Contractors struggle with 'patchwork' of cybersecurity regulations

Federal contractors trying to report a hack on their computer systems struggle with a maze of piecemeal regulations, contracting experts say. And clarifying that ambiguity could be a difficult long-term project because there is likely no one bill or executive action that would do the trick.

"The compliance issues are hard for government contractors because you don't have one box, one checklist of things you can do for all of your contracts to make sure that you're compliant," said Elizabeth Ferrell, a partner at McKenna Long and Aldridge, at a Nov. 6 conference hosted by the Coalition for Government Procurement in Washington.

The revelation in August of a high-profile breach at U.S. Investigations Services and the Office of Personnel Management's subsequent decision to terminate the firm's background-check contracts drove home the vulnerability of federal contractors to cyberattacks and prompted some to reassess their security. OPM's ditching of USIS also raised the question of whether government agencies will write higher data security standards into contracts.

Adhering to data-breach regulations is no guarantee of continued government business. A USIS spokesperson said the firm swiftly reported the breach to authorities after its computers were hacked, and hired a forensics team to investigate. The company said in August that it also reported the breach right away to OPM. But USIS' computer system was likely compromised months before the firm notified authorities in June, according to a Nov. 3 Associated Press report.

At the conference, Ferrell rattled off a bevy of cybersecurity regulations or draft regulations that could apply to contractors. There are isolated rules in the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement, she said. "And then to compound it further, there are agency-specific cybersecurity clauses, and there are contract-specific cybersecurity clauses. So it makes it a very difficult thing for contractors to comply with it."

One DFARS clause, titled "safeguarding unclassified controlled technical information," took effect last November. It applies only to contractors whose systems handle such information.

Compliance with data-breach regulations can also be costly. A study released in May by the Ponemon Institute found that a data breach -- a category that includes everything from cyberattacks to accidental disclosures of data by the company -- cost companies an average of $3.5 million per incident. That total includes legal fees spent on compliance.

The many regulations facing contractors are not so much conflicting as overlapping, making them difficult to respond to separately, Ferrell said in a subsequent phone interview. She has heard from contractor clients who say that selectively complying with one regulation can be difficult. For example, it is much easier for a firm to institute companywide protections in response to the DOD clause on unclassified information instead of setting up a separate server for DOD contracts, she said.

"It would be helpful if there was a standard set of cybersecurity protections that all government contractors had to employ," she said, adding that enhanced protections could be written into contracts involving sensitive data.

The National Institute of Standards and Technology published a cybersecurity framework in February to help companies perform their own risk assessments, but that document does not stipulate protocols for reporting data breaches.

Robert Nichols, a partner at Covington and Burling, said vague regulations and the lack of a comprehensive government approach to breach reporting has left contractors unsure of how to respond to breaches. Nichols told FCW that he has heard this confusion directly from clients, which include contractors responsible for operating sensitive government facilities.

Congress has occasionally tried to tackle the issue, he said, but "I think it's going to be years before contractors have a clear road map as to the government's expectations of them."

Correction: This article was updated on Nov. 7 to clarify a quoted source's relationship with USIS. That individual is not an attorney for the firm, and described the speed of USIS' response -- not specific contractual obligations.