Contractors struggle with 'patchwork' of cybersecurity regulations

Federal contractors trying to report a hack on their computer systems struggle with a maze of piecemeal regulations, contracting experts say. And clarifying that ambiguity could be a difficult long-term project because there is likely no one bill or executive action that would do the trick.

"The compliance issues are hard for government contractors because you don't have one box, one checklist of things you can do for all of your contracts to make sure that you're compliant," said Elizabeth Ferrell, a partner at McKenna Long and Aldridge, at a Nov. 6 conference hosted by the Coalition for Government Procurement in Washington.

The revelation in August of a high-profile breach at U.S. Investigations Services and the Office of Personnel Management's subsequent decision to terminate the firm's background-check contracts drove home the vulnerability of federal contractors to cyberattacks and prompted some to reassess their security. OPM's ditching of USIS also raised the question of whether government agencies will write higher data security standards into contracts.

Adhering to data-breach regulations is no guarantee of continued government business. A USIS spokesperson said the firm swiftly reported the breach to authorities after its computers were hacked, and hired a forensics team to investigate. The company said in August that it also reported the breach right away to OPM. But USIS' computer system was likely compromised months before the firm notified authorities in June, according to a Nov. 3 Associated Press report.

At the conference, Ferrell rattled off a bevy of cybersecurity regulations or draft regulations that could apply to contractors. There are isolated rules in the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement, she said. "And then to compound it further, there are agency-specific cybersecurity clauses, and there are contract-specific cybersecurity clauses. So it makes it a very difficult thing for contractors to comply with it."

One DFARS clause, titled "safeguarding unclassified controlled technical information," took effect last November. It applies only to contractors whose systems handle such information.

Compliance with data-breach regulations can also be costly. A study released in May by the Ponemon Institute found that a data breach -- a category that includes everything from cyberattacks to accidental disclosures of data by the company -- cost companies an average of $3.5 million per incident. That total includes legal fees spent on compliance.

The many regulations facing contractors are not so much conflicting as overlapping, making them difficult to respond to separately, Ferrell said in a subsequent phone interview. She has heard from contractor clients who say that selectively complying with one regulation can be difficult. For example, it is much easier for a firm to institute companywide protections in response to the DOD clause on unclassified information instead of setting up a separate server for DOD contracts, she said.

"It would be helpful if there was a standard set of cybersecurity protections that all government contractors had to employ," she said, adding that enhanced protections could be written into contracts involving sensitive data.

The National Institute of Standards and Technology published a cybersecurity framework in February to help companies perform their own risk assessments, but that document does not stipulate protocols for reporting data breaches.

Robert Nichols, a partner at Covington and Burling, said vague regulations and the lack of a comprehensive government approach to breach reporting have left contractors unsure of how to respond to breaches. Nichols told FCW that he has heard this confusion directly from clients, which include contractors responsible for operating sensitive government facilities.

Congress has occasionally tried to tackle the issue, he said, but "I think it's going to be years before contractors have a clear road map as to the government's expectations of them."

Correction: This article was updated on Nov. 7 to clarify a quoted source's relationship with USIS. That individual is not an attorney for the firm, and described the speed of USIS' response -- not specific contractual obligations.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

