The New War: Cyber Security for Government Contractors
Nearly every week we learn of new cyber security breaches carried out by unknown nations and infamous groups such as Anonymous. It is not inconceivable that our next war will be fought solely on the “cyber” front, and contractors of all shapes and sizes will be on the front lines. Even now, each and every contractor is affected by the looming cyber security threat. For instance, some contract holders now have to develop and file an IT Security Plan within 30 days of contract award. Moreover, many states have reporting requirements when there is a breach that releases personal information.
On top of everything else, the Government is mandating that its systems and data be moved to a “cloud.” A cloud-based system has the advantage of being a cheaper alternative to dedicated storage. It also offers convenience because, by its very nature, the cloud can be accessed from anywhere. On the other hand, putting everything in a cloud makes that information more vulnerable to hackers.
What do you do to insulate yourself from hackers and fight back against cyber threats? First, it is important to realize that no system is foolproof against hackers. The largest commercial companies and contractors have had systems breached by hackers. For instance, Chinese hackers are suspected of hacking into the Gmail (by Google) accounts of senior-level Government officials. On the government contracting side, a contractor (which will be nameless on this blog) that has contracts protecting the FBI from cyber security threats was itself hacked. The fact that one of the world’s largest companies and a government contractor whose expertise is in cyber security were both compromised is proof enough that everyone is at risk.
What do you need to know to be cyber compliant? It depends on the business your company is in and the type of data it stores. For example (this is certainly not an exhaustive list):
- In a Final Rule published on January 9, 2012, GSA is now requiring all contractors supplying IT services to the Government to have an IT Security Plan. This plan must be submitted within 30 days of contract award.
- Depending on the information you collect, your company could be subject to the Cable Communications Policy Act, the Telecommunications Act of 1996 or the Federal Trade Commission. Moreover, the Computer Fraud and Abuse Act can be used as a sword against hackers or those in your company who access information without authorization.
- A majority of states have enacted breach notification laws. For instance, in Virginia, notification of affected persons and the Office of the Attorney General is required if certain personal information is released (such as names with connected Social Security numbers). See VA Code 18.2-186.6. Other states have similar requirements.
One piece of good news for contractors: the new demand for cyber security will give contractors who provide that service a chance to sell it to the federal Government over the next few years. While spending overall is decreasing, spending in this critical area is increasing.