by Jennifer Bisceglie
What do the new DoD DFARS (Defense Federal Acquisition Regulation Supplement) subpart 204.73 rules mean for contractors?
If you contract with the DoD, or work with a firm that contracts for the DoD, it’s vital to understand the security of every part of your network, whether it’s a laptop in your office or a server half a country away.
The rules basically require business owners to understand every aspect of a data chain. That includes second- and third-tier suppliers, including those that handle cloud storage — if there’s a violation, the contractor is held responsible for understanding any leaks the subcontractors might have contributed. It also includes connections between the cloud and what ends up linking to the DoD, as well as the employees of any subcontractors or suppliers, so you can be assured that no one who has access to your information via working in the cloud can cause a rupture in the security chain.
“The biggest thing your company needs to do is have an assessment done as soon as possible,” says the Association of Procurement Technical Assistance Centers’ blog.
Alexander W. Major, an associate in the Government Contracts, Investigations & International Trade Practice Group, writing in The National Law Journal, agrees:
“Contractors and subcontractors have been drafted into a fight to secure and defend their country’s data from the looming threats of cyber criminals and cyber-terrorists. All contractors need to plan accordingly – IN ADVANCE OF AGREEING TO GOVERNMENT REQUIREMENTS [capitalization Major’s]– if they expect to do business in accordance with the regulations being imposed by all executive agencies.”
Contractors also carry the burden of understanding exactly which government rules apply to them. As law firm Holland & Knight explains, regulations from different agencies can be contradictory:
“That data could be subject to one standard under a DoD contract and another standard under a civilian agency contract. Accordingly, there is no one-size-fits-all process for determining what cybersecurity compliance will look like for government contractors. At this point, a contractor may want to determine the most stringent controls potentially applicable to its mix of contracts and types of information and measure the adequacy of its information assurance systems against that standard.”
Proving this point, NextGov.com notes that the Office of Budget Management is also working on it’s security rules — which was opened for public comment — and will work in addition to, but likely dovetail with, DoD requirements.
In sum: Figure out which rules are the most stringent when it comes to your business, and follow those, all the way through to the lowest-tier supplier.
Businesses will also need to explain how they will track any “spillage,” notes another law review article. That means contractors will need to have plans in place on how to deal with problems well before they arise.
Ideally, your firm will have a solid grasp of all the regulations that apply to your business, and abide by the most stringent ones in order to ensure that you’re fully compliant.
It’s not easy to track every potential risk to your information so that you can accurately report those details should the DoD come calling. But now, it’s more vital than ever to know the answers. Your business depends on it.
Jennifer Bisceglie is the President of Interos Solutions, Inc. Interos is at the forefront of supply chain risk management (SCRM) advisory and analytical services. Interos’ capabilities cover a broad range of technical services, including cybersecurity and SCRM, network security, systems engineering, and awareness training and education. Interos has been leading the conversation on SCRM and enterprise risk management for almost a decade, having worked with a number of both public and private sector companies in various industries ranging from technology and utilities to medical devices and pharmaceuticals. This post originally appeared on The Supply Chain Risk World and has been used here with permission.