Overview of Cybersecurity Requirements

When contracting with the federal government, it’s crucial to ensure your team and information systems are prepared to handle sensitive and controlled information that cannot be shared with the public. Managing physical records always carries some risk; digital data presents even greater challenges. Many internet-connected computer systems are not fully secured, and day-to-day practices such as limited user training, risky behaviors, and poor cyber hygiene can open the door to threats. Examples include:

  • Limited user training – lack of knowledge of policies, requirements, threats and their impacts
  • Risky behaviors – weak passwords, sharing passwords, clicking on unknown links
  • Poor cyber hygiene – failing to install updates, not using anti-virus software, running outdated or unsupported software

The federal government defines cybersecurity requirements in regulations and incorporates them into contracts as clauses. These clauses define what a contractor must do to comply with the contract and to provide adequate security so that government data is not compromised by cyber threats. For companies working on contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), there are clear cybersecurity standards that must be met:

  • Contractor information systems that handle FCI must comply with FAR 52.204-21, which outlines basic safeguarding requirements for covered contractor information systems.
  • Contractor information systems that handle CUI under Department of Defense contracts must also comply with NIST SP 800-171 r2, as required by DFARS 252.204-7012, to protect covered defense information.

In many instances, cybersecurity requirements must be flowed down from the prime contractor to its subcontractors and suppliers. Flow-down requirements may include purchases of commercial items (commercially available off-the-shelf items are excluded under both clauses). These flow-down requirements continue down through the supply chain any time FCI or CUI is involved. Supply chain security should not be an afterthought: companies need to be diligent in knowing their suppliers and with whom they are subcontracting. Until CMMC goes live, companies also need to be vigilant in ensuring that external parties that will have access to either FCI or CUI have implemented the required security measures.

In summary, both contractors and subcontractors are responsible for ensuring their cybersecurity practices align with these federal requirements.