Being a government contractor can be a boon for your businesses, especially since the government doled out $3.98 trillion in government contracts last year alone. Nonetheless, there’s a significant price you have to pay in order to work with the government—especially if you’re processing, transmitting or storing controlled unclassified information (CUI). Because companies will need to adopt certain safeguards and dissemination controls when handling governmental CUI, companies working with the government will need to ensure their IT systems and hosting infrastructure can adequately support the government’s stringent cybersecurity standards.
This fact became especially clear when the government introduced new contractor cybersecurity requirements last year. These changes forced existing Department of Defense contractors who store and process CUI adopt Defense Federal Acquisition Regulation Supplement (DFARS) security procedures by December 31, 2017 in order to avoid losing their contracts. The government also now requires contractors to satisfy NIST SP 800-171’s security standards, which cover how government contractors should store and secure governmental CUI on their own private servers and information systems.
DFARS and NIST SP 800-171 are only a couple of security rules that potential contractors should plan for. There are several other relevant federal regulations that contractors will need to satisfy depending on the federal agencies they plan to work with. In some instances, state laws such as New York’s cybersecurity requirements for financial institutions could apply. Some of the most common data security standards that contractors should be preparing for include:
- ITAR—If you are exchanging defense-related technical data with the U.S. government, you may need to comply with the International Traffic in Arms Regulations (ITAR). The Department of State enforces these regulations, which requires companies that manufacture, broker or export defense-related technical data to use high-level IT and hosting safeguards to prevent inadvertent disclosures.
- FIPS—Businesses that handle CUI that isn’t solely regulated by other domestic laws or regulations may also need to comply with the Federal Information Processing Standards (FIPS). FIPS standards are published by NIST, and cover a variety of encryption, handling and dissemination requirements for different types of data. You can find a full list of FIPS data handling and encryption requirements online here.
The government’s growing emphasis on contractor security practices is also affecting contractor bidding outcomes. The Government Accountability Office (GAO) and federal agencies are now placing more weight contractors’ cybersecurity capabilities when analyzing bids. The GAO’s decision in Syneren Tech. Corp. is one example of this. Before this decision, Syneren submitted a bid to provide IT services for the Navy. In its bid, Syneren disclosed that its work would utilize a vulnerable software program that did not meet the Navy’s cybersecurity requirements. Naturally, the Navy rejected Syneren’s bid. After Syneren filed a formal protest with the GAO claiming that the Navy improperly evaluated its bid, the GAO ruled in favor of the Navy after finding that the Navy’s solicitation contained explicit cybersecurity-related conditions that bidders needed to satisfy. As a result, Syneren’s failure to incorporate satisfactory security safeguards cost it a potentially-lucrative government project.
These developments underscore why it’s important that contractors use the right tools to host governmental CUI securely. Moving this data into the cloud can help you meet governmental security standards and avoid potential bidding roadblocks.