Data Breaches Can Be Far More Costly Than Compliance

A data breach can be a business’ worst nightmare. The costs of a breach are substantial and can damage both the company’s reputation and its finances. Not only are data breaches embarrassing for the company and infuriating for those whose information was compromised, but a business that is hacked may also face regulatory liability, especially if the measures taken to protect the information were not stringent enough.

A recent study has quantified the costs associated with data breaches: it pegged the cost of the average data breach at $3.8 million, and that figure does not even include the large breaches in which millions of records were stolen. These costs result from the many measures businesses must take once they learn that their systems have been penetrated.

The first thing a business must do once it learns of a data breach is contain it. Containment requires intensive effort and, unfortunately, does not happen overnight; it can take months to secure the information systems again. Until the business regains control of the situation, countless hours of overtime may be necessary, and those costs add up fast. Legal costs are steep as well, since a data breach exposes the company to a variety of legal threats. Regulators will move quickly, and legal help is necessary to deal with most of their inquiries.

Data breaches will almost assuredly cost companies some business. If the client is the federal government, a data theft during a previous contract could affect the company’s ability to win new contracts. Private clients whose information was stolen will likewise be extremely hesitant to trust the company again. Unfortunately, much of a business’ value comes from its brand, and a data breach will surely tarnish that brand.

It behooves companies to make sure that they follow the applicable cybersecurity standards. By protecting their information systems, companies stand a better chance of avoiding a large-scale hack that could put their future business at risk. The NIST standards made mandatory by the DFARS provide a starting point for companies that want to secure their networks. By complying with NIST 800-171, businesses can point to tangible efforts they have made. Hackers are determined and may still penetrate a network, but a business that is compliant with the rules can point to the efforts it made to protect its networks, which can help placate regulators and federal government customers if a data breach does occur.

Compliance solutions for NIST 800-171 can help contractors make sure that their systems are protected. An investment made today on the front end will not only help a contractor keep its contracts but can also save it from costly issues that may arise in the future.

DFARS Compliance Audits Have Begun. Are You Ready?

DOD suppliers have known for a long time that DFARS compliance audits were on the way. What seemed like a point in the future has become a present reality now that Deputy Secretary of Defense Ellen Lord has announced that compliance audits will begin assessing whether contractors are following the new cybersecurity standards.

Contractors are required by the terms of the DFARS to implement NIST SP 800-171. This standard imposes cybersecurity requirements on the information systems of those who do business with the federal government. Since it is part of the DFARS, suppliers who do not comply can lose their contracts with the federal government.

There were earlier questions about which entity would be tasked with auditing compliance with this standard. That auditor will be the Defense Contract Management Agency (DCMA), for at least some of the requirements. DCMA is responsible for performing contract administration services for DOD and will provide certain contract audit services to DOD.

When DCMA has been tasked with providing contract administration services for a particular contract, those responsibilities will now include auditing for compliance with the DFARS and the NIST standard. Specifically, DCMA will check whether the supplier has flowed down the DFARS compliance requirements to all subcontracts, as the DFARS mandates. DCMA will also audit how contractors assess the systems of their Tier I suppliers. Under these rules, contractors are responsible for making sure that everyone they subcontract with complies, which means DCMA will be scrutinizing a contractor’s purchasing system.

It is important to note that DCMA’s NIST review will take place in the context of an overall review of the contractor’s purchasing system. Such reviews are usually required for larger contractors, and it is unclear how these new audit parameters will apply to contractors with under $25 million in contract revenue from the government.

Contractors should also be aware that their own compliance with the NIST standards is subject to review by the DOD Inspector General. Contractors may be selected for such a review, and these reviews may become more frequent in the future. DCMA’s audit will be limited in scope and will not be a full assessment of compliance with NIST 800-171, so even a contractor that passes the DCMA audit still has other obligations that must be assessed.

In the wake of the Lord announcement, contractors should take the time to review all of their subcontracts to make sure they have flowed down the necessary requirements. Given the complexities of NIST compliance, DOD suppliers may want to consider obtaining extra help. Going it alone in this vital area can expose a contractor to drastic penalties if its compliance is insufficient. DOD’s approach to this area is still evolving, as these requirements are in their infancy. Extra compliance assistance can keep the contractor abreast of new developments and assist with its compliance strategy.

Understanding DFARS Compliance

Contractors that hold contracts with the Department of Defense must comply with any Defense Federal Acquisition Regulation Supplement (DFARS) clauses specified in their contracts. DFARS is a set of acquisition regulations that govern the way the Federal Government acquires goods and services. Failure to follow some clauses of the DFARS may lead to early termination of the contract, making DFARS compliance an existential issue for contractors. In a worst-case scenario, failure to comply with contractual DFARS clauses could cost a contractor all of its work with the DOD. One pertinent regulation with which contractors must be familiar is the DFARS clause defining cybersecurity standards. This clause requires contractors to implement the requirements identified in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which addresses the storage and transmission of Controlled Unclassified Information (CUI).

DFARS Compliance

Oftentimes, in the course of performing a government contract, contractors come into possession of CUI. CUI is defined as unclassified information for which government regulation requires safeguarding or dissemination controls. Although unclassified, protecting this information is still in the national interest; it may include private information whose disclosure would damage the person or entity that owns it. In the past, this information was designated “Sensitive but Unclassified.”

Although the worst-case scenario involves loss of contracts, it is ultimately the Contracting Officer’s responsibility to determine what action to take in response to noncompliance. For contracts involving CUI, attestation of compliance is a prerequisite for submitting bids for future DOD contracts. Small contractors who act as subcontractors to prime contractors can expect their primes to be vigilant about ensuring their compliance, since contractual clauses typically flow down to subcontractors.

For smaller contractors, the issue has become how best to devise a compliance strategy for these rules. Compliance will usually revolve around having sound controls and a reporting mechanism. The rule first requires that contractors have adequate security on covered information systems. The DFARS cyber clause also focuses on prompt reporting of cybersecurity incidents: if a cybersecurity incident occurs, the contractor must provide the DOD with an incident report, the malicious software, and access to the contractor’s information systems upon request. The good news for contractors is that the rules state that the occurrence of an incident does not automatically mean the contractor failed to protect CUI. However, contractors should be prepared for enhanced government scrutiny of their systems in the event of a cyber incident.

In such a case, contractors should be prepared to disclose what actions they took to comply with the DFARS cyber clause. This may include submitting evidence of the implementation of each requirement in the contractor’s System Security Plan. Contractors will have to recognize that they are partners with the government in safeguarding this information.

The first question contractors will ask is what constitutes adequate security for DFARS compliance. This is addressed by the aforementioned NIST SP 800-171 standard, which has 110 security requirements that fall into one of fourteen categories. At a minimum, contractors must describe how they have implemented, or plan to implement, the safeguards described in the special publication. These rules apply whenever CUI resides on a contractor network, whether that environment consists of on-premises servers, an internal cloud that is a component of an internal enterprise network, smartphones or tablets, or any other data processing system.