables the department to verify the protection of FCI and Controlled Unclassified Information within the unclassified networks of Defense Industrial Base companies. The interim rule includes a phased rollout of CMMC implementation in fiscal years 2021-2025. Starting in fiscal year 2021, the department will pilot the implementation of CMMC requirements for Level 3 and below on select new acquisitions. For more information on the rollout, visit this blog or the defense.gov page.
To comply with the interim rule, all DoD suppliers, except organizations who supply commercial off-the-shelf items, must have a current assessment on record in the Government database Supplier Performance Risk System. The rule’s objective is to confirm that contractors are currently in compliance with, and have implemented, all 110 security controls in National Institute of Standards and Technology Special Publication 800-171.
The rule requires a contractor to have a System Security Plan that explains contractor compliance with each of the 110 security controls. The contractor must also generate a Plan of Action and Milestones, which describes how and when the contractor will attain full compliance for any control that is incomplete. Incomplete controls are any control where there is no available documentation that can verify the control is adequately implemented.
This brief overview is not meant to give guidance. Its goal is to have companies understand that becoming cyber-compliant is not something that can be done overnight – that it will take effort and time. Proof of compliance will be necessary. Leadership must be on board, along with the company’s IT cadre, and assistance from cyber professionals may be necessary in order to understand the requirements. It’s not a one-time process – it’s an ongoing process that will need to be continually controlled and updated. It’s also not something to leave until the last minute.
Help is Available
Don’t Miss the 2021 GRO-Biz Conference
To learn more about cybersecurity, you can attend our upcoming GRO-Biz Conference. This year, the conference is being held virtually March 9-11. In addition to learning about cybersecurity, attendees can hear from experts on several topics designed to help government contracting newcomers and experts. Visit WyomingSBDC.org/grobiz to reserve your spot.
You can also sign up for no-cost, confidential assistance with government contracting by clicking here.
About the Author: Andi enjoys helping business owners navigate the “bureaucratic quagmire” so that they can register and find government work. She has a background working for large Primes within the Department of Defense and is a former Lieutenant in the Naval Reserve. When she isn’t busy helping small businesses work with the government, Andi enjoys training young horses.