The Department of Defense (DoD) recently released its 2018 Cyber Strategy, which has evolved significantly since the previous strategy was published in 2015. Just as the DoD expects quality from its suppliers, it now expects the products and services they deliver to be secure.
During the Air Force Association’s Air, Space & Cyber Conference in Washington DC, Deputy Secretary of Defense Patrick Shanahan made clear that “Cybersecurity is probably going to be what we call the fourth critical measurement. You know, we’ve got quality, cost, schedule.” He also elaborated on how the DoD evaluates its acquisitions:
“Security is one of those measures that we need to hold people accountable for. And it shouldn’t be that being secure comes with a big bill. Like we wouldn’t pay extra for quality, we shouldn’t pay extra for security. We’re in a new world, and security is the standard, it’s the expectation, it’s not something that’s above and beyond what we’ve done before.”
Shanahan’s statements have significant implications for government contractors. They reinforce the expectation that security is not an afterthought but is built into the products and services contractors provide to the DoD. Going forward, contractors will need to demonstrate higher levels of security to win DoD contracts, and prime contractors and subcontractors that cannot show compliance with the applicable security standards will lose business.
Another area of focus is supply chain security. The DoD will hold government contractors accountable for the cybersecurity practices of their supply chain. A prime contractor is responsible for every subcontractor it uses and must take the time to assess each one properly, so that a subcontractor’s weak practices do not jeopardize the prime contractor’s ability to do business with the DoD.
At present, the DoD’s cybersecurity requirements for contractors are set out in its own acquisition regulations and contract clauses, the Defense Federal Acquisition Regulation Supplement (DFARS). Contractors should familiarize themselves with clauses 252.204-7008 “Compliance with Safeguarding Covered Defense Information Controls” and 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Clause 252.204-7012 in particular requires contractors to implement the security requirements of NIST Special Publication 800-171 and to report cyber incidents to the DoD.
Even if these clauses are not yet in their contracts, contractors should take steps to become compliant with NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The publication sets out requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) on nonfederal systems. A government contractor that can demonstrate NIST SP 800-171 compliance has taken a concrete first step toward meeting the fourth critical measurement Shanahan described.
There is good news for small businesses in the state of Maryland. The Maryland Department of Commerce has been awarded $515,636 in federal funding from the DoD Office of Economic Adjustment (OEA) to assist in-state small and mid-sized prime contractors that need help meeting the NIST SP 800-171 standard.
For more information on how to strengthen security and protect your business, contact Payal Vadhani or one of our risk advisory specialists at 301.231.6200.