Cybersecurity continues to be a growing priority for both the federal government as well as private organizations. With more and more high-profile breaches occurring regularly, it has become crucial for the federal government to work closely with private contractors to ensure that efficient contingencies are put in place in case of a hack.
Mary Beth Bosco, Partner in the Government Contracts Group at ACG Annual Sponsor Holland & Knight, recently participated in a “Legal Minute” video, where she discussed new cybersecurity requirements for private companies working with the federal government.
Miss Bosco began by quoting FBI Director James Comey, who believes that “there are two different kinds of companies in the United States; those that have been breached, and those that don’t know that they’ve been breached.”
But despite growing cyber concerns, congress has yet to introduce comprehensive federal cybersecurity legislation. “The same is not true if you’re a company that does business with the federal government, and that’s particularly true of DoD contractors,” said Miss Bosco.
She continued, “In fact, just last week, the National Defense Authorization Act of 2015 passed, and it contains a new requirement for reporting to DoD cybersecurtity incursions.”
These new provisions create a new class of contractors knows as “Operationally Critical Contractors,” or companies that support the military in their logistics and transportation of US troops and supplies, such as fuel.
The U.S. Cyber Command estimates that over 80 percent of DoD logistics are transported by private companies. It also found that private airlines provide over 90 percent of DoD’s passenger movements and one third of bulk cargo movements.
“Given their importance to DoD, these companies are prime targets for cyber hackers. What these new requirements will do is set forth a procedure for DoD to identify who these companies are.”
“Once they’re indentified, they will be required to report rapidly to DoD whenever they experience a cyber incident. In addition, they’ll have to provide the DoD with information about the incident, and allow DoD into their facilities if necessary to investigate on its own.”
DoD contractors who handle information – even if it’s not classified but has some other restriction on dissemination – are also subject to breach reporting requirements right now. This might be:
- Export Control Information
- Technical Data Specifications
- For Official Use Only (FOIO) Information
“These contractors are already required to report any cyber breach within 72 hours, and again, to cooperate in investigation and to allow DoD to come in and investigate.”
But the DoD isn’t the only agency with cyber requirements; according to Miss Bosco, “more and more civilian agencies have these requirements on the book. Most of them require you to have a written cybersecurity assurance plan that they approve.”
The major takeaway from Mary Beth Bosco’s insightful discussion is that companies that do business with the federal government should be taking a harder look at their contracts to see what requirements are in them. They should also look at the governing regulations to see what types of reporting, planning, or other cyber requirements they’re subject to.
Companies working alongside the government should also be taking a look and paying attention to the DoD; “it’s very important for people to pay attention to what DoD is doing, because they’re really the leader in this area, and their requirements may not only be the basis for other federal agencies, but they may also be used in some cases as a standard of care for private companies.”
To watch Mary Beth Bosco’s video in full, click HERE