Firms Unaware of Defense Department Data Protection Rules

essidsolutions

Large corporations serving as major US government defense contractors are asking their suppliers and service providers to meet stringent new cybersecurity standards by a deadline at the end of the year. These new, and demanding, security standards address the safeguarding of information systems that process, store and transmit federal government contract information.

The rules mean that many companies must address the security of their data storage if they deal with major firms engaged by the US government.

The new requirements were published in the 2016 Defense Federal Acquisition Regulation Supplement, and followed guidance issued by the National Institute of Standards and Technology. The supplement covers contractors and subcontractors whose IT systems are used to store or transmit specific defense information.

Upgrades will frequently involve the purchase of new security software and, in many cases, new hardware.

New operational requirements must also be in place, in particular governing the way companies approach data storage. Users are barred from employing consumer online storage services such as iCloud and Dropbox for this information, and laptop hard drives must be encrypted.

However, ensuring compliance will also require input from outside the immediate IT team. Lawyers may be needed to help companies draw up compliance documentation. “It is imperative for contractors and subcontractors to quickly identify the scope of their requirements,” says W. Barron Avery of law firm Baker Hostetler.

Many subcontractors either remain unaware of their potential future data storage and transmission obligations under the new requirements, or will enter into engagements without this awareness. This is particularly the case where they are already one step removed from the actual Defense contract.

While the rule at the moment applies only to Defense contracts, there is an expectation that eventually it will be expanded to cover all federal contracts as the US government seeks to implement more robust cyber security policies.

“We often see clients struggle to fully understand the definition of controlled unclassified information and how such information may traverse or be stored on their network,” says Tom Tollerton, Manager of IT Advisory at Dixon Hughes Goodman LLP.