Well, “up in arms” may be a bit strong. But small business advocates like Carol White, the Air Force’s deputy director for small business programs, are reporting that a recent Department of Defense contracting rule may put small government contractors at a disadvantage. That’s according to a report from Federal News Radio.
The new rule requires multifactor authentication on any contractor-owned system that uses certain Defense Department information. It also imposes certain reporting requirements in the event the system is hacked or compromised.
According to the Federal News Radio report:
“The office of Defense Procurement and Acquisition Policy (DPAP) issued a class deviation — an emergency workaround to the usual process of writing acquisition rules — ordering all of DoD’s contracting officers to insert new language into their contracts requiring, among other things, multifactor authentication on any contractor-owned system that houses unclassified but “controlled” Defense information and quick notification to DoD when any of those systems appear to have been breached.
“We’re hearing from a lot of our people out in the field saying, ‘Hey, this is going to be a huge impact to our small contractors,’” Carol White, the Air Force’s deputy director for small business programs, said during a panel I moderated last week at AFCEA NoVA’s annual Air Force IT day. “It’s mostly anecdotal at this point, and we need to hear more from our small business contractors, but this is potentially going to drive up their costs.” (emphasis added)”
Cybersecurity in general is an increasing cost item for businesses. That cost disproportionately hits small businesses, which don’t have the funds to invest in security measures that their larger counterparts do.
It’s not just the out-of-pocket cost that hurts. Sometimes the biggest cost is in time and people to implement security measures.
Security doesn’t magically get put into place. Making changes to your computing systems often involves ambitious programming and project management undertakings. It may require considerable testing, as any change to a system may have unanticipated ripple effects.
Worse, implementing system changes, especially to meet a deadline, distracts your limited staff in a small business. That can disrupt the business. Responsibilities such as serving other customers may get put on the back burner, because you have to make hard choices.
Of course, security can’t be ignored. That’s why the cost of implementing security measures needs to be carefully factored into federal contracts and subcontracts (and private contracts, too). The implementation timing also needs to be factored in. It shouldn’t just be assumed that all will be absorbed by the businesses. The smallest businesses are least able to absorb the time and money.
Small businesses: when negotiating contracts, be sure to highlight the security compliance costs — whether it’s a government contract or a private contract. And if you’re a DOD contractor or subcontractor, speak up. Help the other parties understand what’s involved for you. Everything has a cost.
Is it really possible to secure the Internet? I wonder how. It is far too huge to secure and there will always be some loopholes since we’re dealing with data.
The problem is the DOD is expecting contractors to “eat” the excessive costs for implementing a new security framework on systems, without giving the system owners a chance to renegotiate the contract cost or providing them a mechanism to bill the government for the additional costs. The new requirements are not a bad thing; all businesses should be protecting the company data and their clients’ data from cyber attacks. It should be a cost of doing business.
Rob, I agree that security is not a bad thing. Lots worse things can happen to your business if your software has poor security.
Whether it’s too late to get some contract concessions from the DOD under existing contracts, I can’t say. Working those costs into future contracts is something I’d try for, though.
I don’t do any government contracting (my one subcontract years ago that involved about 7-8 hours of paperwork, just to earn $300 for writing a column for a government newsletter, caused me to automatically say “NO!” whenever I’ve been approached since). But in private contract settings I know that when we do a decent job of pointing out to the other side what’s involved from our side, we end up with better contract terms. Or we get some other concession.
Thanks for this article. Ken Holley at isicg.com is an expert in providing IT services on The Hill. He told me that numerous smaller defence contractors can’t afford Multi Factor Authentication and this is going to be a huge challenge for them.
How much of the defense contracts are going to the small businesses nowadays?