Are you equipped to deal with federal cybersecurity regulations?
Landing a government contract can be a huge plus for your business. However, working with any federal agency means dealing with a host of regulations. Fail to comply and you could lose the contract and end up paying fines or facing legal action.
Cybersecurity is one area that sees changes all the time and even now, the General Services Administration is working on developing standardized federal cybersecurity protocols. Make sure that your business is equipped to deal with stringent cybersecurity standards—today and in the future.
The scope of cybersecurity threats
Most of us are aware of cyber threats facing industries like financial/banking, insurance, retail, healthcare, and e-commerce. The general public may not be as informed on the ongoing threats to our federal and state government agencies.
Federal agencies oversee critical infrastructure systems, such as energy, transportation, communications, health and human services, and financial services. The Department of Defense relies on protected systems to relay sensitive military information. All of these departments function by way of IT systems which are often the target of cyber-attacks.
Cyber threats represent an immense problem in all sectors of government. “The risks to these IT systems are increasing—including insider threats from witting or unwitting employees, escalating and emerging threats from around the globe, and the emergence of new and more destructive attacks,” states the U.S. Government Accountability Office (GAO).
Over 35,000 security incidents were reported to the Department of Homeland Security in 2017 alone. These incidents included:
- Loss or theft of computer equipment and devices
- Email phishing attacks
- Attacks on websites or web-based applications
- Improper usage such a violation of policy by unauthorized users
- Attacks executed with removable media or devices
- Other (Did not fit into any category; these attacks represented the largest percentage of security incidents at 31%)
Due to the seriousness of the threat, the GAO identified four “major cybersecurity challenges and ten critical actions that the federal government and other entities can take to address them.” The 4 major challenges are:
- Establishing a comprehensive cybersecurity strategy with effective oversight
- Securing federal systems and information
- Protecting cyber critical infrastructure
- Protecting privacy and sensitive data
The goal on the federal level is to develop protocols and regulations in order to protect the confidentiality, integrity, and availability of sensitive personal information for government agencies. These regulations will also apply to any business or organization with a government contract.
Cybersecurity regulations and government contractors
Even without federal standards, organizations with government contracts still have to follow certain rules. Let’s look at a few examples:
U.S. Department of Defense rules
In June 2019, the Department of Defense (DoD) unveiled new cybersecurity standards for contractors. “The new standards will have a five-tier system, and they will combine guidance currently in place from the National Institute of Standards and Technology…”
Called the Cybersecurity Maturity Model Certification, the new protocols include third-party oversight and audits to ensure compliance, as well as education and training.
Foreign entities and governments represent a looming threat as they seek to steal U.S. intellectual property (IP) and other sensitive DoD data. We also cannot ignore cyber terror threats that seek to damage U.S. infrastructure as a way to hurt either the government or American citizens.
One of the main goals of the new rules will be to help establish protocols for contractors and subcontractors, even down to tier-three and tier-four subcontractors.
The General Services Administration also announced new regulations for contractors, which includes how entities handle and store data and how they should report cyber incidents.
Privacy laws around the globe may affect government contractors
The General Data Protection Regulation (GDPR) introduced sweeping privacy standards that apply to all European Union (EU) countries as well as companies that do business with member states. Violating GDPR standards can lead to substantial fines and legal action.
Canada also has its own privacy standards, with the Personal Information Protection and Electronic Document Act (PIPEDA). Again, violating the standard can spell trouble in the form of fines and legal action, as well as compromised security.
Internet of Things regulations
California’s new IoT bill (SB-327) is designed to increase security for the Internet of Things (IoT) devices. IoT refers to any internet-connected device or appliance. These can include cars, refrigerators, thermostats, electric systems, watches, and other types of smart devices.
Any of these devices represent a way to infiltrate networks and gain access to private information. While many such devices are in your home, they are also used by government agencies.
“Starting on January 1st, 2020, any manufacturer of a device that connects ‘directly or indirectly’ to the internet must equip it with ‘reasonable’ security features, designed to prevent unauthorized access, modification, or information disclosure,” the bill states.
We mention the California IoT because it applies to contractors doing work for the state and state laws often end up forming the basis of federal regulations. For now, if you are in California or do business with a company in California—whether you are working as a government contractor or not—you will need to comply with SB-327. In the future, every business in all states may have to comply with similar regulations.
Other state-specific regulations
California is not the only state to enact new legislation. For example, New York’s Department of Financial Services (NYDFS) passed sweeping Cybersecurity Regulations (123 NYCRR 500) that apply to all financial institutions and insurance companies. Since many financial institutions have national or regional offices in New York or do business with New York companies, they must also comply with these regulations.
Other states have followed New York’s lead and passed similar measures governing the financial and insurance sectors, as well as other major industries.
If you hope to land a government contract, be aware of the federal and state regulations that come with it. It is your job to ensure you stay abreast of any changes and remain compliant with all cybersecurity laws.
While the task can seem overwhelming, you can find a partner in CyberGuard360. We offer state-of-the-art security systems to help monitor and protect against cyber-attacks. We also provide a wide array of other services, including risk assessment, education, training, and disaster recovery. Call us at 844-315-9882 or reach us via our online contact form.