By Dan Firrincili, Senior Manager, Product Marketing at Deltek
In 2021, President Biden signed the Cybersecurity Executive Order 14028 into law, establishing new security standards for software that the government purchases — and underscoring the importance of cybersecurity practices for government contractors.
Legislation like President Biden’s executive order and NIST 800-171 clearly raises the bar for federal contractors. A contractor’s ability to comply with security-related regulations is now a major factor when agencies evaluate potential partners. To improve the odds of winning federal contracts, contractors must prioritize improving cybersecurity to remain compliant with evolving government regulations.
Stronger security helps contractors land Department of Defense dollars
A Department of Defense (DoD) contract is a prize for any federal contractor. But less-established contractors can struggle to obtain these contracts, with the number of federal contracts fulfilled by small businesses plummeting roughly 40% from 2010 to 2020. Going even further back, the number of aerospace and defense prime contractors has shrunk from 51 to only five since the 1990s.
Competition for DoD contracts is fierce enough, but federal contractors that fail to invest in stronger security and compliance measures will disqualify themselves from consideration. However, smaller contractors often struggle to improve cybersecurity practices because of high initial costs and the frequency with which federal agencies update their regulations.
Consider NIST SP 800-171, which details how federal contractors must handle controlled unclassified information (CUI) such as personal data, equipment specifications and intellectual property. NIST will likely announce a new revision to SP 800-171 later in 2022, after revising the publication in 2020 and 2018. Each new version includes altered controls — as of now, there are 110 in effect. Contractors must securely handle backups and external drives, train their staff on CUI handling, establish a data breach response plan and do much more to remain compliant.
Total compliance is easier said than done. A 2020 report found that only 53% of organizations met every NIST SP 800-171 requirement. But moving forward, contractors can no longer afford to remain complacent, especially with the barrier to entry for new contractors so high. As cybersecurity receives increased attention, the ability to achieve full compliance ahead of competing contractors is vital, regardless of the type of product the contractor offers.
3 steps contractors can take to reach total compliance
High-profile security breaches like the SolarWinds supply chain attack and Colonial Pipeline ransomware attack led to President Biden’s executive order — and for good reason. The hackers involved in these attacks used complex methods to bypass detection and gain access to valuable data.
Although smaller contractors often assume they won’t fall victim to the same attacks that plague large organizations, a cyberattack can happen to anyone — including your organization. In 2020, the majority of businesses experienced the same number of cybersecurity incidents as the year before, or fewer. By contrast, in Deltek’s recent 2022 Clarity Government Contracting Industry Study, more than half of respondents reported an increase in cybersecurity incidents in calendar year 2021. In terms of security challenges, 41% of respondents experienced challenges that required action or remediation; the most commonly mentioned were data breaches (59%), ransomware and phishing (50%), and viruses (48%). Unless your organization commits to improving organizational cybersecurity practices and maintaining full compliance, an attack is ultimately unavoidable.
Fortunately, there are several steps you and your team can take to beef up cybersecurity and demonstrate full compliance:
- Determine which requirements are most relevant
Compliance deadlines can blindside unsuspecting contractors and leave them scrambling to make up for lost time. With a long list of guidelines organizations must follow, it’s easy for details to slip through the cracks, which is why your team must understand the requirements they have to meet.
First, you’ll want to identify the federal agencies you want to work with and the contracts your organization is eligible for. For example, Dell Technologies (an IT contractor) must meet different requirements than Boeing (an aerospace contractor). Beyond the DoD, civilian agencies like the Department of Homeland Security (DHS) and General Services Administration (GSA) are also considering expanded regulations. That means internal cybersecurity will also become a high priority for any contractor outside of the defense industry.
Another consideration is whether you’ll need to obtain a Cybersecurity Maturity Model Certification (CMMC) to secure your desired contract. If you need CMMC, you’ll need to determine whether to pursue a Level 1, Level 2 or Level 3 certification by the May 2023 deadline.
- Consider the cloud
The DoD issued a press release in November 2021 that suspended the original CMMC and replaced it with CMMC 2.0. CMMC 2.0 set new priorities for protecting CUI, and you’ll need to pivot to meet these new requirements by 2025. With these changes, there are indications companies are taking steps to remain in compliance. The 2022 Clarity report found that the majority of companies (59%) acknowledge that CMMC requirements apply to their business, with most of that group (83%) making plans to achieve Level 2 or 3.
As regulations evolve, you’ll have to continuously pivot in similar ways, and a cloud-based system can help. The cloud allows for greater visibility into data than on-premises solutions, and the right provider will enable you to keep CUI secure. Some cloud providers offer enhanced support for more sensitive CUI data types such as ITAR, CDI and CTI. The cloud can also enable early threat detection — a major focus for regulatory agencies.
Finally, leaving sensitive applications and CUI on-premises creates an impediment to convenient sharing of information with the government, which President Biden’s executive order addressed. A cloud environment, on the other hand, offers you the visibility to locate and communicate information on time.
- Partner with a reputable provider
Navigating a compliance journey is difficult to do alone, which is why you should partner with a trusted project management provider that can help your organization meet specific compliance requirements. The provider should have a proven track record of monitoring government regulations and working with other organizations within the industry. A good data point to request from a potential partner is their clients’ success rate in passing formal federal agency assessments.
Given the challenges typically associated with the implementation of new technologies, you should also prioritize the provider’s customer service capabilities in your search. During the implementation stage, a delayed response from a provider could mean thousands of dollars in contract money going to another organization. By responding quickly to potential snafus, the right provider can guide you toward full compliance ahead of competitors.
Compliance will only become more difficult — and more important
Cybercriminals will continue to find new ways to target government partners in attempts to access CUI. As long as that’s the case, you can expect to deal with an ever-expanding list of cybersecurity compliance standards.
But by following a few best practices, your organization can work toward achieving total compliance, setting itself apart from cybersecurity laggards and increasing your ability to secure valuable contracts that drive bottom line growth.
About the Author
Dan Firrincili, Senior Manager, Product Marketing at Deltek. He is a Product Marketing Manager in the Product Strategy and Management group at Deltek. In his role, he helps government contracting firms understand how investments in Deltek’s project accounting and information products can help support a more compliant, profitable public sector experience. Dan is also involved with producing analysis and thought leadership resources for the government contracting industry, including Deltek Clarity.
Dan can be reached online at LinkedIn and at our company website https://www.deltek.com/en