It’s a new frontier in data protection, with threats and attacks on systems expected to increase as more business is conducted online. For contractors, the procurement process has gotten much more stringent in terms of cybersecurity expectations. In the past several years, contractor cybersecurity has become a focus of the federal government. The Defense Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Assessment (CMMC) are the new standards for procurement at the federal level. Companies seeking to do business with the federal government are now subject to more rigorous cyber compliance requirements. These requirements come with a maze of complex and sometimes contradictory rules, as well as high costs to achieve compliance.
Cybersecurity is a Team Sport
Rich Delisio, Procurement Specialist at Ohio University Voinovich School-PTAC, has been a leader in preparing companies for this shift in procurement standards. The compliance process can be daunting for those taking the first steps. Delisio compares the slow-roll investment in cybersecurity to trying to get into better shape. He tells clients to start with the fundamentals, like Readiness Review Level 1, to measure current compliance and build an implementation plan. Each subsequent step gets companies closer to their goals. “It’s going to take a few years,” Delisio says. “If you’re a small company, you want to have an assessment done, have IT people who are have an understanding of the requirements and start protecting your information.”
Barriers to Cyber Adoption
Cost can be a significant barrier to compliance, particularly for start-ups facing steep up-front expenses. Delisio recommends strategically investing in cybersecurity and being slow and deliberate when rolling it out. He advises his clients to wait to spend money on third-party compliance providers until they have been properly identified and can provide CMMC certification.
Transparency is Key
One critical part of cybersecurity compliance is having visibility into the practices of the supply chain and to subcontractors, which will become increasingly scrutinized on the federal level. Delisio adds, “Be conscious of subcontractors; be aware of where they stand in the assessment process.” He counsels clients on having a baseline understanding of, and commitment to, their subcontractors’ existing cyber policies in order to remain compliant and continue to improve processes. Delisio encourages relationship building with subcontractors and to vet all potential connections to lower risk.
Make Policy Standard Practice
Cyber policies are a key driver for consistent cybersecurity practices across an organization, as well as with the relationships to vendors and subcontractors. Limiting access to data and systems and keeping it lean is something Delisio is already seeing among his clients. For some clients, access to sensitive contract information is limited to a single person, typically the project manager. Some have made physical changes, like storing equipment and information in a protected room where only a small number of people are allowed access. Delisio cautions against assuming access control without having policies in place. “Small companies sometimes think, not that many people have access to it. Then it’s four, eight.”
Compliance is a Marathon
Delisio expects more markets to follow the Department of Defense’s lead and adopt similar compliance requirements. He stresses the value of training and education for staff to engage them in a culture of compliance. These efforts build resources and networks. Leveraging the services of local Procurement Technical Assistance Centers (PTAC) can help guide companies toward compliance. Delisio reiterates that this is going to be a long process. Companies should be prepared to invest years in the transition, but not expect it to be like a switch turned on where everyone needs to be in immediate compliance. Most importantly, Delisio says, “As a company, be very protective of your information.”
Cyber Compliance Questions?
We're here to help! Schedule a free 30-minute cybersecurity consultation to assess your current posture and set manageable goals to go on the offensive against cyber threats. To schedule a consultation, click the button below, or email Ally at firstname.lastname@example.org.