The hottest issue for federal contractors today is cybersecurity awareness and defense. You may be thinking: “I’m just a subcontractor to the primes. Why would they want to penetrate my internal IT system?”
Nation states are committing cyber theft on a grand scale. No matter how great the protection, there’s a small amount of information that leaks out from the defense prime contractors. Therefore, targeting first, second, and third-tier subcontractors, as well as prime contractors, has become more important to international cyber thieves. If cyber thieves can obtain information on pieces and components, an incomplete picture (stolen from the primes) becomes clearer.
It’s especially true if your company is a manufacturer of defense pieces, parts or complete sub-assemblies. Think about it. Information from the engineering staff to the manufacturing staff is all communicated electronically at lightning speed. At the same time, that information is secret to competitors. Your company developed it, built it, and made it compatible with third-party equipment. Simply put, it is intellectual property, not to be shared with the federal government. So, why allow it to be shared with an international cyber thief?
This may not pop up on your radar as a priority. But if you are not currently protecting and monitoring your IT system, there is a high possibility it has already been penetrated.
The Defense Department has imposed requirements to protect “unclassified controlled technical information”, and it recently expanded these obligations via interim rules with immediate effect.
In a recent edition of FCW, The Business of Federal Technology Magazine, author Brian D. Miller provides the following: “We are going to see new cyber protection requirements in many solicitations and contract modifications. And an unwary contractor might become a casualty when it certifies compliance, even implicitly, with ‘all IT security standards.’ For example, the second draft request for proposals for GSA’s Alliant 2 subjects contractors to ‘all ordering activity IT security standards … and government-wide laws or regulation applicable to the protection of government-wide information security.’ How can a contractor certify before it knows what ‘sensitive data and information’ will be part of the performance of a task order? Or even what all the standards will be? Yet if a contractor does not certify or impliedly certify, it may lose the chance to compete for an award.”
Essentially, failing to certify will likely result in the government acting under the False Claims Act (FCA). When imposed on prime contractors, it will flow down to the subcontractors for full compliance.
To get started, be aware that the FBI offers assistance upon request. The Bureau’s Cyber Action Team was established in 2006 to provide rapid incident response on major computer intrusions and cyber-related emergencies. These specialists are located at FBI field offices around the country. They are either special agents or computer scientists, possessing advanced training in computer languages, forensic investigations, and malware analysis.
Since the Team’s inception, the Bureau has investigated hundreds of cyber-crimes. Several of those cases were deemed of such significance that the rapid response and specialized skills of the Cyber Action Team were required. Some of those cases affected U.S. interests abroad, and the team deployed overseas, working through our legal attaché offices and with our international partners.
So, don’t have your IT folks simply respond to the ‘Help Tickets’. Proactively monitoring your IT system is now a requirement that cannot be overlooked, regardless of how benign your activity. Then, if an intrusion is detected, the FBI is there to help.
In the coming months, The McKeon Group will provide additional insights and actions that can be taken to strengthen cybersecurity and compliance requirements for all federal contractors.