Cybersecurity Compliance for Government Contracting
by Brandon Graves, Partner
2021 was a significant year for cybersecurity, both in view of breaches and the regulatory landscape. For government contractors, cybersecurity requirements are currently in flux. CMMC 1.0 was scrapped, CMMC 2.0 was part way rolled out, some agencies did their own thing, the President issued significant executive orders, and NIST published a lot of guidance. In addition, the infrastructure bill included groundbreaking funding opportunities in both traditional IT and cybersecurity.
Fortunately, the steps to protect yourself from emerging threats and to comply with future regulations look very similar. And while a full compliance program can be daunting, most organizations can take small steps that can make a big difference.
The first thing you should do is look at where you are. Software and hardware inventories are the first of the Center for Internet Security’s Critical Security Controls, while are also essential for a quality risk assessment. Almost every compliance requirement, current or planned, places significant weight on risk assessments as a method to prioritize cybersecurity efforts and to involve senior management in cybersecurity decisions. Legal decisions also highlight the importance of risk assessments in justifying cybersecurity decisions to regulators.
That second point—senior management involvement in cybersecurity decisions—is critical. The person directly responsible for the daily operation of cybersecurity should be an executive. All executives should be involved in cybersecurity, and that involvement should be documented in established policies. The Department of Justice has formed a task force to identify government contractors without adequate cybersecurity and will pursue fraud charges where appropriate. Some of those charges will be targeted at senior executives.
This post hasn’t mentioned technical security measures yet, even though that is what most people think of when they think of cybersecurity. Implementing individual measures without an overarching plan, supported by senior management, is a recipe for failure both in defending against threats and in meeting compliance obligations. It is also a recipe for spending a lot of time and resources while failing.
Like any other compliance program, cybersecurity requires continuous monitoring. Audit, review, improvement. Unlike some compliance programs, cybersecurity programs must continually adapt to a rapidly changing threat environment. A well-designed program will be flexible enough to address these threats, and, as a happy by-product, meet new compliance obligations.
Our attorneys can help you get started in developing a plan. They can take a look at what you have in place now. Most importantly, they can help you when something goes wrong. Contact Centre today!