Firewalls. Encryption. Training. Insurance. Vigilance.
How do you protect your data and mitigate the risks inherent in the digital workplace? Experience confirms that information technology systems can easily be accessed by an unfriendly third party when one employee believes a single misleading email – and one such mistake can be extremely costly. But protections sufficient to truly secure your systems may be expensive, involve time otherwise spent on business pursuits, and will likely require buy-in at all levels of an organization. When margins are already slim, cybersecurity may take a back seat to other, more immediate costs. A recent development in federal procurements, though, holds promise for contractors hoping to find a way to pay for improved cybersecurity.
The Department of Defense (“DoD”), through Katie Arrington, the Special Assistant to the Assistant Secretary of Defense for Acquisition for Cybersecurity, recently announced at the Professional Services Council’s Federal Acquisition Conference, in June 2019, that costs associated with improving cybersecurity will constitute an allowable cost on some DoD contracts. One commentator recently wrote in response to this news that “if the Pentagon follows through with its promise . . . this is one of those moments in procurement history that we will all remember.”
Although the extent of the allowance has not yet been detailed, the announcement is important because it recognizes that there is a cost that contractors and vendors bear to secure their systems in support of government projects. And like other project costs, the government, as owner, must play a direct role in both setting the bar for cybersecurity and providing compensation to address this important national security issue. This development also seemingly ends the debate as to whether cybersecurity costs can be included in overhead, at least on certain contracts and in some percentage.
The announcement that cybersecurity will be an allowable cost follows DoD’s rollout of its effort to develop and institutionalize its Cybersecurity Maturity Model Certification (CMMC) Program for contractors and vendors, which builds on the Defense Federal Acquisition Regulation Supplement clause that required defense contractors, by December 2017, to implement the security controls in the National Institute of Standards and Technology’s Special Publication (NIST SP) 800-171. The concept of the CMMC is to standardize cybersecurity practices and require certification by third-party assessment organizations. Currently, defense contractors are required to meet the NIST standard but are not audited; instead, contractors self-certify that their cybersecurity practices are sufficient. That is about to change.
The draft CMMC standard defines five maturity levels of protection, ranging from “basic hygiene,” which is presumably inexpensive enough that a small contractor or vendor could meet it, to “state-of-the-art” protections. The plan is for DoD to use third-party auditors to rate contractors on their ability to protect sensitive information on this five-point scale and then work minimum rating requirements into defense contracts. The apparent goal is to secure the entire supply chain (“supply chain risk management,” according to one commentator), including by raising contractors, and their subcontractors and vendors, above the basic hygiene level to protect DoD information. General contractors may become responsible for ensuring the cyber hygiene of their subcontractors and suppliers, a recognition that some of the most significant successful hacks in recent memory occurred because a low-level supplier’s systems were unprotected.
The timing for putting the CMMC into place is aggressive. Arrington announced that the goal is to have a draft standard out in summer 2019, with third-party assessors ready to certify vendors in January 2020. DoD will begin adding the CMMC standards to requests for information in June 2020 and will include the standards in solicitations beginning in September 2020. If that timing holds, contractors bidding on DoD contracts must be prepared to satisfy these standards in less than a year.
So how does this affect contractors who do not bid on DoD work? If, as Arrington suggested, this effort results in a standardization of cybersecurity protocols, the CMMC or similar requirements will likely expand to other federal work, and eventually to state contracts.
The interest in cybersecurity at the state level is clear. Just in the first half of 2019, 45 states and Puerto Rico introduced or considered more than 260 bills or resolutions that deal significantly with cybersecurity. Some of the key areas of legislative activity seek to:
- Improve government security practices.
- Address the security of connected devices.
- Regulate cybersecurity insurance or establish standards for insurance data and information security.
- Address elections security.
- Create cybersecurity commissions, task forces or studies.
In Massachusetts and Rhode Island, for example, where I practice, bills were introduced to give preference to technical vendors carrying cybersecurity insurance (MA H 2728 Pending), to set standards for some state contracts (MA H 2692 Pending), and to criminalize accessing the user account of another person without consent for the purpose of viewing or using information maintained on any electronic database, website, or account, with each instance constituting a separate offense (RI H 5987 Pending). Given this interest, it seems inevitable that state contracts will begin implementing requirements to secure government data obtained or shared in the course of construction projects, particularly given the increasing cyber-connectivity between owners, general contractors and their subcontractors and vendors. Such implementation by the states will be much easier if the federal government has already put standards in place.
Given these developments, it makes good sense to revisit and update your company’s cyber risk management plan. Strong protocols that protect systems from third party access, including the use of firewalls, encryption and frequent password changes, are recommended. In addition, employee training is a must, e.g., to provide updates on how hackers target and access systems and to reinforce the essential habit of not clicking that attachment from a stranger’s email. Revisions to contract language to shift the liability and cost to subcontractors and vendors may also be appropriate. Finally, insurance programs should be reviewed with an insurance agent or legal professional to confirm that the coverage in place truly provides the first- and third-party protections that are desired and expected.
For good reason, strong cyber hygiene is increasingly viewed as a necessity rather than a luxury, and at some point in the near future it may no longer be optional. As the federal government moves toward a common standard, it remains to be seen whether DoD will implement attainable goals for small and medium-sized contractors. But the explicit indication that DoD will allow costs for cybersecurity to be included in overhead, at least on some contracts, is a recognition by the government that it must share in the cost burden if it wants to accomplish its goal of protecting valuable data. Contractors who recognize that the bar for cybersecurity is being set, and who position themselves now both to achieve compliance and to recover the associated costs where possible, will have the competitive edge.